2004-12-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for
	now (used in pkinit)

2004-12-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/Makefile.am: add CHECK_SYMBOLS

	* lib/hdb/keys.c: make all_etypes static

	* lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err
	-version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops

	* kdc/kerberos5.c: use private version of principalname

	* kdc/kerberos4.c: use private version of principalname

	* kdc/hpropd.c: use private version of principalname

	* kdc/524.c: use private version of principalname

	* lib/krb5/rd_req.c: use private version of principalname

	* lib/krb5/rd_cred.c: use private version of principalname

	* lib/krb5/init_creds_pw.c: use private version of principalname

	* lib/krb5/get_in_tkt.c: use private version of principalname

	* lib/krb5/asn1_glue.c: make principalname functions private

	* lib/krb5/krb5.h: add key usage for server referrals

2004-12-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/principal.c: make default_v4_name_convert static

	* lib/krb5/crypto.c: make lots of crypto related variables static

	* lib/krb5/acache.c: make default_acc_name static

2004-12-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: add some text about samba, use example.com

	* lib/hdb/hdb-ldap.c: Add account expiration for samba from James
	F. Hranicky <jfh@cise.ufl.edu>.
	Add LDAP_addmod_integer and use it.

2004-12-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text
	fixes, from Dave Love

2004-12-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just
	needs pthread.h, threadlib is dead

2004-12-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/config.c (configure): check for deprecated
	enforce-transited-policy is set and fail if it is

	* lib/asn1/asn1_print.c: don't print garbage for octet strings

2004-12-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/main.c (main): catch sigpipe, we don't bother select()ing
	for errors

	* kdc/connect.c (handle_http_tcp): handle error from write(2)

	* doc/setup.texi: clarify credentials refreshing stuff

	* doc/setup.texi: add new node: Providing Kerberos credentials to
	servers and programs

	* doc/whatis.texi: fix spurious cross-reference makeinfo warning

	* lib/hdb/hdb-ldap.c (pos): uppercase in character

2004-12-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode
	nibbles in the other order

	* lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if
	attribute exists before we try to delete it LDAP__bytes2hex
	encodes in strange byte order, is this really right ?

2004-12-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all
	entries, search for samba accounts too, From: "James F. Hranicky"
	<jfh@cise.ufl.edu>

	* lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid
	too

	* lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing
	both krb5PrincipalName and uid, it must be broken, ignore it and
	return it doesn't exists.

2004-12-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/hpropd.8: spelling, from OpenBSD

	* kdc/kdc.8: use keeps for options, From OpenBSD k

2004-12-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: document --random-key and the need to do backup
	of the master key

	* kdc/kstash.8: add --random-key

	* kdc/kstash.c: add --random-key

2004-12-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.8: spelling, from openbsd

	* lib/krb5/krb5_init_context.3: spelling, from openbsd

	* lib/krb5/krb5.conf.5: spelling, from openbsd

	* kuser/kdestroy.1: use keeps around options, spelling, from
	openbsd

	* kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD

	* kdc/hpropd.8: use keeps around options, from OpenBSD

	* kdc/hprop.8: use keeps around options, from OpenBSD

2004-11-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/context.c (krb5_free_context): clear error string
	before destroying mutex
	(krb5_init_context): don't call krb5_free_context before there is a
	mutex initialized

2004-11-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kinit.c (get_new_tickets): only complain about ticket
	renewable lifetime when the user asked for a specific renewable
	lifetime

2004-11-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (find_keys): log what principal is missing
	enctypes

2004-11-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after
	freeing data

	* lib/krb5/init_creds_pw.c (change_password): handle old_options
	being NULL From Guenther Deschner on samba-technical.

2004-11-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_get_init_creds.3: add more text describing the
	krb5_get_init_creds functions

2004-11-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work
	again

2004-11-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb.asn1: use constrained integers

2004-11-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_get_init_creds.3: add description for opt_init,
	opt_alloc, opt_free

	* lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit

	* lib/krb5/init_creds.c: unexport
	krb5_get_init_creds_opt_free_pkinit

	* lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into
	get_init_creds_common

	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in
	options NULL, just make a clean copy

2004-11-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier
	so we don't leak it on error

2004-10-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: unbreak 2b entry

	* lib/krb5/acache.c (make_cred_from_ccred): the address isn't a
	sockaddr but rather a kerberos address, deal with that. Based on
	bug report from Jakob Schlyter <jakob@rfc.se>.

2004-10-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/connect.c: Make sure argument passed to ctype isn't signed
	char

2004-10-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: match new error names

	* lib/krb5/krb5_err.et: make error messages sane again

2004-10-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/keytab.c: use KRB5_KT_BADNAME

	* lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major
	version bump) add KRB5_DELTAT_BADFORMAT

	* lib/krb5/krb5.conf.5: time defaults to "s"

	* lib/krb5/time.c (krb5_string_to_deltat): default to "s" again,
	MIT's behavior was actually that it failed to parse the number
	(and thus used the default). Even better, ticket_lifetime (that
	was a consumer supposed a of the interface) was documented but
	never implemented, when it was implemented, people configuration
	files started to fail. Also, use KRB5_DELTAT_BADFORMAT as a
	failure code.

	* lib/asn1/k5.asn1: sync enctypes with pkinit branch

	* lib/asn1/parse.y (readd) support negative numbers

	* lib/asn1/lex.l: support hex numbers

2004-10-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS

	* lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding
	for rc2 don't to padding for blocksize 1

	* lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c:
	Move keyset parsing and password based keyset generation into hdb.
	Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb
	backend.

2004-10-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kinit.c: adapt to new signature of
	krb5_get_init_creds_opt_set_pkinit

	* lib/krb5/pkinit.c: free openssl engine deal with
	RecipientIdentifier -> CMSIdentifier and heim_any -> name change
	improve error messages

	* kdc/pkinit.c: free openssl engine deal with RecipientIdentifier
	-> CMSIdentifier and heim_any -> name change

2004-10-04  Johan Danielsson  <joda@pdc.kth.se>

	* kuser/klist.c: use rtbl_set_separator

2004-10-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: filter out dup openssl engine keys, parse
	user options first

	* lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add
	openssl engine support for private key

	* lib/krb5/crypto.c: support padding as its done in CMS

	* kdc/pkinit.c: improve error logging

	* kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt

2004-09-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: assume minutes for time

	* lib/krb5/config_file.c (krb5_config_vget_time_default): use
	krb5_string_to_deltat

	* lib/krb5/appdefault.c (krb5_appdefault_time): use
	krb5_string_to_deltat

	* lib/krb5/time.c (krb5_string_to_deltat): set default unit to
	minute for compatibility with MIT Kerberos.

