2005 lines
60 KiB
Plaintext
2005 lines
60 KiB
Plaintext
2005-12-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c (tgs_make_reply): less const on hdb_entry_ex to
|
|
make samba happy
|
|
|
|
* fix-export: Build kdc-private.h.
|
|
|
|
2005-12-14 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c (tgs_rep2): also print the principal for which
|
|
the enctype was missing
|
|
|
|
2005-12-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kaserver.c: Finish up transition from hdb_entry to
|
|
hdb_entry_ex.
|
|
|
|
* kdc/kerberos4.c: Finish up transition from hdb_entry to
|
|
hdb_entry_ex.
|
|
|
|
* kdc/524.c: Finish up transition from hdb_entry to hdb_entry_ex.
|
|
|
|
* kdc/kerberos5.c: Finish up transition from hdb_entry with
|
|
hdb_entry_ex.
|
|
|
|
* lib/krb5/cache.c (krb5_cc_set_default_name): use
|
|
KRB5_DEFAULT_CCNAME.
|
|
|
|
* lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME, pointer to
|
|
default credential cache.
|
|
|
|
* lib/hdb/ndbm.c: memset hdb_entry_ex before use
|
|
|
|
* lib/hdb/db3.c: memset hdb_entry_ex before use
|
|
|
|
* lib/hdb/db.c: memset hdb_entry_ex before use
|
|
|
|
2005-12-12 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.3: Add some more entrypoints.
|
|
|
|
* lib/krb5/changepw.c: If there is a target principal, use the
|
|
realm of the realm to change the password with,
|
|
|
|
* kuser/kinit.c: Default to use DH when fetching keys.
|
|
|
|
* lib/hdb, kdc, kadmin/load.c: Wrap hdb_entry with hdb_entry_ex, patch
|
|
originally from Andrew Bartlet
|
|
|
|
* lib/hdb/hdb-ldap.c: Wrap hdb_entry with hdb_entry_ex, add url
|
|
support, add ldapi support.
|
|
|
|
* kdc/kerberos5.c (tgs_make_reply): there are no such things a
|
|
keytypes any more, just use enctypes.
|
|
|
|
* kdc/kdc_locl.h: Remove private prototypes and instead include
|
|
<kdc-private.h>.
|
|
|
|
* kdc/Makefile.am: Build kdc-private.h and depend on it.
|
|
|
|
* kdc/config.c (configure): wrap line
|
|
|
|
* doc/kerberos4.texi: KDC 4 support is always compiled in.
|
|
|
|
* TODO: Remove some stuff that have been done.
|
|
|
|
* Makefile.am: Split long line
|
|
|
|
* doc/apps.texi: Spelling, From Måns Nilsson.
|
|
|
|
* doc/install.texi: spelling, From Måns Nilsson
|
|
|
|
2005-12-11 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_principal.3: Constify principal argument to on
|
|
krb5_principal_get_ functions.
|
|
|
|
* lib/krb5/principal.c: Constify principal argument to on
|
|
krb5_principal_get_ functions.
|
|
|
|
2005-12-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb: drop convert_db, 0.0 to 0.1 transition was a long long
|
|
time ago
|
|
|
|
2005-12-05 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/test_keytab.c: more tests, From Andrew Bartlet
|
|
|
|
* lib/krb5/keytab_memory.c (mkt_remove_entry): realloc can return
|
|
NULL on success in the case 0 entries are allocated, From Andrew
|
|
Bartlet
|
|
|
|
2005-12-02 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/acl.c (acl_parse_format): tmp needs to be freed too on
|
|
failure to parse format specifier.
|
|
|
|
* lib/krb5/store-test.c: Free more of the allocated memory.
|
|
|
|
* lib/krb5/crypto.c (krb5_derive_key): Free more of the allocated
|
|
memory, this function is only used by the test program.
|
|
|
|
* lib/krb5/parse-name-test.c: Free more of the allocated memory.
|
|
|
|
* lib/krb5/derived-key-test.c: Free more of the allocated memory.
|
|
|
|
2005-12-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/setup.texi: spelling, From Måns Nilsson
|
|
|
|
* lib/krb5/krb5_keytab.3: Memory keytab are now named and
|
|
refcounted.
|
|
|
|
* lib/krb5/test_keytab.c: Test that memory keytab are refcounted.
|
|
|
|
* lib/krb5/keytab_memory.c: Index by name and start reference
|
|
counting on entries.
|
|
|
|
2005-11-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.h (krb5_address_type): add
|
|
KRB5_ADDRESS_NETBIOS (20)
|
|
|
|
* lib/hdb/hdb.c (find_method): accept relative paths as old db
|
|
format too.
|
|
|
|
* lib/krb5/aes-test.c: Remove usage of krb5_enctype_to_keytype.
|
|
|
|
2005-11-29 Dave Love <fx@gnu.org>
|
|
|
|
* kcm/connect.c (kcm_loop): Use HAVE_DOOR_CREATE, not HAVE_DOORS.
|
|
|
|
2005-11-29 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/verify_krb5_conf.c (libdefaults_entries): add
|
|
default_cc_name
|
|
|
|
* lib/hdb/hdb.c: Only match db databases on filename starting with
|
|
'/'.
|
|
|
|
* lib/krb5/rd_req.c (krb5_verify_ap_re2): check timestamp in
|
|
authenticator
|
|
|
|
* lib/krb5/rd_req.c (check_transited): explain the TR-type 0
|
|
better and why it matters.
|
|
|
|
* lib/krb5/test_cc.c: test krb5_cc_get_prefix_ops
|
|
|
|
* lib/krb5/cache.c (krb5_cc_get_prefix_ops): change the behavior
|
|
to return NULL when its not found, and fcc when the name starts
|
|
with a '/'. Almost matches behavior in other parts of the code,
|
|
but can't really do that since the name passed in to this function
|
|
may only contain the prefix itself without the colon.
|
|
|
|
* lib/krb5/cache.c (krb5_cc_get_prefix_ops): if there are not
|
|
colon (:) in the name, its a file credential cache
|
|
|
|
* lib/hdb/db3.c (hdb_db_create): use calloc to callocate memory
|
|
|
|
* lib/hdb/ndbm.c (hdb_ndbm_create): use calloc to allocate memory
|
|
|
|
* lib/hdb/db.c (hdb_db_create): use calloc to allocate memory
|
|
|
|
2005-11-28 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use session
|
|
key for delegated credentials
|
|
|
|
* kdc/kerberos5.c (_kdc_as_rep): add comment when we send
|
|
ETYPE-INFO and ETYPE-INFO2, from Andrew Bartlett
|
|
|
|
2005-11-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/keytab.c (krb5_kt_get_full_name): new function
|
|
|
|
2005-11-24 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/test_crypto.c: Split encryption and s2k iterations to
|
|
diffrent counters, 38seconds of aes256 s2k is way too long.
|
|
|
|
* lib/krb5/test_crypto.c: Add timing code for s2k function.
|
|
|
|
2005-11-07 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c: Print the time the principal expired, based on
|
|
patch from Andrew Bartlett.
|
|
|
|
2005-11-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/cache.c (krb5_cc_get_full_name): Add
|
|
|
|
2005-11-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* configure.in: Spelling, From Michael Banck <mbanck@debian.org>
|
|
|
|
2005-10-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kcm/headers.h: Maybe include <sys/param.h>.
|
|
|
|
2005-10-27 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type):
|
|
understand KRB5_AUTHDATA_IF_RELEVANT and KRB5_AUTHDATA_AND_OR (but
|
|
have KRB5_AUTHDATA_KDC_ISSUED commented out for now)
|
|
|
|
2005-10-26 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kuser/klist.c: In the list caches view, rename the Status field
|
|
to Expires.
|
|
|
|
* lib/krb5/krb5_encrypt.3: Fix mdoc for
|
|
krb5_encrypt_EncryptedData, Johnny Lam <jlam@pkgsrc.org>
|
|
|
|
2005-10-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* appl/test/gssapi_client.c: Check return value from asprintf
|
|
instead of string != NULL since it undefined behavior on
|
|
Linux. From Björn Sandell
|
|
|
|
2005-10-21 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/pkinit.c (_krb5_dh_group_ok): if not enough bits are
|
|
generated from the DH groups, fail.
|
|
|
|
* kdc/pkinit.c (get_dh_param): Pass down config so this function
|
|
can check pkinit_dh_min_bits
|
|
|
|
* kdc/config.c: Fill in pkinit_dh_min_bits from configuration
|
|
file.