2004-09-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large
	message safe" transport if we get back
	KRB5KRB_ERR_RESPONSE_TOO_BIG error. Idea from Guenther Deschner
	<gd@sernet.de>

2004-09-23  Johan Danielsson  <joda@pdc.kth.se>

	* admin/list.c: use rtbl

	* admin/ktutil-commands.in: slc source file

	* lib/krb5/constants.c: check
	/Library/Preferences/edu.mit.Kerberos on OSX

2004-09-21  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/time.c (krb5_format_time): check return value from
	localtime and strftime

2004-09-14  Johan Danielsson  <joda@pdc.kth.se>

	* kuser/kinit.c: make sure we don't always get renewable creds

2004-09-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/acache.c: use krb5_ccapi.h

	* lib/krb5/krb5_ccapi.h: break out krb5 api definitions to
	separate (not installed) file

	* lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS
	since AM_CPPFLAGS overridden by target specific _CPPFLAGS

2004-09-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c: make variable shorter, make error messages
	from pkinit, make freeing easier

2004-09-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen

	* lib/krb5/crypto.c (seed_something): avoid poking at memory that
	is uninitialized, make valgrind unhappy. Pointed out by
	abartlet@samba.org. While where, plug the fd leak.

2004-09-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/asn1/der_get.c (decode_*): name all tag-length variables the
	same
	(decode_enumerated): check that the tag-length is not longer the length

	* lib/asn1/der_get.c (decode_boolean): fail if length of tag is
	larger then len

2004-08-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be
	set in case of failure too, free unconditionally on exit to avoid
	memory leak

2004-08-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after
	free

2004-08-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/context.c (krb5_get_err_text): if neither of com_right
	nor strerror finds the error-code, return Unknown error.

2004-08-19  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/krb5_kuserok.3: update to reality

	* lib/krb5/kuserok.c: if a .k5login file exist, don't give
	implicit rights to anyone; also check owner/mode of .k5login

2004-08-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3

	* lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname

	* lib/krb5/krb5.3: add krb5_getportbyname

	* lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid

	* lib/krb5/krb5_encrypt.3: document krb5_enctype_valid

2004-08-13  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes
	from the client and filter them out.

	* lib/krb5/krb5_string_to_key.3: document krb5_free_salt

2004-08-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_ticket.3: data needs to be freed when using
	krb5_ticket_get_authorization_data_type

2004-08-11  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_cc.c: test variables in default_cc_name

	* lib/krb5/krb5.conf.5: explain support for variables in
	[libdefaults]default_cc_name

	* lib/krb5/cache.c: drop ${time}, its not very useful

	* lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expand
	variables in the default cc name. Supported variables now are:
	${time},${uid} and ${null}

	* lib/krb5/krb5.conf.5: document default_cc_name

	* lib/krb5/cache.c (krb5_cc_set_default_name):
	s/libdefault/libdefaults/

2004-08-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/acache.c: replace magic 3 with ccapi_version_3

	* lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c

	* lib/krb5/krb5.h: add krb5_acc_ops

	* lib/krb5/acache.c: CCAPI v3 implementation, the read only
	support was from Magnus Ahltorp and then extended by me to support
	all other operations. Tested with MIT kerberos cc cache
	implementation on MacOS 10.3.3

	* lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the
	default cc name, this is not very useful for general purpose glue
	since its not possible to glue in user information (like uid), but
	for CCAPI it works just fine

2004-08-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kgetcred.1: document --cache/-c

	* kuser/kgetcred.c: allow to specify what credential cache to use

2004-08-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3

	* lib/krb5/krb5_eai_to_heim_errno.3: document
	krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno

	* lib/krb5/krb5.3: add krb5_eai_to_heim_errno,
	krb5_h_errno_to_heim_errno

2004-07-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms
	result should be free with krb5_free_host_realm drop
	krb5_get_host_realm text

	* lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result
	should be free with krb5_free_host_realm

	* lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep

	* lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds

	* lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator

	* lib/krb5/Makefile.am: man_MANS += krb5_rd_error

	* lib/krb5/krb5_rd_error.3: krb5_rd_error and friends

	* lib/krb5/krb5_warn.3: clarify on what string
	krb5_free_error_string should operate on

	* lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred

	* lib/krb5/Makefile.am: krb5_get_credentials,
	krb5_get_forwarded_creds and friends

	* lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds
	and friends

	* lib/krb5/krb5_get_credentials.3: krb5_get_credentials and
	friends

2004-07-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/klist.c (print_cred_verbose): keytypes are no longer, use
	enctype

2004-07-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99
	compilers, From metze at samba.org

2004-07-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/test_cc.c: more cc tests

	* lib/krb5/krb5_check_transited.3: document krb5_check_transited

2004-07-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/pkinit.c (pk_principal_from_X509): reverse test, makes
	principal in cert work From: Mayur Patel <patelm4@rpi.edu>

2004-07-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/Makefile.am: add krb5_verify_init_creds.3

	* lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds

2004-07-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org
	description for krb5_passwd_result_to_string

2004-07-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar
	fixes; split sentence in two for better understanding. From
	wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here.

	* lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan
	Stone <jonathan@dsg.stanford.edu>

	* lib/krb5/changepw.c (process_reply): cast ssize_t to long and
	print that From NetBSD via Havard Eidnes.

2004-07-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* configure.in: fix helpstring for hdb-openldap-module

	* lib/krb5/test_cc.c: don't use krb5_err on error code 0

2004-07-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better

2004-07-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const

2004-07-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with
	right argument

2004-06-27  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the
	krbtgt is without addresses, default to not sending our own
	addrport

	* lib/asn1/lex.l: add support for /* */ and partial line --
	comments

	* kuser/Makefile.am: don't install copy_cred_cache manpage

2004-06-24  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if
	copying a static opt, make sure to allocate the "private" field

2004-06-24  Love  <lha@stacken.kth.se>

	* kdc/config.c: add enable_pkinit_princ_in_cert

	* kdc/kdc_locl.h: enable_pkinit_princ_in_cert

	* kdc/pkinit.c: Check certificate for Kerberos Principal in
	OtherName of subjectAltName Based on patch from Mayur Patel
	<patelm4@rpi.edu>

2004-06-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/get_cred.c (init_tgs_req): if subkey not available, use
	session key for authorization-data

2004-06-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* kdc/connect.c (handle_tcp): note who is what that closed the
	connection on us

2004-06-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* admin/get.c (kt_get): catch errors from krb5_parse_name

2004-06-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: if its the entry just contains the
	structural object (no samba nor heimdal object), add an aux
	heimdal object on to it.

2004-06-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* kpasswd/kpasswd.c: use krb5_set_password_using_ccache

	* lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache

	* lib/krb5/changepw.c: implement krb5_set_password_using_ccache

	* lib/hdb/hdb-ldap.c: Allow the objectClass to be
	"sambaSamAccount" or structural_object when searching for uid
	entries.

	* lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base

	* lib/hdb/hdb-ldap.c: add creation base that defaults to the
	search base

	* lib/hdb/hdb-ldap.c: indent like the rest of the code

2004-06-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: check return values from ldap operations and
	close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you
	should retry by yourself.

	* lib/hdb/hdb-ldap.c: require search base to be configured, create
	local context structure

2004-05-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: more ldap text, partly from Tarjei Huse
	<tarjei@nu.no>

2004-05-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: clean, indent

	* lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure
	krb5KeyVersionNumber is added on new entries

2004-05-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* doc/setup.texi: minor fixes, partly from Tarjei Huse
	<tarjei@nu.no>

	* lib/krb5/krb5.conf.5: some text about dbname and realm

	* lib/krb5/krb5.conf.5: default value for
	hdb-ldap-structural-object is account

2004-05-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* tools/Makefile.am: use ! instead of , as sed delimiter

2004-05-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions

2004-05-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean

	* lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure
	option

	* lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From:
	Andrew Bartlett <abartlet@samba.org>

	* lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length
	check From: Andrew Bartlett <abartlet@samba.org>

	* lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword
	case, make sure ent->etypes are allocated, From: Andrew Bartlett
	<abartlet@samba.org>

2004-05-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* kuser/kinit.c: move "setpag if (argc < 1)" to common path

2004-05-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers

	* fix-export: use right argument for -E

2004-05-06  Johan Danielsson  <joda@pdc.kth.se>

	* kuser/kinit.c: print some diagnostics if the exec fails

2004-04-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key
	From: Luke Howard <lukeh@padl.com>

	* lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket,
	not just a pointer size of it From: Luke Howard <lukeh@padl.com>

2004-04-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* fix-export: add -E flag where needed to make-proto

2004-04-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* lib/krb5/crypto.c: add set_param for RC2

	* lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids
	that are no longer needed

	* kdc/pkinit.c: use krb5_enctype_to_oid

	* lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists
	before we compare with it

	* lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length
	before returning it add aes-oids

	* lib/krb5/crypto.c: add krb5_enctype_to_oid and
	krb5_oid_to_enctype

	* kdc/pkinit.c: use krb5_crypto_set_params

	* lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none

	* lib/krb5/krb5.h: add KEYTYPE_AES192

	* lib/krb5/pkinit.c: use krb5_crypto_get_params to implement
	kcrypto RC2 support

	* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
	rc2-cbc XXX RC2CBCParameter is wrong because the compiler is
	broken

	* lib/krb5/krb5.h: add KEYTYPE_RC2

	* lib/krb5/crypto.c: add partial CMS parameter handling, this is
	needed for RC2

	* lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp

	* lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c

	* lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp

	* lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE

	* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
	rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken

2004-04-26  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/config_file.c: allow parsing directly from strings with
	krb5_config_parse_string_multi

	* lib/krb5/verify_krb5_conf.c: try to resolve hostnames

2004-04-25  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file
	descriptor so we don't have to keep track of it in two places

	* kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in
	libkrb5

	* lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its
	own manpage

	* replace krb5_free_creds_contents by krb5_free_cred_contents

	* lib/krb5/cache.c: add krb5_cc_next_cred_match() and
	krb5_cc_copy_cred_match()