|
|
|
|
* kdc/kdc.h: Add pkinit_dh_min_bits to krb5_kdc_configuration.
|
|
|
|
2005-10-20 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/pkinit.c: Add option to require binding between reply
|
|
and response for the win2k version of the protocol.
|
|
|
|
2005-10-19 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/programming.texi: Text about Kerberos errors.
|
|
|
|
* lib/krb5/pkinit.c: Try both ReplyKey and ReplyKey-Win2k for the
|
|
Windows case to support the updated -09 protocol (using
|
|
asChecksum). Tell KDC we support this by sending
|
|
KRB5-PADATA-PK-AS-09-BINDING in the pa-data.
|
|
|
|
* lib/krb5/test_cc.c: Test copy FILE -> FILE, and MEMORY -> MEMORY
|
|
too.
|
|
|
|
* lib/krb5/test_cc.c: Test krb5_cc_copy_cache and
|
|
krb5_cc_cache_match.
|
|
|
|
* lib/krb5/cache.c (krb5_cc_cache_match): add function that
|
|
iterates over all credential caches for a user and returns a
|
|
match.
|
|
|
|
* lib/krb5/krb5_ccache.3: Add krb5_cc_start_seq_get and an
|
|
example.
|
|
|
|
2005-10-18 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/programming.texi: Try to explain krb5_ccache, krb5_principal
|
|
and errors.
|
|
|
|
2005-10-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_get_credentials.3: Add example how to use
|
|
krb5_get_credentials.
|
|
|
|
2005-10-12 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/init_creds.c: Rename private to opt_private.
|
|
|
|
* lib/krb5/init_creds_pw.c: Rename private to opt_private.
|
|
|
|
* lib/krb5/pkinit.c: rename element private to opt_private to make
|
|
c++ picky compilers less upset.
|
|
|
|
* lib/krb5/krb5.h (krb5_get_init_creds_opt): rename element
|
|
private to opt_private to make c++ picky compilers less upset.
|
|
|
|
2005-10-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krbhst.c (_krb5_krbhost_info_move): new function
|
|
(_krb5_free_krbhst_info): expose to internal use
|
|
|
|
* lib/krb5/init_creds_pw.c: Prepare to pass down a
|
|
krb5_krbhst_info into the pre-auth mechs
|
|
|
|
* lib/krb5/pkinit.c: Inline short functions, share more code,
|
|
rename COMPAT_27 to COMPAT_IETF, pass down a krb5_krbhst_info for
|
|
verification of KDC info, and general cleaning up.
|
|
|
|
2005-10-07 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am: Install krb5.moduli in sysconfdir.
|
|
|
|
* lib/krb5/krb5_locl.h: rename moduli file to SYSCONFDIR
|
|
"/krb5.moduli"
|
|
|
|
* lib/krb5/krb5_locl.h: Add forward declaration for
|
|
krb5_dh_moduli. Add define for MODULI_FILE.
|
|
|
|
* kdc/pkinit.c: Removing PK-INIT-19 support.
|
|
|
|
* lib/krb5/pkinit.c: Removing PK-INIT-19 support.
|
|
|
|
* lib/krb5/pkinit.c (_krb5_dh_group_ok): return DH group name on
|
|
success.
|
|
(krb5_get_init_creds_opt_set_pkinit): use moduli file if it exists
|
|
|
|
* kdc/pkinit.c: Save DH group name and print it on success.
|
|
|
|
* lib/krb5/pkinit.c (_krb5_dh_group_ok): if q is zero, ignore it.
|
|
|
|
* kdc/pkinit.c: Check dh group parameters from client.
|
|
|
|
* lib/krb5/krb5_err.et: Match error code with pk-init-27.
|
|
|
|
* lib/krb5/pkinit.c: Update error codes. Add name to group. Change
|
|
return value of _krb5_dh_group_ok.
|
|
|
|
* lib/krb5/pkinit.c: Add support for reading a moduli-file for DH
|
|
parameters.
|
|
|
|
2005-10-06 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kuser/klist.1: Document --list-caches
|
|
|
|
* kuser/klist.c: Change short flag of --list-caches to -l (-v is
|
|
already used).
|
|
|
|
2005-10-03 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/kerberos.8: RFC 1510 was obsoleted by 4120.
|
|
|
|
* lib/krb5/acache.c (init_ccapi): return kerberos errors, callers
|
|
expect it
|
|
(acc_get_cache_first): don't leak memory or abort on malloc
|
|
failure
|
|
|
|
2005-10-02 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/kerberos.8: Update text about Kerberos RFC's.
|
|
|
|
2005-10-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kuser/klist.c: Add option --list-caches that lists the avaible
|
|
caches and their status.
|
|
|
|
$ klist --list-caches
|
|
Principal Cache name Status
|
|
lha@E.KTH.SE 2 Valid
|
|
lha@SU.SE 1 Expired
|
|
lha/root@SU.SE 0 Expired
|
|
lha@N.L.NXS.SE Initial default ccache Expired
|
|
|
|
2005-09-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/keytab_keyfile.c: Use all DES keys, not just
|
|
des-cbc-md5, verify that they all are the same.
|
|
|
|
* lib/krb5/mcache.c Implement the cache iteration functions.
|
|
|
|
* lib/krb5/acache.c: Implement the cache iteration functions.
|
|
|
|
* lib/krb5/test_cc.c: Test the new cache iteration functions.
|
|
|
|
* lib/krb5/cache.c: Add cache iteration funcations. Add internal
|
|
allocation function for the memory of a krb5_ccache, and use it.
|
|
|
|
* lib/krb5/krb5.h (krb5_cc_ops): add cache iteration functions
|
|
|
|
2005-09-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_mk_req.3: Remove leftovers, remove extra space.
|
|
|
|
* kdc/kerberos5.c: More verbose PK-INIT logging.
|
|
|
|
* kdc/pkinit.c: The public DH key is encoded as an INTEGER in
|
|
subjectPublicKey. Don't verify OID's for now.
|
|
|
|
* lib/krb5/pkinit.c: Support cached DH variable (still need to
|
|
store it though), don't check the oid of the DH signedData for
|
|
now.
|
|
|
|
2005-09-22 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/rd_cred.c (krb5_rd_cred): try both the session key and
|
|
the sender subkey. Both RFC1510 and RFC4120 say that you have to
|
|
use the session key, Heimdal uses subkey.
|
|
|
|
2005-09-21 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/pkinit.c: Don't check oid's too closely, they change in
|
|
Windows Vista.
|
|
|
|
2005-09-20 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/pkinit.c: Disable sending -19, fix parsing -27 of the
|
|
protocol.
|
|
|
|
* kdc/pkinit.c: Support PK-INIT-27 DH (and remove -19)
|
|
|
|
* lib/krb5/pkinit.c (pk_verify_chain_standard): set cert to NULL
|
|
to make sure its not freed.
|
|
|
|
2005-09-19 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/crypto.c (krb5_DES_string_to_key): If the opaque length
|
|
it set to 1, and content is 0x01, use the afs3 string-to-key.
|
|
|
|
* kdc/kerberos5.c (make_etype_info2_entry): When its a afs3-salted
|
|
key, use send the opaque, length 1 (with content set to 0x01) in
|
|
ETYPE-INFO2-ENTRY.
|
|
|
|
* lib/krb5/kcm.c: Remove signedness warnings.
|
|
|
|
2005-09-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* configure.in: Use libtool's default values for building
|
|
shared/static libaries, ie remove AC_ENABLE_SHARED(no), solves
|
|
building problems users have on Mac OS X.
|
|
|
|
2005-09-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/changepw.c: Constify password.
|
|
|
|
2005-09-05 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_mk_req.3: Document krb5_rd_req.
|
|
|
|
* lib/krb5/Makefile.am: MAN_mans+= krb5_mk_req.3
|
|
|
|
* lib/krb5/krb5_mk_req.3: Document krb5_mk_req, krb5_mk_req_exact,
|
|
krb5_mk_req_extended, krb5_rd_req, krb5_rd_req_with_keyblock,
|
|
krb5_mk_rep, krb5_mk_rep_exact, krb5_mk_rep_extended, krb5_rd_rep,
|
|
krb5_build_ap_req, krb5_verify_ap_req.
|
|
|
|
2005-09-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c (make_etype_info_entry): Dont send salttype at
|
|
all, use KRB5-PADATA-AFS3-SALT
|
|
|
|
2005-08-31 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c (log_timestamp): endtime, not endtype
|
|
|
|
2005-08-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* configure.in: Check for <sys/ucred.h>.