	* lib/krb5/creds.c (krb5_compare_creds): add more matching options

	* lib/krb5/krb5.h: add more creds match flags

	* kuser/copy_cred_cache: add --valid-for option

	* lib/krb5/store.c
(krb5_store_creds): set is_skey flag if length 773*f59d82ffSelric of second ticket is > 0 774*f59d82ffSelric 775*f59d82ffSelric2004-04-25 Love Hörnquist Åstrand <lha@it.su.se> 776*f59d82ffSelric 777*f59d82ffSelric * lib/krb5/pkinit.c: use the right oid for pkauthdata 778*f59d82ffSelric 779*f59d82ffSelric * lib/krb5/pkinit.c: always send both win2k compat version and the 780*f59d82ffSelric ietf draft one, this is possible since microsoft use 781*f59d82ffSelric wrong/diffrent PA number. Make the configuration flag boolean 782*f59d82ffSelric configuring if NOT to send the win2k compat glue. 783*f59d82ffSelric 784*f59d82ffSelric * lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec 785*f59d82ffSelric 786*f59d82ffSelric * kuser/copy_cred_cache.1: pacify mdoclint 787*f59d82ffSelric 788*f59d82ffSelric * kdc/pkinit.c: use IV for envelopeddata encryption, patch 789*f59d82ffSelric originally from Luke Howard <lukeh@padl.com>, tweeked by me. 790*f59d82ffSelric 791*f59d82ffSelric * lib/krb5/krb5_storage.3: document 792*f59d82ffSelric KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER 793*f59d82ffSelric 794*f59d82ffSelric * lib/krb5/krb5_data.3: document that krb5_data_free cleans the 795*f59d82ffSelric structure too 796*f59d82ffSelric 797*f59d82ffSelric * lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch 798*f59d82ffSelric originally from Luke Howard <lukeh@padl.com>, tweeked by me. 799*f59d82ffSelric 800*f59d82ffSelric2004-04-24 Johan Danielsson <joda@pdc.kth.se> 801*f59d82ffSelric 802*f59d82ffSelric * kuser/copy_cred_cache.{c,1}: add cred cache copy tool 803*f59d82ffSelric 804*f59d82ffSelric * configure.in: use rk_SYS_LARGEFILE 805*f59d82ffSelric 806*f59d82ffSelric * lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder 807*f59d82ffSelric issue with a storage flag instead of a separate function. 
808*f59d82ffSelric 809*f59d82ffSelric2004-04-24 Love Hörnquist Åstrand <lha@it.su.se> 810*f59d82ffSelric 811*f59d82ffSelric * lib/krb5/pkinit.c: move out the oid check from get_reply_key 812*f59d82ffSelric 813*f59d82ffSelric * lib/krb5/pkinit.c: uniquify error messages 814*f59d82ffSelric 815*f59d82ffSelric * lib/krb5/init_creds_pw.c: make the pkinit nonce same os the 816*f59d82ffSelric plain nonce for now 817*f59d82ffSelric 818*f59d82ffSelric * lib/krb5/pkinit.c: more w2k compat from Luke Howard 819*f59d82ffSelric <lukeh@padl.com> add RC2 support, clean up error messages 820*f59d82ffSelric 821*f59d82ffSelric * lib/krb5/pkinit.c: remove more dependency on 822*f59d82ffSelric krb5_config->pkinit_flags 823*f59d82ffSelric 824*f59d82ffSelric * lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft 825*f59d82ffSelric style answer to IETF, From Luke Howard <lukeh@padl.com> 826*f59d82ffSelric (_krb5_pk_create_sign): ms handles NULL in param, so always send it 827*f59d82ffSelric (_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool } 828*f59d82ffSelric 829*f59d82ffSelric * lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the 830*f59d82ffSelric digestAlgorithm to sha1 (both for SignerInfo and SignedData, add 831*f59d82ffSelric new function _set_digest_alg to set it 832*f59d82ffSelric 833*f59d82ffSelric2004-04-23 Love Hörnquist Åstrand <lha@it.su.se> 834*f59d82ffSelric 835*f59d82ffSelric * include/make_crypto.c: include rc2.h, and when I'm here, make 836*f59d82ffSelric aes mandatory 837*f59d82ffSelric 838*f59d82ffSelric * lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT 839*f59d82ffSelric kerberos 840*f59d82ffSelric 841*f59d82ffSelric * lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on 842*f59d82ffSelric failure 843*f59d82ffSelric 844*f59d82ffSelric * lib/krb5/crypto.c (DES3_random_to_key): make it produce the 845*f59d82ffSelric right result 846*f59d82ffSelric (DES3_postproc): use DES3_random_to_key 847*f59d82ffSelric 
(krb5_random_to_key): check the required number of bits (not the size 848*f59d82ffSelric of the key) 849*f59d82ffSelric 850*f59d82ffSelric * lib/krb5/aes-test.c: test random to key function 851*f59d82ffSelric 852*f59d82ffSelric * lib/krb5/string-to-key-test.c: comment out the "@"/"" test for 853*f59d82ffSelric now 854*f59d82ffSelric 855*f59d82ffSelric2004-04-22 Love Hörnquist Åstrand <lha@it.su.se> 856*f59d82ffSelric 857*f59d82ffSelric * lib/krb5/krb5_string_to_key.3: document that 858*f59d82ffSelric krb5_string_to_key_derived is broken for non 3des enctypes and 859*f59d82ffSelric thus deprecated 860*f59d82ffSelric 861*f59d82ffSelric * kdc/pkinit.c (generate_dh_keyblock): use the new function 862*f59d82ffSelric krb5_random_to_key 863*f59d82ffSelric 864*f59d82ffSelric * lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they 865*f59d82ffSelric need special processing 866*f59d82ffSelric 867*f59d82ffSelric * lib/krb5/crypto.c (krb5_random_to_key): new function 868*f59d82ffSelric 869*f59d82ffSelric * lib/krb5/krb5_keyblock.3: document krb5_random_to_key 870*f59d82ffSelric 871*f59d82ffSelric2004-04-21 Love Hörnquist Åstrand <lha@it.su.se> 872*f59d82ffSelric 873*f59d82ffSelric * kdc/pkinit.c: use the first proposed enable enctype 874*f59d82ffSelric 875*f59d82ffSelric * lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the 876*f59d82ffSelric return from krb5_enctype_valid 877*f59d82ffSelric 878*f59d82ffSelric * kdc/pkinit.c: at least try to handle diffrent enveloped enctypes 879*f59d82ffSelric 880*f59d82ffSelric2004-04-21 Love Hörnquist Åstrand <lha@it.su.se> 881*f59d82ffSelric 882*f59d82ffSelric * lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid 883*f59d82ffSelric components being smaller then 127 and allocate one extra element 884*f59d82ffSelric since first byte is split to to elements. 
885*f59d82ffSelric 886*f59d82ffSelric2004-04-20 Love Hörnquist Åstrand <lha@it.su.se> 887*f59d82ffSelric 888*f59d82ffSelric * lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE: 889*f59d82ffSelric private use, lukeh@padl.com 890*f59d82ffSelric 891*f59d82ffSelric2004-04-19 Love Hörnquist Åstrand <lha@it.su.se> 892*f59d82ffSelric 893*f59d82ffSelric * lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode 894*f59d82ffSelric DH public key 895*f59d82ffSelric 896*f59d82ffSelric2004-04-18 Love Hörnquist Åstrand <lha@it.su.se> 897*f59d82ffSelric 898*f59d82ffSelric * lib/krb5/krb5_init_context.3: add krb5_context to so its added 899*f59d82ffSelric as manpage-link too 900*f59d82ffSelric 901*f59d82ffSelric2004-04-17 Love Hörnquist Åstrand <lha@it.su.se> 902*f59d82ffSelric 903*f59d82ffSelric * lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation, 904*f59d82ffSelric XXX add locking 905*f59d82ffSelric 906*f59d82ffSelric * kuser/kdestroy.c: add --credential argument that just remove one 907*f59d82ffSelric credential entry out of the cache specified 908*f59d82ffSelric 909*f59d82ffSelric * kdc/pkinit.c: replace the krb5.conf configuration option that 910*f59d82ffSelric describes the mapping between principals and subject names with a 911*f59d82ffSelric file, default /var/heimdal/pki-mapping. XXX this should be pushed 912*f59d82ffSelric into HDB. 
XXX should add issuer too 913*f59d82ffSelric 914*f59d82ffSelric * kdc/config.c: merge certificate/private_key to a user_id 915*f59d82ffSelric 916*f59d82ffSelric2004-04-16 Love Hörnquist Åstrand <lha@it.su.se> 917*f59d82ffSelric 918*f59d82ffSelric * kdc/kdc_locl.h: update prototype for pk_initialize 919*f59d82ffSelric 920*f59d82ffSelric * kuser/kinit.c: merge certificate/private_key to a user_id 921*f59d82ffSelric 922*f59d82ffSelric * kdc/pkinit.c: adapt to heim_integer changes 923*f59d82ffSelric 924*f59d82ffSelric * lib/krb5/pkinit.c: merge certificate/private_key to a user_id 925*f59d82ffSelric 926*f59d82ffSelric * kdc/pkinit.c: adapt to heim_integer changes, 927*f59d82ffSelric merge certificate/private_key to a user_id 928*f59d82ffSelric 929*f59d82ffSelric2004-04-15 Love Hörnquist Åstrand <lha@it.su.se> 930*f59d82ffSelric 931*f59d82ffSelric * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE 932*f59d82ffSelric 933*f59d82ffSelric2004-04-13 Love Hörnquist Åstrand <lha@it.su.se> 934*f59d82ffSelric 935*f59d82ffSelric * lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building 936*f59d82ffSelric libkrb5.la, add KRB5_LIB_FUNCTION proto 937*f59d82ffSelric 938*f59d82ffSelric * lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION 939*f59d82ffSelric 940*f59d82ffSelric * configure.in: export KRB5_LIB_FUNCTION when building with 941*f59d82ffSelric BUILD_KRB5_LIB 942*f59d82ffSelric 943*f59d82ffSelric * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add 944*f59d82ffSelric error strings 945*f59d82ffSelric 946*f59d82ffSelric * lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing 947*f59d82ffSelric is printed on stderr, fflush it 948*f59d82ffSelric 949*f59d82ffSelric * lib/krb5/krb5_keyblock.3: free functions also zeros out the key 950*f59d82ffSelric 951*f59d82ffSelric * lib/krb5/krb5_get_init_creds.3: some text about 952*f59d82ffSelric krb5_prompter_posix 953*f59d82ffSelric 954*f59d82ffSelric * lib/krb5/krb5.conf.5: document 
hdb-ldap-structural-object 955*f59d82ffSelric 956*f59d82ffSelric * lib/krb5/cache.c: add krb5_cc_get_prefix_ops 957*f59d82ffSelric 958*f59d82ffSelric * lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops 959*f59d82ffSelric 960*f59d82ffSelric2004-04-05 Love Hörnquist Åstrand <lha@it.su.se> 961*f59d82ffSelric 962*f59d82ffSelric * appl/test/http_client.c: support GSS_C_DELEG_FLAG and 963*f59d82ffSelric GSS_C_MUTUAL_FLAG 964*f59d82ffSelric 965*f59d82ffSelric * appl/test/http_client.c: verbose logging 966*f59d82ffSelric 967*f59d82ffSelric2004-04-02 Love Hörnquist Åstrand <lha@it.su.se> 968*f59d82ffSelric 969*f59d82ffSelric * kdc/connect.c: case size_t to unsigned long for LP64 platforms 970*f59d82ffSelric 971*f59d82ffSelric2004-04-01 Love Hörnquist Åstrand <lha@it.su.se> 972*f59d82ffSelric 973*f59d82ffSelric * lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of 974*f59d82ffSelric default structural object 975*f59d82ffSelric 976*f59d82ffSelric * tools/Makefile.am: handle sed expression breaking 977*f59d82ffSelric 978*f59d82ffSelric2004-03-31 Love Hörnquist Åstrand <lha@it.su.se> 979*f59d82ffSelric 980*f59d82ffSelric * lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr 981*f59d82ffSelric 982*f59d82ffSelric * lib/krb5/changepw.c: add tcp support to the set protocol, should 983*f59d82ffSelric be cleaned up to enable sharing code with krb5_sendto 984*f59d82ffSelric 985*f59d82ffSelric * kpasswd/kpasswd.c (change_password): remove extra free 986*f59d82ffSelric 987*f59d82ffSelric * lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on 988*f59d82ffSelric osf/1 989*f59d82ffSelric 990*f59d82ffSelric2004-03-30 Love Hörnquist Åstrand <lha@it.su.se> 991*f59d82ffSelric 992*f59d82ffSelric * lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't 993*f59d82ffSelric increase md->len, krb5_padata_add already does that 994*f59d82ffSelric 995*f59d82ffSelric * lib/krb5/init_creds.c: its PAC not PAQ 996*f59d82ffSelric 997*f59d82ffSelric * kuser/kinit.c: its PAC not PAQ 
998*f59d82ffSelric 999*f59d82ffSelric * kdc/kerberos4.c: stop the client from renewing tickets into the 1000*f59d82ffSelric future From: Jeffrey Hutzelman <jhutz@cmu.edu> 1001*f59d82ffSelric 1002*f59d82ffSelric2004-03-29 Love Hörnquist Åstrand <lha@it.su.se> 1003*f59d82ffSelric 1004*f59d82ffSelric * configure.in: try to handle sys/strtty.h needing sys/stream.h 1005*f59d82ffSelric 1006*f59d82ffSelric2004-03-23 Love Hörnquist Åstrand <lha@it.su.se> 1007*f59d82ffSelric 1008*f59d82ffSelric * lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, its no 1009*f59d82ffSelric longer used 1010*f59d82ffSelric 1011*f59d82ffSelric * kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/ 1012*f59d82ffSelric 1013*f59d82ffSelric * lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to 1014*f59d82ffSelric external users by prefixing it with _ 1015*f59d82ffSelric 1016*f59d82ffSelric * lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/ 1017*f59d82ffSelric 1018*f59d82ffSelric * lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external 1019*f59d82ffSelric users by prefixing it with _ 1020*f59d82ffSelric 1021*f59d82ffSelric2004-03-22 Love Hörnquist Åstrand <lha@it.su.se> 1022*f59d82ffSelric 1023*f59d82ffSelric * lib/krb5/pkinit.c: add missing } 1024*f59d82ffSelric 1025*f59d82ffSelric2004-03-21 Love Hörnquist Åstrand <lha@it.su.se> 1026*f59d82ffSelric 1027*f59d82ffSelric * kdc/pkinit.c: adapt to change of signature of 1028*f59d82ffSelric _krb5_pk_load_openssl_id 1029*f59d82ffSelric 1030*f59d82ffSelric * lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add 1031*f59d82ffSelric prompter argument and use it 1032*f59d82ffSelric 1033*f59d82ffSelric * kuser/kinit.c: adapt to signature change of 1034*f59d82ffSelric krb5_get_init_creds_opt_set_pkinit 1035*f59d82ffSelric 1036*f59d82ffSelric * lib/krb5/krb5.3: add more stuff, 105 functions to go 1037*f59d82ffSelric 1038*f59d82ffSelric * lib/krb5/krb5_rcache.3: add krb5_get_server_rcache 1039*f59d82ffSelric 1040*f59d82ffSelric * 
lib/krb5/krb5_rcache.3: framework for replay cache manpage 1041*f59d82ffSelric 1042*f59d82ffSelric * lib/krb5/krb5_string_to_key.3: document string to key functions 1043*f59d82ffSelric 1044*f59d82ffSelric * lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3 1045*f59d82ffSelric krb5_find_padata.3 krb5_generate_random_block.3 1046*f59d82ffSelric 1047*f59d82ffSelric * lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length 1048*f59d82ffSelric 1049*f59d82ffSelric * lib/krb5/krb5.3: add some more, 137 to go 1050*f59d82ffSelric 1051*f59d82ffSelric * lib/krb5/krb5_principal.3: document krb5_get_default_principal 1052*f59d82ffSelric 1053*f59d82ffSelric * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey 1054*f59d82ffSelric 1055*f59d82ffSelric * lib/krb5/krb5_generate_random_block.3: document 1056*f59d82ffSelric krb5_generate_random_block 1057*f59d82ffSelric 1058*f59d82ffSelric * lib/krb5/krb5_find_padata.3: document padata functions 1059*f59d82ffSelric 1060*f59d82ffSelric * lib/krb5/krb5.3: add some more, 142 to go 1061*f59d82ffSelric 1062*f59d82ffSelric * lib/krb5/krb5_creds.3: drop .Pp before .Sh 1063*f59d82ffSelric 1064*f59d82ffSelric * lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm 1065*f59d82ffSelric 1066*f59d82ffSelric * lib/krb5/krb5_expand_hostname.3: document krb5_expand_hostname 1067*f59d82ffSelric and krb5_expand_hostname_realms 1068*f59d82ffSelric 1069*f59d82ffSelric * lib/krb5/krb5.3: add more functions, 147 to go 1070*f59d82ffSelric 1071*f59d82ffSelric * lib/krb5/krb5_creds.3: document krb5_creds 1072*f59d82ffSelric 1073*f59d82ffSelric * lib/krb5/krb5_get_init_creds.3: add more functions, some more 1074*f59d82ffSelric text 1075*f59d82ffSelric 1076*f59d82ffSelric * lib/krb5/krb5_ticket.3: document 1077*f59d82ffSelric krb5_ticket_get_authorization_data_type 1078*f59d82ffSelric 1079*f59d82ffSelric2004-03-20 Love Hörnquist Åstrand <lha@it.su.se> 1080*f59d82ffSelric 1081*f59d82ffSelric * lib/krb5/aes-test.c: remove #if 0'ed code 