|
|
|
|
* kcm/connect.c (update_client_creds): in case there is no
|
|
UCRED_VERSION, skip LOCAL_PEERCRED
|
|
|
|
* kcm/headers.h: include <sys/ucred.h>
|
|
|
|
2005-08-27 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/rd_req.c (check_transited): Allow empty content of type
|
|
0 because that is was Microsoft generates in their TGT.
|
|
|
|
* kdc/kerberos5.c (fix_transited_encoding): Allow empty content of
|
|
type 0 because that is was Microsoft enerates in their TGT.
|
|
|
|
2005-08-26 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/intro.texi: RFC 4120 replaces RFC 1510
|
|
|
|
2005-08-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* configure.in: Add --disable-afs-support.
|
|
|
|
2005-08-23 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am: Add test_hostname to check_PROGRAMS but
|
|
not TESTS, I have no same dns to use.
|
|
|
|
* lib/krb5/test_hostname.c: Testprogram for krb5_expand_hostname()
|
|
and krb5_expand_hostname_realms().
|
|
|
|
* configure.in: Build KCM if we have doors or unix sockets.
|
|
|
|
* lib/krb5/principal.c (krb5_425_conv_principal_ex2): Remove
|
|
shadowing variable.
|
|
|
|
* lib/krb5/get_host_realm.c (dns_find_realm): Fix const warnings,
|
|
plug memory leak. From: Stefan Metzmacher <metze@samba.org>
|
|
|
|
* lib/krb5/krb5_config.3: Document what happens with NULL to
|
|
krb5_config_free_strings
|
|
(nothing). Mdoc nit.
|
|
|
|
2005-08-22 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kuser/klist.c (check_for_tgt): Re-order code so it only free the
|
|
credential if one was returned.
|
|
|
|
* lib/krb5/test_crypto_wrapping.c: Fix printing of size_t.
|
|
|
|
2005-08-19 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/dbinfo.c: provide interface to find databases
|
|
|
|
* lib/hdb/mkey.c: hdb_seal_key_mkey): dont double encrypt keys
|
|
|
|
2005-08-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kdc_locl.h: Update prototype for _kdc_pk_mk_pa_reply.
|
|
|
|
2005-08-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/init_creds_pw.c: Save the request buffer so that
|
|
pre-auth mechanism that needs it can verify the reply.
|
|
|
|
2005-08-12 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/test_mem.c: Rename logf to avoid shadowing.
|
|
|
|
* lib/krb5/krb5_keytab.3: Fix the version number for
|
|
fcc-mit-ticketflags.
|
|
|
|
* lib/krb5/fcache.c: Revert previous, I was confused.
|
|
|
|
* lib/krb5/krb5_keytab.3: Document fcc-mit-ticketflags in
|
|
COMPATIBILITY section.
|
|
|
|
* lib/krb5/fcache.c (fcc_store_cred): default to MIT style ticket
|
|
flags.
|
|
|
|
* kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break;
|
|
|
|
* lib/krb5/krb5_create_checksum.3: Update prototype for
|
|
krb5_create_checksum.
|
|
|
|
* kdc/pkinit.c: Make compile.
|
|
|
|
* lib/krb5/pkinit.c: Implement verification of asChecksum, now
|
|
client side code is using -27 of the pk-init draft.
|
|
|
|
* kdc/kdc_locl.h: update prototype for _kdc_as_rep
|
|
|
|
* kdc/pkinit.c: Fill in asChecksum, we now implements -27 in the KDC.
|
|
|
|
* kdc/process.c: Pass down the request buffer to _kdc_as_rep().
|
|
|
|
* kdc/kerberos5.c (_kdc_as_rep): Pass down the request buffer to
|
|
_kdc_pk_mk_pa_reply.
|
|
|
|
2005-08-11 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/ext.c: HDB extensions access glue.
|
|
|
|
* kcm/acquire.c: Use krb5_set_password instead of
|
|
krb5_change_password.
|
|
|
|
* configure.in: Add tests/Makefile and tests/db/Makefile.
|
|
|
|
* NEWS: New ASN.1 compiler
|
|
|
|
* lib/hdb/Makefile.am: Build extensions.
|
|
|
|
* lib/hdb/print.c: Print extensions.
|
|
|
|
* lib/hdb/hdb_err.et: Add error "Entry contains unknown mandatory
|
|
extension".
|
|
|
|
* lib/hdb/hdb.h: Update interface version (and indent).
|
|
|
|
* lib/hdb/hdb.asn1: Add support for HDB-extension.
|
|
|
|
2005-08-10 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/test_pkinit_dh2key.c: add tests vectors from
|
|
"Liqiang(Larry) Zhu" <lzhu@windows.microsoft.com>
|
|
|
|
* lib/hdb/mkey.c: Expose the crypto operations on the master key.
|
|
|
|
* lib/krb5/test_pkinit_dh2key.c: even more bits, not done yet
|
|
|
|
2005-08-09 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c (_kdc_as_rep): preserve the error code in the
|
|
ENC-TS case. From: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
* kdc/kerberos5.c (tgs_rep2): only needs to log "Failed to verify
|
|
authenticator" once, its already done by
|
|
tgs_check_authenticator().
|
|
|
|
* kdc/kerberos5.c: Indent strings.
|
|
|
|
* kdc/kerberos5.c (log_timestamp): avoid shadow warnings From:
|
|
Andrew Bartlett <abartlet@samba.org>
|
|
|
|
* lib/krb5/verify_user.c: Add krb5_verify_opt_alloc and
|
|
krb5_verify_opt_free.
|
|
|
|
* lib/krb5/krb5_verify_user.3: Document krb5_verify_opt_alloc and
|
|
krb5_verify_opt_free.
|
|
|
|
* lib/hdb/db3.c (DB_open): catch errors from the d->open calls
|
|
instead of letting them slip though to d->cursor. Bug repport from
|
|
Andrew Bartlett <abartlet@samba.org>
|
|
|
|
2005-07-29 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/Makefile.am (kdc_LDADD): add LDADD
|
|
|
|
2005-07-28 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c (_kdc_as_rep): log what enctypes was using in
|
|
ENC-TS preauth, both for failure and success.
|
|
|
|
* kdc/hprop.c: Use the _krb5_krb_life_to_time function from
|
|
libkrb5 instead of including our own here too.
|
|
|
|
* kdc/kerberos5.c: indent printf strings
|
|
|
|
* lib/hdb/mkey.c (hdb_unseal_key_mkey): try to unseal key with
|
|
keyusage 0 in case the key was encrypted with MIT Kerberos (old
|
|
patch from Johan)
|
|
|
|
2005-07-26 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/pkinit.c: update to pkinit-27
|
|
|
|
2005-07-23 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/pkinit.c: Adapt to IMPLICIT changes in CMS module.
|
|
|
|
2005-07-20 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/test_pkinit_dh2key.c: framework for testing
|
|
_krb5_pk_octetstring2key
|
|
|
|
* kpasswd/kpasswdd.c (doit): krb5_addr2sockaddr takes a
|
|
krb5_socklen_t
|
|
|
|
* kdc/connect.c (de_http): sscanf takes a char *, not unsigned
|
|
ditto, cast approriately
|
|
|
|
* lib/krb5/crypto.c (_krb5_pk_octetstring2key): make sha1 output
|
|
unsigned char to match openssl
|
|
|
|
2005-07-14 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/common.c: Check encoder lengths from ASN1_MALLOC_ENCODE.
|
|
|
|
2005-07-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/rd_cred.c (krb5_rd_cred): don't leak memory
|
|
|
|
* lib/krb5/get_cred.c (krb5_get_credentials_with_flags): only call
|
|
krb5_cc_retrieve_cred once, and plug memory leak.
|
|
|
|
2005-07-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/Makefile.am: the new asn.1 compiler includes the modules
|
|
name in the depend file
|
|
|
|
* lib/krb5/keytab_file.c (fkt_start_seq_get_int): check return
|
|
value from krb5_storage_from_fd
|
|
|
|
* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): client do not contribute
|
|
to the DH when the server doesn't support the cached DH request.
|
|
|
|
* lib/krb5/crypto.c (_krb5_pk_octetstring2key): fix arguments
|
|
|
|
2005-07-12 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/pkinit.c: clean up pk-init DH support, not finished
|
|
yet; improve error reporting
|
|
|
|
* lib/krb5/crypto.c (_krb5_pk_octetstring2key): string2key
|
|
function used in pk-init-25
|
|
|
|
* configure.in: Use a configure switch to turn on PK-INIT, not by
|
|
detecting existence of the new ASN.1 library.