1082*f59d82ffSelric 1083*f59d82ffSelric * lib/krb5/krb5.3: add keyblock functions, 177 functions to go 1084*f59d82ffSelric 1085*f59d82ffSelric * lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache 1086*f59d82ffSelric 1087*f59d82ffSelric * lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket 1088*f59d82ffSelric 1089*f59d82ffSelric * lib/krb5/krb5_config.3: document krb5_config_free_strings and 1090*f59d82ffSelric krb5_config_file_free 1091*f59d82ffSelric 1092*f59d82ffSelric * lib/krb5/krb5_create_checksum.3: add krb5_hmac 1093*f59d82ffSelric 1094*f59d82ffSelric * lib/krb5/krb5.3: add keyblock functions, 190 functions to go 1095*f59d82ffSelric 1096*f59d82ffSelric * lib/krb5/krb5_keyblock.3: update .Dd 1097*f59d82ffSelric 1098*f59d82ffSelric * lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and 1099*f59d82ffSelric krb5_generate_random_keyblock 1100*f59d82ffSelric 1101*f59d82ffSelric * lib/krb5/krb5_init_context.3: add krb5_init_ets 1102*f59d82ffSelric 1103*f59d82ffSelric * lib/krb5/krb5_config.3: add more krb5_config_ functions and 1104*f59d82ffSelric prototypes 1105*f59d82ffSelric 1106*f59d82ffSelric * lib/krb5/krb5_init_context.3: document context modifcation 1107*f59d82ffSelric functions: address list, config file, use admin kdc, fcc version 1108*f59d82ffSelric 1109*f59d82ffSelric * lib/krb5/krb5_storage.3: document krb5_storage and related 1110*f59d82ffSelric functions 1111*f59d82ffSelric 1112*f59d82ffSelric * lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc 1113*f59d82ffSelric manpages and test_acl test program 1114*f59d82ffSelric 1115*f59d82ffSelric * lib/krb5/krb5.3: add error string functions and sort 1116*f59d82ffSelric 1117*f59d82ffSelric * lib/krb5/krb5_warn.3: document krb5_abort and error string 1118*f59d82ffSelric functions 1119*f59d82ffSelric 1120*f59d82ffSelric * lib/krb5/krb5.3: add missing functions, only 285 left to 1121*f59d82ffSelric document 1122*f59d82ffSelric 1123*f59d82ffSelric * lib/krb5/krb5_crypto_init.3: remove 
various enctype related 1124*f59d82ffSelric function 1125*f59d82ffSelric 1126*f59d82ffSelric * lib/krb5/krb5_encrypt.3: add various enctype related function 1127*f59d82ffSelric here 1128*f59d82ffSelric 1129*f59d82ffSelric * lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid 1130*f59d82ffSelric krb5_cksumtype_valid 1131*f59d82ffSelric 1132*f59d82ffSelric * lib/krb5/crypto.c: real return values for 1133*f59d82ffSelric krb5_{enctype,cksumtype}_valid 1134*f59d82ffSelric 1135*f59d82ffSelric * lib/krb5/krb5_create_checksum.3: add some functions and 1136*f59d82ffSelric descriptions 1137*f59d82ffSelric 1138*f59d82ffSelric * lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions 1139*f59d82ffSelric 1140*f59d82ffSelric * lib/krb5/krb5_auth_context.3: document 1141*f59d82ffSelric krb5_auth_con_generatelocalsubkey 1142*f59d82ffSelric 1143*f59d82ffSelric * lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags 1144*f59d82ffSelric 1145*f59d82ffSelric * lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name 1146*f59d82ffSelric 1147*f59d82ffSelric * lib/krb5/krb5_init_context.3: document krb5_add_et_list 1148*f59d82ffSelric 1149*f59d82ffSelric * lib/krb5/krb524_convert_creds_kdc.3: document 1150*f59d82ffSelric krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache 1151*f59d82ffSelric 1152*f59d82ffSelric * lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_* 1153*f59d82ffSelric 1154*f59d82ffSelric * lib/krb5/test_acl.c: test for generic acl code 1155*f59d82ffSelric 1156*f59d82ffSelric * lib/krb5/acl.c: plug memory leak on file matching, 1157*f59d82ffSelric make it not fall over when no non matching acl, 1158*f59d82ffSelric make fnmatch matching useful by switching arguments 1159*f59d82ffSelric 1160*f59d82ffSelric2004-03-19 Love Hörnquist Åstrand <lha@it.su.se> 1161*f59d82ffSelric 1162*f59d82ffSelric * kdc/config.c: add --builtin-hdb command 1163*f59d82ffSelric 1164*f59d82ffSelric * lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin 
1165*f59d82ffSelric backends 1166*f59d82ffSelric 1167*f59d82ffSelric * doc/setup.texi: include Luke Howard of PADL.COM ldap hdb 1168*f59d82ffSelric documentation 1169*f59d82ffSelric 1170*f59d82ffSelric * doc/win2k.texi: fix bugs in examples, add more restrictions, use 1171*f59d82ffSelric example.com as an example. From: Pavel Ferdan 1172*f59d82ffSelric <xferdan@informatics.muni.cz> 1173*f59d82ffSelric 1174*f59d82ffSelric2004-03-18 Johan Danielsson <joda@pdc.kth.se> 1175*f59d82ffSelric 1176*f59d82ffSelric * lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin] 1177*f59d82ffSelric password_lifetime; from Henry B. Hotz 1178*f59d82ffSelric 1179*f59d82ffSelric2004-03-14 Love Hörnquist Åstrand <lha@it.su.se> 1180*f59d82ffSelric 1181*f59d82ffSelric * lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY 1182*f59d82ffSelric is set send subkey 1183*f59d82ffSelric (generate if needed) 1184*f59d82ffSelric 1185*f59d82ffSelric * lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY 1186*f59d82ffSelric 1187*f59d82ffSelric2004-03-14 Love Hörnquist Åstrand <lha@it.su.se> 1188*f59d82ffSelric 1189*f59d82ffSelric * lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks, 1190*f59d82ffSelric and free memory in error path, assume realloc(NULL, ...) 
works, 1191*f59d82ffSelric factor out common code, indent 1192*f59d82ffSelric 1193*f59d82ffSelric2004-03-12 Love Hörnquist Åstrand <lha@it.su.se> 1194*f59d82ffSelric 1195*f59d82ffSelric * lib/krb5/verify_krb5_conf.c: understand [password_quality] 1196*f59d82ffSelric spelling 1197*f59d82ffSelric 1198*f59d82ffSelric * kuser/kgetcred.1: document --canonicalize 1199*f59d82ffSelric 1200*f59d82ffSelric * kuser/kgetcred.c: add --canonicalize 1201*f59d82ffSelric 1202*f59d82ffSelric2004-03-10 Love Hörnquist Åstrand <lha@it.su.se> 1203*f59d82ffSelric 1204*f59d82ffSelric * lib/krb5/fcache.c (fcc_store_cred): NULL terminate 1205*f59d82ffSelric krb5_config_get_bool_default' arglist 1206*f59d82ffSelric 1207*f59d82ffSelric2004-03-09 Love Hörnquist Åstrand <lha@it.su.se> 1208*f59d82ffSelric 1209*f59d82ffSelric * kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply 1210*f59d82ffSelric 1211*f59d82ffSelric * kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry 1212*f59d82ffSelric 1213*f59d82ffSelric * kdc/pkinit.c: pass client hdb_entry to pk_check_client 1214*f59d82ffSelric 1215*f59d82ffSelric * kdc/kdc_locl.h: pass client hdb_entry to pk_check_client 1216*f59d82ffSelric 1217*f59d82ffSelric * kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since its 1218*f59d82ffSelric more like that language in RFC3280 1219*f59d82ffSelric 1220*f59d82ffSelric * lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since 1221*f59d82ffSelric its more like that language in RFC3280 1222*f59d82ffSelric 1223*f59d82ffSelric * lib/krb5/krb5.conf.5: document 1224*f59d82ffSelric [libdefaults]fcc-mit-ticketflags=boolean 1225*f59d82ffSelric 1226*f59d82ffSelric * lib/krb5/fcache.c (fcc_store_cred): use 1227*f59d82ffSelric [libdefaults]fcc-mit-ticketflags=boolean to decide what format to 1228*f59d82ffSelric write the fcc in. 