|
|
|
|
* lib/asn1: Much improved ASN.1 compiler from joda-choice-branch.
|
|
|
|
Highlighs for the compiler is support for CHOICE and in general better
|
|
support for tags. This compiler support most of what is needed for
|
|
PK-INIT, LDAP, X.509, PKCS-12 and many other protocols.
|
|
|
|
2005-07-10 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/asn1: make scope variables unique to avoid shadow warnings
|
|
|
|
2005-07-09 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.h: comment out paramenter name in typedef
|
|
functions to avoid shadow warnings
|
|
|
|
* lib/krb5/crypto.c: make input data to krb5_encrypt{,_ivec} const
|
|
|
|
* kuser/klist.c: If there are no addresses, print addressless
|
|
instead of nothing.
|
|
|
|
* lib/krb5/Makefile.am (TESTS): add test_crypto_wrapping
|
|
|
|
* lib/krb5/crypto.c (wrapped_length): the underived encrypted
|
|
types checksum are all unkeyed (matches the code in
|
|
encrypt_internal() and encrypt_internal_special())
|
|
|
|
* lib/krb5/test_crypto_wrapping.c: ETYPE_ARCFOUR_HMAC_MD5_56 isn't
|
|
not supported
|
|
|
|
* lib/krb5/test_crypto_wrapping.c: test encryption wrapping
|
|
|
|
* lib/krb5/test_crypto.c (time_encryption): free cleartext buffer
|
|
|
|
2005-07-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* configure.in: run AM_INIT_AUTOMAKE before AM_PROG_CC_C_O
|
|
otherwise am_aux_dir will be expanded using ac_aux_dir before the
|
|
later is set.
|
|
|
|
* configure.in: check for strings.h explicitly instead of
|
|
depending on AC_HEADER_STDC to check it for us
|
|
|
|
2005-07-07 Assar Westerlund <assar@kth.se>
|
|
|
|
* configure.in: add AM_PROG_CC_C_O for automake 1.9
|
|
|
|
2005-07-06 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/keytab.c (krb5_kt_get_entry): clear error string when
|
|
returning a new error
|
|
|
|
* lib/krb5/keytab.c: krb5_kt_close frees all resources, even on
|
|
error.
|
|
|
|
* lib/krb5/verify_init.c (krb5_verify_init_creds): `entry' unused,
|
|
remove From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
|
|
|
|
2005-07-05 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/win2k.texi: arcfour-hmac-md5 support for windows cross was
|
|
added in w2k3-sp1 From David Love
|
|
|
|
* doc/setup.texi: document kadmin command password-quality instead
|
|
of the not installed test_pw_quality
|
|
|
|
* lib/krb5/krb5_get_init_creds.3: Spelling, from David Love
|
|
|
|
* fix-export: build kdc-protos.h
|
|
|
|
2005-07-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc: prefix pkinit symbols with _kdc
|
|
|
|
* kuser/kinit.c: avoid shadowing variables
|
|
|
|
* kuser: s/optind/optidx/
|
|
|
|
* kdc: adapt pkinit code to libkdc split
|
|
|
|
2005-06-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* tools/Makefile.am: add depency on LIB_dlopen and LIB_door_create
|
|
|
|
* tools/krb5-config.in: add depency on LIB_dlopen and LIB_door_create
|
|
|
|
* kdc/kdc_locl.h: indent, remove dup prototypes
|
|
|
|
* kdc/libkdc: don't pollute namespace, generate public headerfile
|
|
|
|
* lib/krb5/principal.c: add krb5_425_conv_principal_ext2 that work
|
|
just like krb5_425_conv_principal_ext but takes a context variable
|
|
for the verification function
|
|
|
|
* kdc/Makefile.am: there is no export script, not pretend there is
|
|
|
|
* kdc: Merge in the libkdc/kdc configuration split from Andrew
|
|
Bartlet <abartlet@samba.org>
|
|
|
|
* lib/krb5/crypto.c: optionally compile in support for afs string2key
|
|
|
|
* configure.in: add --disable-afs-string-to-key to allow removal
|
|
of support for afs string2key (and dependency on crypt)
|
|
|
|
2005-06-29 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c: Add logging of all timestamps in AS-REQ and
|
|
TGS-REQ, for auditing
|
|
|
|
* kdc/kerberos5.c (as_req): print the supported encryption types
|
|
so its possible to know what clients to update.
|
|
(find_rpath): return const char * and update callers.
|
|
|
|
2005-06-28 Luke Howard <lukeh@padl.com>
|
|
|
|
* kcm/connect.c: fix arguments to kcm_log() when reporting
|
|
sendmsg() error
|
|
|
|
* kcm/connect.c: don't send socket address in msghdr, it
|
|
returns an already connected error on Linux
|
|
|
|
2005-06-24 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/524.c: Always include <krb5-v4compat.h>.
|
|
|
|
2005-06-23 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/intro.texi: no more libdes, gssapi lib is complete
|
|
|
|
* lib/krb5/krb5.conf.5: Documentation for password quality
|
|
control. From: "James F. Hranicky" <jfh@cise.ufl.edu>
|
|
|
|
* lib/krb5/verify_krb5_conf.c (password_quality_entries): add
|
|
min_length and min_classes
|
|
|
|
* kdc/kaserver.c: log the kaserver requests, avoid shadowing
|
|
variables
|
|
|
|
* lib/hdb/db3.c (DB_open): in case of error, close database
|
|
|
|
* lib/hdb/ndbm.c (NDBM_open): in case of error, close database
|
|
|
|
* lib/hdb/db.c (DB_open): in case of error, close database
|
|
|
|
2005-06-20 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kcm/kcm.8: fix example
|
|
|
|
2005-06-17 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/rd_rep.c: indent
|
|
|
|
* lib/krb5/rd_rep.c (krb5_rd_rep): check if
|
|
KRB5_AUTH_CONTEXT_DO_TIME set and use that as a que that timestamp
|
|
should be checked, DCE-STYLE gssapi needs to be able to tweek this
|
|
|
|
* kdc/string2key.c: rename optind to optidx
|
|
|
|
* lib/hdb/convert_db.c: rename optind to optidx
|
|
|
|
* lib/hdb/keytab.c: const poison, add a unconst where needed
|
|
|
|
* lib/krb5/crypto.c (krb5_string_to_key): unconst password
|
|
|
|
* lib/asn1/k5.asn1: rename pvno to krb5-pvno
|
|
|
|
* lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc):
|
|
unconst argument
|
|
|
|
* lib/krb5/verify_krb5_conf.c: rename optind to optidx
|
|
|
|
* lib/krb5/transited.c: rename the temporary string variable to
|
|
`str'
|
|
|
|
* lib/krb5/test_crypto.c: rename optind to optidx
|
|
|
|
* lib/krb5/test_alname.c: rename optind to optidx
|
|
|
|
* lib/krb5/store.c: unconst argument to krb5_store (XXX this
|
|
should be fixed, krb5_store doesn't need to modify its argument)
|
|
|
|
* lib/krb5/send_to_kdc.c (krb5_sendto): remove shadowing
|
|
unnessecery variable ret
|
|
|
|
* lib/krb5/rd_cred.c (krb5_rd_cred): remove shadowing unnessecery
|
|
variable len
|
|
|
|
* lib/krb5/prog_setup.c: rename optind to optidx
|
|
|
|
* lib/krb5/padata.c: rename variable index to idx
|
|
|
|
* lib/krb5/log.c: rename variable time to timestr to avoid
|
|
shadowing
|
|
|
|
* lib/krb5/krbhst.c (krb5_krbhst_init_flags): rename variable to
|
|
avoid shadowing
|
|
|
|
* lib/krb5/krbhst-test.c: rename optind to optidx
|
|
|
|
* lib/krb5/kcm.c: unconst argumen to connect, unconst argument to
|
|
krb5_store (XXX this should be fixed, krb5_store doesn't need to
|
|
modify its argument)
|
|
|
|
* lib/krb5/init_creds_pw.c (default_s2k_func): unconst password