Default to mit version (aka heimdal 0.7) 1229*f59d82ffSelric 1230*f59d82ffSelric * lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and 1231*f59d82ffSelric _krb5_store_creds_heimdal_pre_0_7 that store the creds in just 1232*f59d82ffSelric that format make krb5_store_creds default to mit format 1233*f59d82ffSelric 1234*f59d82ffSelric * lib/krb5/store.c (krb5_ret_creds): Runtime detect the what is 1235*f59d82ffSelric the higher bits of the bitfield 1236*f59d82ffSelric 1237*f59d82ffSelric2004-03-08 Love Hörnquist Åstrand <lha@it.su.se> 1238*f59d82ffSelric 1239*f59d82ffSelric * lib/krb5/store.c (krb5_store_creds): add disabled code that 1240*f59d82ffSelric store the ticket flags in reverse order 1241*f59d82ffSelric (bitswap32): new function 1242*f59d82ffSelric 1243*f59d82ffSelric * lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags 1244*f59d82ffSelric are set, its a mit cache, reverse the bits, bug pointed out by 1245*f59d82ffSelric Sergio Gelato <Sergio.Gelato@astro.su.se> 1246*f59d82ffSelric 1247*f59d82ffSelric2004-03-07 Love Hörnquist Åstrand <lha@it.su.se> 1248*f59d82ffSelric 1249*f59d82ffSelric * lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP * 1250*f59d82ffSelric 1251*f59d82ffSelric * kuser/kinit.c: when running kinit with a subprocess, fetch new 1252*f59d82ffSelric tickets after half the tickets lifetime 1253*f59d82ffSelric 1254*f59d82ffSelric * lib/hdb/hdb.c: spelling 1255*f59d82ffSelric 1256*f59d82ffSelric * lib/hdb/hdb-ldap.c: Intergrate Heimdal's hdb-ldap and the Samba 1257*f59d82ffSelric password database. 
From: Andrew Bartlett <abartlet@samba.org> 1258*f59d82ffSelric 1259*f59d82ffSelric * kdc/config.c: add --disable-DES 1260*f59d82ffSelric 1261*f59d82ffSelric * kdc/kdc.8: document --detach and --disable-DES 1262*f59d82ffSelric 1263*f59d82ffSelric * kdc/kerberos5.c: check if enctype is disabled before using it 1264*f59d82ffSelric 1265*f59d82ffSelric * lib/krb5/crypto.c: add support for disabling checksum/encryption 1266*f59d82ffSelric types 1267*f59d82ffSelric 1268*f59d82ffSelric * tools/kdc-log-analyze.pl: add more cases 1269*f59d82ffSelric 1270*f59d82ffSelric * kdc/connect.c: on strange tcp error; log local port number and 1271*f59d82ffSelric socket type 1272*f59d82ffSelric 1273*f59d82ffSelric * lib/asn1/der.h: fix prototype of encode_utf8string 1274*f59d82ffSelric 1275*f59d82ffSelric * lib/asn1/gen.c: catch CHOICE and generate dummy placeholder 1276*f59d82ffSelric 1277*f59d82ffSelric * lib/asn1/lex.l: added dummy parsing of CHOICE 1278*f59d82ffSelric 1279*f59d82ffSelric * lib/asn1/parse.y: added dummy parsing of CHOICE 1280*f59d82ffSelric 1281*f59d82ffSelric * lib/asn1/k5.asn1: drop SMTP_NAME 1282*f59d82ffSelric 1283*f59d82ffSelric2004-03-06 Love Hörnquist Åstrand <lha@it.su.se> 1284*f59d82ffSelric 1285*f59d82ffSelric * lib/hdb/Makefile.am: support building ldap backend as module 1286*f59d82ffSelric sort asn1 hdb files 1287*f59d82ffSelric 1288*f59d82ffSelric * lib/hdb/hdb.c: when building ldap as a shared module, don't 1289*f59d82ffSelric include it in the list 1290*f59d82ffSelric 1291*f59d82ffSelric * configure.in: add --enable-hdb-openldap-module 1292*f59d82ffSelric 1293*f59d82ffSelric * lib/hdb/hdb-ldap.c: make ldap possible to build as a shared 1294*f59d82ffSelric module 1295*f59d82ffSelric 1296*f59d82ffSelric * lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew 1297*f59d82ffSelric Bartlett <abartlet@samba.org> 1298*f59d82ffSelric 1299*f59d82ffSelric * lib/krb5/crypto.c (decrypt_internal_special): do not not modify 1300*f59d82ffSelric the original data 
test case from Ronnie Sahlberg 1301*f59d82ffSelric <ronnie_sahlberg@ozemail.com.au> 1302*f59d82ffSelric 1303*f59d82ffSelric2004-03-03 Love Hörnquist Åstrand <lha@it.su.se> 1304*f59d82ffSelric 1305*f59d82ffSelric * lib/krb5/test_cc.c: more cc tests, mostly related to mcc 1306*f59d82ffSelric behavior 1307*f59d82ffSelric 1308*f59d82ffSelric * lib/krb5/mcache.c (mcc_get_principal): also check for 1309*f59d82ffSelric primary_principal == NULL now that that isn't used as dead flag 1310*f59d82ffSelric 1311*f59d82ffSelric * lib/krb5/mcache.c: don't overload the primary_principal == NULL 1312*f59d82ffSelric as dead since that doesn't always work. Based on patch from 1313*f59d82ffSelric Jeffrey Hutzelman <jhutz@cmu.edu>, tweeked by me 1314*f59d82ffSelric 1315*f59d82ffSelric2004-02-22 Love Hörnquist Åstrand <lha@it.su.se> 1316*f59d82ffSelric 1317*f59d82ffSelric * kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp 1318*f59d82ffSelric 1319*f59d82ffSelric * lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp 1320*f59d82ffSelric 1321*f59d82ffSelric * lib/hdb/db3.c: fix all db >= 4.1 cases 1322*f59d82ffSelric 1323*f59d82ffSelric * doc/setup.texi: add text about hostname to realm mapping using 1324*f59d82ffSelric DNS 1325*f59d82ffSelric 1326*f59d82ffSelric2004-02-20 Love Hörnquist Åstrand <lha@it.su.se> 1327*f59d82ffSelric 1328*f59d82ffSelric * kdc/pkinit.c: update error codes 1329*f59d82ffSelric 1330*f59d82ffSelric * lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_ 1331*f59d82ffSelric 1332*f59d82ffSelric * lib/krb5/pkinit.c: update error codes 1333*f59d82ffSelric 1334*f59d82ffSelric2004-02-19 Love Hörnquist Åstrand <lha@it.su.se> 1335*f59d82ffSelric 1336*f59d82ffSelric * lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort() 1337*f59d82ffSelric 1338*f59d82ffSelric * lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling 1339*f59d82ffSelric 1340*f59d82ffSelric * lib/krb5/store.c: handle memory allocate errors 1341*f59d82ffSelric 
1342*f59d82ffSelric * lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok, 1343*f59d82ffSelric and don't put an error in the error strings then 1344*f59d82ffSelric 1345*f59d82ffSelric2004-02-13 Love Hörnquist Åstrand <lha@it.su.se> 1346*f59d82ffSelric 1347*f59d82ffSelric * kdc/pkinit.c: s/heim_big_integer/heim_integer/ 1348*f59d82ffSelric 1349*f59d82ffSelric * lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/ 1350*f59d82ffSelric 1351*f59d82ffSelric * kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors 1352*f59d82ffSelric 1353*f59d82ffSelric * lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT 1354*f59d82ffSelric errors 1355*f59d82ffSelric 1356*f59d82ffSelric * lib/krb5/heim_err.et: add HEIM_PKINIT specific errors 1357*f59d82ffSelric 1358*f59d82ffSelric2004-02-12 Love Hörnquist Åstrand <lha@it.su.se> 1359*f59d82ffSelric 1360*f59d82ffSelric * configure.in: rename AC_WFLAGS to rk_WFLAGS 1361*f59d82ffSelric 1362*f59d82ffSelric * acinclude.m4: use m4_define, over-quote string 1363*f59d82ffSelric 1364*f59d82ffSelric2004-02-11 Love Hörnquist Åstrand <lha@it.su.se> 1365*f59d82ffSelric 1366*f59d82ffSelric * lib/krb5/init_creds_pw.c (change_password): handle that 1367*f59d82ffSelric printf("%.*s", 0, (void*)NULL); doesn't work on solaris 1368*f59d82ffSelric 1369*f59d82ffSelric2004-02-10 Love Hörnquist Åstrand <lha@it.su.se> 1370*f59d82ffSelric 1371*f59d82ffSelric * kpasswd/kpasswd.c (change_password): handle that printf("%.*s", 1372*f59d82ffSelric 0, (void*)NULL); doesn't work on solaris 1373*f59d82ffSelric 1374*f59d82ffSelric * lib/krb5/krb5.conf.5: don't use path's in first .Nm, it confuses 1375*f59d82ffSelric some locate.updatedb, use FILES section to describe where the file 1376*f59d82ffSelric is instead. 