|
|
|
|
* lib/krb5/crypto.c: rename `encrypt' to avoid shadow warning
|
|
|
|
2005-06-16 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/principal.c: rename index to idx
|
|
|
|
* lib/krb5/mk_error.c: use rk_UNCONST
|
|
|
|
* lib/krb5/fcache.c: rename to avoid shadowing
|
|
|
|
* lib/krb5/config_file.c: rename to avoid shadowing
|
|
|
|
* lib/krb5/cache.c (_krb5_expand_default_cc_name): just copy the
|
|
string instead of losing const
|
|
|
|
* lib/krb5/addr_families.c: use rk_UNCONST to silence const
|
|
warning
|
|
|
|
* lib/krb5/addr_families.c: rename sin to sin4
|
|
|
|
* lib/asn1/asn1_print.c: rename optind to optidx, remove shadowed
|
|
variables
|
|
|
|
* lib/asn1/main.c: rename optind to optidx
|
|
|
|
* lib/asn1/gen_copy.c: rename to avoid shadowing
|
|
|
|
* lib/asn1/gen_locl.h: rename function filename to get_filename
|
|
|
|
* lib/asn1/lex.l: use get_filename
|
|
|
|
* lib/asn1/gen.c: rename function filename to get_filename
|
|
|
|
* lib/krb5/acache.c: use HAVE_DLOPEN around cc_handle
|
|
|
|
* configure.in: add headers and prototypes to logwtmp, logout and
|
|
openpty checks
|
|
|
|
* configure.in: include headerfiles and set prototype for tgetent
|
|
|
|
* kdc/kerberos5.c (make_etype_info2_entry): NUL terminate the
|
|
string
|
|
|
|
* kdc/kerberos5.c: replace strndup with inline copy, free data on
|
|
failure
|
|
|
|
* lib/krb5/cache.c (_krb5_expand_default_cc_name): replace strndup
|
|
with inline copy
|
|
|
|
* lib/krb5/log.c: rename close and log to avoid shadow warnings
|
|
|
|
* lib/krb5/get_in_tkt.c: rename index to i to avoid shadowing
|
|
|
|
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): rename two
|
|
of the local `realm' to srealm to avoid shadowing
|
|
|
|
* kdc/kerberos5.c (tgs_rep2): rename one of the tkey to uukey to
|
|
avoid shadow warning
|
|
|
|
* kdc/kerberos5.c (tgs_rep2): rename loop to nloop to avoid shadow
|
|
warning
|
|
|
|
2005-06-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* Release 0.7, see branch
|
|
|
|
2005-06-14 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am: TESTS += test_mem libkrb5_la_SOURCES +=
|
|
kcm.h
|
|
|
|
* kuser/kinit.c (main): catch KRB5_CONFIG_BADFORMAT from
|
|
krb5_init_context
|
|
|
|
* kdc/main.c (main): catch KRB5_CONFIG_BADFORMAT from
|
|
krb5_init_context
|
|
|
|
* lib/krb5/verify_krb5_conf.c (main): catch KRB5_CONFIG_BADFORMAT
|
|
from krb5_init_context From: Mathias Feiler
|
|
<feiler@uni-hohenheim.de>
|
|
|
|
* lib/krb5/verify_krb5_conf.c: Add more missig entires, from
|
|
Mathias Feiler <feiler@uni-hohenheim.de>
|
|
|
|
2005-06-11 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/pkinit.c (pk_principal_from_X509): remember to free
|
|
KRB5PrincipalName
|
|
|
|
* lib/krb5/log.c (krb5_closelog): free all content in
|
|
krb5_log_facility
|
|
|
|
2005-06-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/524.c: init kvno to please gcc
|
|
|
|
* kdc/kaserver.c (do_authenticate): check return value from
|
|
unparse_auth_args
|
|
|
|
2005-06-07 Dave Love <fx@gnu.org>
|
|
|
|
* doc/setup.texi: Spelling.
|
|
|
|
* doc/programming.texi: Spelling.
|
|
|
|
2005-06-02 Dave Love <fx@gnu.org>
|
|
|
|
* kcm/connect.c (kcm_door_server): Make static.
|
|
|
|
* kcm/kcm_locl.h (disallow_getting_krbtgt): Declare.
|
|
|
|
2005-06-02 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/mit_dump.c (mit_prop_dump): cast argument to
|
|
krb5_parse_principal to avoid warning
|
|
|
|
* kdc/mit_dump.c: rename KRB5_TL_MOD_PRINC to
|
|
mit_KRB5_TL_MOD_PRINC to hint its a constant originating from mit
|
|
codebase
|
|
|
|
2005-06-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/store.c: If we are allocating 0 entires, avoid failing
|
|
if ALLOC returns NULL
|
|
|
|
* lib/krb5/verify_krb5_conf.c: Check for [kdc]v4-realm
|
|
|
|
* lib/krb5/cache.c: When returning a new error code, set error
|
|
string.
|
|
|
|
2005-05-31 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/keytab_file.c: Adapt to changed signature of
|
|
_krb5_xunlock, clear more error string where needed.
|
|
|
|
* lib/krb5/fcache.c (_krb5_xunlock): catch the error and turn it
|
|
into something sensable
|
|
|
|
2005-05-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c (tgs_make_reply): copy ok-as-delegate flag from
|
|
server entry to encrypted ticket flags
|
|
|
|
2005-05-30 Johan Danielsson <joda@pdc.kth.se>
|
|
|
|
* kdc/connect.c: rename sendlength to prependlength (which
|
|
hopefully better represents its purpose), and change type to
|
|
krb5_boolean
|
|
|
|
* kdc/connect.c: log signal causing exit
|
|
|
|
* kdc/main.c (sigterm): set exit_flag to signal causing exit;
|
|
(main): trap SIGXCPU
|
|
|
|
2005-05-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kcm/kcm.8: document --disallow-getting-krbtgt and --door-path
|
|
|
|
* kcm/protocol.c (kcm_op_retrieve): check server for krbtgt, not
|
|
client
|
|
|
|
* kcm/main.c: ignore SIGPIPE
|
|
|
|
* kcm/protocol.c: Add option to disallow getting krbtgt out from
|
|
from KCM. KCM will do the fetching part itself.
|
|
|
|
* kcm/config.c: Add option to disallow getting krbtgt out from
|
|
from KCM. KCM will do the fetching part itself.
|
|
|
|
2005-05-30 Luke Howard <lukeh@padl.com>
|
|
|
|
* kcm/events.c: if credentials have expired when attempting
|
|
to renew, attempt to reacquire them using initial creds
|
|
|
|
2005-05-29 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_principal.3: Spelling, from Björn Sandell
|
|
|
|
* doc/setup.texi: spelling, from Björn Sandell
|
|
|
|
* lib/krb5/name-45-test.c: XXX don't run the test unless the
|
|
machine is in kth.se or su.se because it depends on local resolver
|
|
configuration.
|
|
|
|
* lib/hdb/hdb.c: provde RTLD_NOW and RTLD_GLOBAL if they don't
|
|
exists
|
|
|
|
* kcm/connect.c: fix doors support, fix signedness warnings
|
|
|
|
* kcm/config.c: add --door-path=
|
|
|
|
* configure.in: comment what the "detect doors on solaris"
|
|
fragment tries to do
|
|
|
|
* kcm/acquire.c (generate_random_pw): fix signed-ness warnings
|
|
|
|
* kcm/connect.c (update_client_creds): fix compile error in the
|
|
getpeerucred case
|
|
|
|
* lib/krb5/test_cc.c: change format for expantion variables in
|
|
default_cc_name to %{variable} to not confuse them with shell
|
|
ditto
|
|
|
|
* kcm/headers.h: Maybe include <door.h>.
|
|
|
|
* kcm/kcm_locl.h: add extern door_path;
|
|
|
|
* configure.in: detect doors using door_create
|
|
|
|
* kcm/Makefile.am: add dependcy on kcm_protos.h add lib depency on
|
|
LIB_door_create
|
|
|
|
* lib/krb5/kcm.h: add _PATH_KCM_DOOR, default path to kcm door
|
|
|
|
* lib/krb5/kcm.c: use [libdefaults]kcm_door to find the door to
|
|
kcm
|
|
|
|
* lib/krb5/Makefile.am: libkrb5_la_LIBADD += LIB_door_create
|
|
|
|
* lib/krb5/krb5_locl.h: Maybe include <sys/mman.h>, maybe include
|
|
<door.h>.