2004-02-07 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned
	for certain negative integers, it got the length wrong", from
	Panasas, Inc.

	* lib/asn1/der_length.c: Fix len_unsigned for certain negative
	integers, it got the length wrong, fix from Panasas, Inc.

	rename len_int and len_unsigned to _heim_\&

	* lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int

2004-02-06 Dave Love <d.love@dl.ac.uk>

	* configure.in: Check for sys/socket.h, net/if.h. Modify term.h,
	security/pam_appl.h tests.

2004-02-03 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add
	up the size of all the elements, don't use just the size of the
	last element.

	* lib/krb5/aes-test.c: add "next iv" test for aes128, check
	decryption case too

	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
	the next to last block, fix decryption case too

	* lib/krb5/aes-test.c: add "next iv" test for aes128

	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
	the next to last block

	* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
	error

	* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
	error

	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1
	encode error

	* lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode
	error

	* lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1
	encode error

	* lib/krb5/build_auth.c (krb5_build_authenticator): abort on
	internal asn1 encode error

	* lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal
	asn1 encode error

2004-01-30 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/setup.texi: some text about order of [capaths] realms

2004-01-25 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/context.c: register WRFILE ops

	* lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE (same as FILE)

	* lib/krb5/krb5.h: add krb5_wrfkt_ops

	* kpasswd/kpasswdd.c (change): use the right password when
	changing the password

2004-01-21 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it
	means that the filesystem doesn't support locking

	* lib/krb5/keytab.c: remove #if 0 out file locking code

2004-01-19 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/gen_length.c (length_type): TSequenceOf: add up the
	size of all the elements, don't use just the size of the last
	element.

2004-01-13 Love Hörnquist Åstrand <lha@it.su.se>

	* kuser/kinit.c (renew_validate): if renewable_flag and not time
	specified, use "1 month"

2004-01-08 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_keyblock.3: add prototypes, describe
	krb5_keyblock_zero

2004-01-05 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/get_for_creds.c (add_addrs): don't add same address
	multiple times

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to
	handle errors better for previous commit

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets
	are address-less, forward address-less tickets.

	* lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and
	export it