|
|
|
|
* lib/krb5/kcm.c (kcm_send_request): add support for doing a door
|
|
call to kcm
|
|
|
|
* lib/asn1: prefix Der_class with ASN1_C_ to avoid problems with
|
|
system headerfiles that pollute the name space
|
|
|
|
* kcm/kcm.8: change format for expantion variables in
|
|
default_cc_name to %{variable} to not confuse them with shell
|
|
ditto
|
|
|
|
* lib/krb5/krb5.conf.5: change format for expantion variables in
|
|
default_cc_name to %{variable} to not confuse them with shell
|
|
ditto
|
|
|
|
* lib/krb5/cache.c (_krb5_expand_default_cc_name): change format
|
|
for expantion variables to %{variable} to not confuse them with
|
|
shell ditto
|
|
|
|
* kcm/connect.c: add LOCAL_PEERCRED and experimental doors support
|
|
|
|
2005-05-27 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* appl/kf/kfd.c: case uid_t to unsigned long in printf format
|
|
|
|
2005-05-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_auth_context.3: remove trailing space
|
|
|
|
2005-05-24 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kcm/connect.c (do_request): use sendmsg to send the reply
|
|
|
|
* fix-export: add make_proto for kcm/kcm_protos.h
|
|
|
|
* kcm/kcm_locl.h: remove prototypes and add <kcm_protos.h>
|
|
|
|
* kcm/Makefile.am (kcm_SOURCES): add headerfiles
|
|
(kcm_protos.h): generate prototypes
|
|
|
|
* kcm/protocol.c: fix error in last commit, use right function
|
|
|
|
* kcm/headers.h: include <ucred.h> if we have getpeerucred
|
|
|
|
* configure.in: check for functions getpeerucred and getpeereid
|
|
|
|
* kcm/connect.c (update_client_creds): add support for
|
|
getpeerucred and getpeereid
|
|
|
|
* lib/krb5/kcm.c (kcm_alloc): allow kcm socket to be configured by
|
|
[libdefaults]kcm_socket=/path
|
|
|
|
2005-05-24 David Love <fx@gnu.org>
|
|
|
|
* kcm/kcm.8: KRB5CCNAME needs an literal uid, not ${uid}, spelling
|
|
|
|
2005-05-23 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kcm/protocol.c: Merge the description and function jumptables
|
|
into one structure. Use the length of the array when checking if
|
|
opcode is value, not a constant.
|
|
|
|
* kcm/kcm_locl.h: struct kcm_op: jumptable structure
|
|
|
|
* kcm/main.c: move declaration of detach_from_console away from
|
|
here to kcm_locl.h, Don't test HAVE_DAEMON since roken supplies it.
|
|
|
|
* kcm/kcm_locl.h: move declaration of detach_from_console here
|
|
|
|
* kdc/config.c: Don't test HAVE_DAEMON since roken supplies it.
|
|
|
|
2005-05-23 Dave Love <fx@gnu.org>
|
|
|
|
* kcm/config.c: Don't test HAVE_DAEMON since roken supplies it.
|
|
|
|
* kdc/main.c: Don't test HAVE_DAEMON since roken supplies it.
|
|
|
|
2005-05-23 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_keytab.3: document WRFILE and JAVA14
|
|
|
|
2005-05-20 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krbhst.c (srv_get_hosts): if srv_get_hosts failes,
|
|
return and ignore the error
|
|
|
|
* lib/krb5/krbhst.c (srv_find_realm): make sure `res' and `count'
|
|
have good values
|
|
|
|
* lib/krb5/test_keytab.c: tests all keytab format
|
|
|
|
2005-05-19 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): non non asn1 decoding
|
|
errors, fail. Make sure we free memory on error.
|
|
(pk_verify_chain_standard): make sure we provide good errors.
|
|
|
|
* lib/krb5/verify_krb5_conf.c: add missing options, prompted by
|
|
James F. Hranicky mail to heimdal-discuss
|
|
|
|
* lib/krb5/verify_krb5_conf.c: add pkinit and password quailty
|
|
check options
|
|
|
|
* lib/krb5/pkinit.c (pk_verify_chain_standard): store better error
|
|
message in the context for certificate errors.
|
|
|
|
* lib/krb5/keytab.c (krb5_kt_free_entry): zero out content of all
|
|
krb5_free_x_content like functions to make sure data doesnt get
|
|
reused, idea from Wynn Wilkes <wwilkes@vintela.com>
|
|
|
|
* configure.in: depend on automake 1.8, we don't test anything
|
|
older
|
|
|
|
* lib/krb5/init_creds_pw.c (process_pa_data_to_md): add comment
|
|
that the caller always free out_md; remove comment about memory,
|
|
it doesn't happen.
|
|
(init_cred_loop): free ctx->as_req.padata when its reset (From Wynn
|
|
Wilkes <wwilkes@vintela.com>), move a comment close the the code
|
|
|
|
* lib/krb5/keytab_krb4.c (fkt_remove_entry): need to call
|
|
krb5_kt_free_entry after each krb5_kt_next_entry.
|
|
|
|
* lib/krb5/keytab_file.c (fkt_remove_entry): need to call
|
|
krb5_kt_free_entry after each fkt_next_entry_int. From: Wynn
|
|
Wilkes <wwilkes@vintela.com>
|
|
|
|
2005-05-18 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am: TESTS += test_keytab
|
|
|
|
* lib/krb5/keytab_krb4.c (krb4_kt_remove_entry): plug memory leaks,
|
|
avoid crashing on empty keytab
|
|
|
|
* lib/krb5/krb5_keytab.3: document behavior of
|
|
krb5_kt_remove_entry
|
|
|
|
* lib/krb5/keytab_memory.c (mkt_remove_entry): check if there
|
|
isn't any entries in the keytab before removing any since that
|
|
leads to bad pointer arithmetic and crashing. From: Wynn Wilkes
|
|
<wwilkes@vintela.com>. Make the function return KRB5_KT_NOTFOUND
|
|
if the entry wasn't in the keytab (just like the filebased
|
|
keytab).
|
|
|
|
* lib/krb5/test_keytab.c: test memory corruption in MEMORY keytab
|
|
|
|
* lib/krb5{addr_families,context,creds,free,keyblock,
|
|
mit_glue,rd_error}.c:zero out content of all krb5_free_x_content
|
|
like functions to make sure data doesnt get reused, idea from
|
|
Wynn Wilkes <wwilkes@vintela.com>
|
|
|
|
* lib/krb5/krb5_get_credentials.3: document KRB5_GC_EXPIRED_OK
|
|
|
|
* lib/krb5/krb5.3: add krb5_cc_new_unique
|
|
|
|
2005-05-17 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/fcache.c (fcc_get_first): check return value from
|
|
malloc, memset the structure, make sure cursor doesn't point to
|
|
freed memory on failure. From: Wynn Wilkes <wwilkes@vintela.com>
|
|
|
|
* lib/krb5/krb5_auth_context.3: document
|
|
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
|
|
|
|
* lib/krb5/get_cred.c: Remove expired credentials, based on
|
|
patches and comments from Anders Magnusson <ragge@ltu.se> and Wynn
|
|
Wilkes <wwilkes@vintela.com>
|
|
|
|
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): honor
|
|
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED and create unencrypted
|
|
(ENCTYPE_NULL) credentials. for use with old mit server and java based
|
|
ones as they can't handle encrypted KRB-CRED. Note that the option
|
|
needs to turned on because if the consumer sends the KRB-CRED in
|
|
clear bad things will happen.
|
|
|
|
* lib/krb5/context.c (krb5_init_context): register krb5_javakt_ops
|
|
|
|
* lib/krb5/krb5.h: KRB5_GC_EXPIRED_OK: expired credentials is ok
|
|
to return from krb5_get_credentials.
|
|
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED: make forward credentials
|
|
be unencrypted, for compatibility with mit kerberos and java
|
|
kerberos. krb5_javakt_ops: export
|
|
|
|
2005-05-16 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/keytab_file.c: Add new keytab file format JAVA14 that
|
|
doesn't the use extended kvnos, as hinted, this is needed for
|
|
Java's Kerberos implementation.
|
|
|
|
2005-05-10 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25
|
|
enckey, still no DH
|
|
|
|
* kdc/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 enckey,
|
|
still no DH
|
|
|
|
* kdc/kerberos5.c (as_rep): search for pkinit-9, pkinit-19, and
|
|
pkinit-25 pa-data, return empty pkinit pa-data in the
|
|
PREAUTH_REQUIRED krb-error
|
|
|
|
* doc/ack.texi: add pkinit people
|
|
|
|
* lib/krb5/krb5_storage.3: document krb5_storage_is_flags
|
|
|
|
* lib/krb5/{krb5_compare_creds.3,krb5_get_init_creds.3,
|
|
krb5_krbhst_init.3,krb5_storage.3}:
|
|
make more pretty, from Björn Sandell
|
|
|
|
2005-05-09 Dave Love <fx@gnu.org>
|
|
|
|
* doc/setup.texi: Fix and clarify password quality check examples.
|
|
|
|
2005-05-09 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/kuserok.c (krb5_kuserok): use POSIX_GETPWNAM_R instead
|
|
of HAVE_GETPWNAM_R From: Dave Love <d.love@dl.ac.uk>
|
|
|
|
2005-05-07 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/addr_families.c (krb5_print_address): catch when the
|
|
unknown adress don't fit. From Björn Sandell <biorn@dce.chalmers.se>
|
|
|
|
2005-05-05 Dave Love <d.love@dl.ac.uk>
|
|
|
|
* configure.in: fix type right test, include <termios.h> for
|
|
sys/strtty.h, not sys/ptyvar.h
|
|
|
|
2005-05-05 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.conf.5: spelling
|
|
|
|
2005-05-04 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5.conf.5: expand on what "trailing component" means
|
|
|
|
2005-05-04 Johan Danielsson <joda@pdc.kth.se>
|
|
|
|
* lib/krb5/rd_cred.c: put address comparison in separate function
|
|
|
|
* lib/krb5/krb5_kuserok.3: check the user's ~/.k5login.d directory
|
|
for access files, all of which is handled like the regular
|
|
~/.k5login
|
|
|
|
* lib/krb5/kuserok.c: check the user's ~/.k5login.d directory for
|
|
access files, all of which is handled like the regular ~/.k5login
|
|
|
|
2005-05-03 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/ack.texi: Clearify what version of libdes we are using and
|
|
who's code in it we are using.
|
|
|
|
* kcm/kcm.8: more text about usage
|
|
|
|
* kcm/Makefile.am: man_MANS += kcm.8
|
|
|
|
* kcm/kcm.8: initial manpage
|
|
|
|
* configure.in: if we have a $srcdir/lib/asn1/pkcs12.asn1, define
|
|
PKINIT
|
|
|
|
2005-05-02 Dave Love <fx@gnu.org>
|
|
|
|
* configure.in: sys/tty.h (for sys/ptyvar.h) might need termios.h.
|
|
|
|
2005-05-02 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* tools/krb5-config.in: add com_err to required libs
|
|
|
|
* lib/krb5/pkinit.c (krb5_ui_method_read_string): use the fill in
|
|
length
|
|
|
|
* lib/krb5/init_creds_pw.c: Now that we fixed the signed-ness of
|
|
nonce for windows, remove the code that removed the signed
|
|
bit. Instead add comment that they still need to be the same
|
|
(Kerberos protocol nonce and pk-init nonce) for Windows.
|
|
|
|
2005-05-02 David Love <fx@gnu.org>
|
|
|
|
* lib/krb5/crypto.c: Don't declare des_salt &c as static with
|
|
incomplete type (invalid in c89, at least).
|
|
|
|
2005-05-02 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_locl.h: include <crypt.h>
|
|
|
|
2005-05-02 David Love <fx@gnu.org>
|
|
|
|
* kcm/connect.c (init_socket): rename variable sun to un to avoid
|
|
namespace collision.
|
|
(handle_stream): Cast arg of krb5_warnx.
|
|
|
|
2005-04-30 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/init_creds_pw.c: if we are using PKINIT, strip of the
|
|
highest bit to make windows PK-INIT happy. Also make the nonces
|
|
the same, again for windows, they are using pk-init-9.
|
|
|
|
XXX check if it isn't the that nonce is an unsigned variable so
|
|
its just a asn1 mismatch.
|
|
|
|
* kdc/pkinit.c: pass a NULL prompter data to _krb5_pk_load_openssl_id
|
|
|
|
* kuser/kinit.c: krb5_get_init_creds_opt_set_pkinit
|
|
|
|
* lib/krb5/pkinit.c: Pass prompter data to the prompter function,
|
|
implement a UI prompter function wrapping the kerberos prompter
|
|
function so that the the OpenSSL ENGINE can ask for a password
|
|
when loading the private key. From: Douglas E. Engert
|
|
|
|
* lib/krb5: add <err.h> in test programs
|
|
|
|
* configure.in: sys/ptyvar.h might need <sys/tty.h>
|
|
|
|
* lib/krb5/Makefile.am: use LIB_com_err for libkrb5.la
|
|
|
|
2005-04-29 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/asn1/Makefile.am: use $(LIB_com_err)
|
|
|
|
2005-04-28 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/context.c (krb5_set_config_files): ignore permission
|
|
denied on configuration files, user might not be allowed to read
|
|
/var/heimdal/kdc.conf
|
|
|
|
2005-04-26 Dave Love <fx@gnu.org>
|
|
|
|
* lib/krb5/krb5_locl.h: define _POSIX_PTHREAD_SEMANTICS so we get
|
|
posix getpwnam_r
|
|
|
|
2005-04-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/asn1/gen_glue.c: switch the units variable to a
|
|
function. gcc-4.1 needs the size of the structure if its defined
|
|
as extern struct units foo_units[] an we don't want to include
|
|
<parse_units.h> in the generate headerfile
|
|
|
|
2005-04-25 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/hdb.schema: add EQUALITY rule for krb5ValidStart,
|
|
krb5ValidEnd, krb5PasswordEnd From Howard Chu
|
|
|
|
2005-04-24 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/whatis.texi: comment out docbook stuff for now
|
|
|
|
* kuser/klist.c: use strlcpy
|
|
|
|
* doc/ack.texi: we no longer use eay libdes, make acknowledgment
|
|
still be there, but claim that we no longer use it. Mark editline
|
|
to be a modified version as required by the license.
|
|
|
|
* lib/krb5/pkinit.c: use the unexported oid_to_enctype function
|
|
|
|
* lib/krb5/crypto.c: unexport the oid_to_enctype function, not for
|
|
external consumers
|
|
|
|
* kdc/Makefile.am: always add kaserver
|
|
|
|
* lib/krb5/krb5_ccache.3: document krb5_cc_new_unique
|
|
|
|
* lib/krb5/cache.c (krb5_cc_new_unique): new function to create a
|
|
new credential cache
|
|
|
|
* kdc/headers.h: don't include kerberos 4 headers here
|
|
|
|
* kdc/hpropd.c: include kerberos 4 headers here
|
|
|
|
* kdc/connect.c: add kaserver support independ of having krb4
|
|
support
|
|
|
|
* kdc/config.c: add kaserver support unconditionally, make kdc
|
|
only fail to start when there are no v4 realm configured and
|
|
krb4/kaserver is turned on
|
|
|
|
* kdc/kaserver.c: Use the new Kerberos 4 functions in libkrb5 and
|
|
so kaserver support is always compiled in (still default disabled)
|
|
|
|
* lib/krb5/v4_glue.c: simplify error handling
|
|
|
|
* doc/whatis.texi: add docbook version macro of @sub
|
|
|
|
* doc/heimdal.texi: change the wrapping around the Top node to
|
|
ifnottex, make html generation work
|
|
|
|
* lib/krb5/krb5_krbhst_init.3: spelling, from Björn Sandell
|
|
<biorn@dce.chalmers.se>
|
|
|
|
* lib/krb5/krb5_get_krbhst.3: spelling, from Björn Sandell
|
|
<biorn@dce.chalmers.se>
|
|
|
|
* lib/krb5/krb5_data.3: spelling, from Björn Sandell
|
|
<biorn@dce.chalmers.se>
|
|
|
|
* lib/krb5/krb5_aname_to_localname.3: spelling, from Björn Sandell
|
|
<biorn@dce.chalmers.se>
|
|
|
|
* lib/krb5/krb5_address.3: spelling, from Björn Sandell
|
|
<biorn@dce.chalmers.se>
|
|
|
|
2005-04-23 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/config.c: Use the new Kerberos 4 functions in libkrb5 and so
|
|
kerberos 4 is always compiled in (still default disabled)
|
|
|
|
* kdc/kerberos4.c: Use the new Kerberos 4 functions in libkrb5 and
|
|
so kerberos 4 is always compiled in (still default disabled)
|
|
|
|
* lib/krb5/krb5_locl.h: forward declaration of _krb5_krb_auth_data
|
|
|
|
* lib/krb5/convert_creds.c: Move the kerberos v4 replacement
|
|
functions to v4_glue.c
|
|
|
|
* lib/krb5/v4_glue.c: Implement enough of kerberos 4 protocol to
|
|
be a KDC, move the v4 bits over here
|
|
|
|
* lib/krb5/krb5-v4compat.h: add more v4 defines
|
|
|
|
2005-04-22 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kpasswd/kpasswdd.c: Support multi-realms databases, requires
|
|
that all the realms are configured on the KDC in krb5.conf with
|
|
[libdefaults]default_realm stanzas.
|
|
|
|
2005-04-21 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kerberos5.c: spell succeeded correctly, From Sean Chittenden
|
|
|
|
* lib/krb5/addr_families.c: catch two more snprintf problems
|
|
|
|
2005-04-20 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/Makefile.am: this lib include com_err, add -com_err to
|
|
CHECK_SYMBOLS
|
|
|
|
* appl/test/http_client.c: cast ssize_t to unsigned long, fix
|
|
printf format
|
|
|
|
2005-04-19 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/kuserok.c: use asprintf to avoid truncating pathnames
|
|
|
|
* lib/krb5/get_host_realm.c: check return value of snprintf
|
|
|
|
* lib/krb5/test_addr.c: check address truncation
|
|
|
|
* lib/krb5/addr_families.c: check return values from snprintf and
|
|
clean up semantics of ret_len
|
|
|
|
* lib/krb5/krb5_address.3: clarify what ret_len is in
|
|
krb5_print_address
|
|
|
|
* lib/krb5/test_kuserok.c: add --version and --help
|
|
|
|
* lib/krb5/kuserok.c: use getpwnamn_r if it exists
|
|
|
|
* lib/krb5/Makefile.am: noinst_PROGRAMS += test_kuserok
|
|
|
|
* lib/krb5/test_kuserok.c: test program for krb5_kuserok
|
|
|
|
2005-04-18 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/acache.c (acc_resolve): if open_default_ccache failed
|
|
with ccErrCCacheNotFound try again with create_default_ccache,
|
|
this fixes the problem where the security server apperenly haven't
|
|
started yet on Mac OS X
|
|
|
|
* lib/krb5/get_default_principal.c
|
|
(_krb5_get_default_principal_local): add, for use of functions
|
|
that in ccache layer to avoid recursive calls.
|
|
|
|
* lib/hdb/hdb-ldap.c: drop <ctype.h>, no longer use any of the is*
|
|
macros in this file
|
|
|
|
* include/make_crypto.c: cast to unsigned char to make sure its
|
|
not negative when passing it to is* functions
|
|
|
|
2005-04-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/programming.texi: remove manpage macro, add some more
|
|
references to manpages
|
|
|
|
* doc/heimdal.texi: define manpage macro
|
|
|
|
* doc/setup.texi: document new password policy code
|
|
|
|
* kpasswd/kpasswdd.c: add verifier libraries with
|
|
kadm5_add_passwd_quality_verifier
|
|
|
|
* lib/krb5/krb5_keyblock.3: document krb5_keyblock_init
|
|
|
|
2005-04-14 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kaserver.c: AUTHENTICATE and AUTHENTICATE_V2 is almost the
|
|
same, and clients
|
|
(klog) can deal with that the kaserver returns the same thing for
|
|
both
|
|
|
|
* lib/krb5/keyblock.c: Add krb5_keyblock_init to allocate an fill
|
|
in a keyblock from key data.
|
|
|
|
2005-04-12 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* configure.in: rk_WIN32_EXPORT for roken
|
|
|
|
2005-04-10 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* appl/test/gssapi_server.c: print out client principla of
|
|
delegated credential
|
|
|
|
2005-04-07 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/init_creds_pw.c (process_pa_data_to_key): also check
|
|
for KRB5_PADATA_PK_AS_REP_19, From: Douglas Engert
|
|
|
|
2005-04-07 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* .cvsignore: ignore more generate files
|
|
|
|
2005-04-04 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/asn1/check-der.c: use size_t, print size_t by casting to
|
|
unsigned long
|
|
|
|
* lib/krb5/test_crypto.c: print size_t by casting to unsigned long
|
|
|
|
* lib/krb5/acache.c: Argument to create_new_ccache is a principal,
|
|
not a credential cache name. Clean up lossage related to this
|
|
problem.
|
|
|
|
* lib/hdb/Makefile.am: CHECK_SYMBOLS += HDBFlags2int
|
|
|
|
* lib/krb5/addr_families.c
|
|
(krb5_address_prefixlen_boundary,krb5_free_address):
|
|
use find_atype when we are dealing with a kerberos address type
|
|
|
|
* lib/krb5/aes-test.c: size_t vs int + fix printf
|
|
|
|
* lib/krb5/pkinit.c: Since the decode can't make out the diffrence
|
|
between PA-PK-AS-REP-19 and PA-PK-AS-REQ-Win2k, try harder to
|
|
verify both cases
|
|
|
|
2005-04-03 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* appl/test/uu_client.c: print size_t by casting to unsigned long
|
|
|
|
2005-04-01 Johan Danielsson <joda@pdc.kth.se>
|
|
|
|
* kdc/kerberos4.c (do_version4): check client and server max_life
|
|
|
|
* kdc/kaserver.c (do_getticket): check client max_life
|
|
|
|
2005-03-31 Love <lha@kth.se>
|
|
|
|
* lib/krb5/verify_krb5_conf.c: const poison
|
|
|
|
* lib/krb5/test_alname.c: const poison
|
|
|
|
* lib/asn1/main.c: const poison
|
|
|
|
* lib/krb5/test_addr.c: test parse IPv6 RANGE addresses
|
|
|
|
* lib/krb5/addr_families.c: implement mask boundary for IPv6
|
|
|
|
* lib/asn1/gen.c: avoid const string warnings steming from
|
|
writeable-string
|
|
|
|
2005-03-28 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am: TESTS += test_addr
|
|
|
|
* lib/krb5/test_addr.c: simple test for addresses
|
|
|
|
* lib/krb5/addr_families.c: make RANGE parse prefixlen style
|
|
addresses too, fix printing of RANGE addresses, add
|
|
krb5_address_prefixlen_boundary
|
|
|
|
* lib/krb5/krb5_keytab.3: stop memory leak in example, expand on
|
|
wildcards
|
|
|
|
2005-03-26 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_principal.3: spelling, from Tomas Olsson
|
|
|
|
* lib/krb5/krb5_warn.3: spelling, from Tomas Olsson
|
|
|
|
2005-03-19 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/acache.c: add mutex for global variables, clean up
|
|
returned error codes, implement storing addresses into the ccapi
|
|
|
|
* appl/test/gssapi_server.c: free memory, make error strings match
|
|
|
|
* appl/test/gssapi_server.c: use print_gss_name, print server name
|
|
too
|
|
|
|
* appl/test/gss_common.h (print_gss_name): common code for
|
|
printing gss name
|
|
|
|
* appl/test/gss_common.c (print_gss_name): common code for
|
|
printing gss name
|
|
|
|
* appl/test/http_client.c: Make constent with rest of the gssapi
|
|
test programs
|
|
|
|
2005-03-17 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/keys.c: AES is enabled by default, remove ifdefs
|
|
|
|
* lib/krb5/crypto.c: AES is enabled by default, remove ifdefs
|
|
|
|
* lib/krb5/aes-test.c: use hex encoder from roken AES is enabled
|
|
by default, remove ifdefs
|
|
|
|
* kdc/kerberos5.c: AES is enabled by default, remove ifdefs
|
|
|
|
2005-03-16 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/setup.texi: Add some text about modifying the database
|
|
|
|
2005-03-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kuser/kinit.c: widen lifetime/renewal warning text field, also
|
|
make use of unparse_time_approx, no need to be specific to the
|
|
second when ticket needs to be renewed or their lifetime.
|
|
|
|
* doc/heimdal.texi: copyright maintenance, drop eay, use updated
|
|
UCB license
|
|
|
|
* lib/krb5/crypto.c: more static and unsigned issues
|
|
|
|
* lib/krb5/crypto.c: fix signedness issues, prompted by report of
|
|
Magnus Ahltorp
|
|
|
|
2005-03-13 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/krb5_keytab.3: more text about how to free returned
|
|
resources
|
|
|
|
2005-03-10 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/pkinit.c: handle the -25 generation path
|
|
|
|
* lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_19
|
|
|
|
* lib/krb5/pkinit.c: fold in pk-init-25 asn1 changes
|
|
|
|
2005-03-09 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/pkinit.c: use generated oid's
|
|
|
|
* lib/krb5/pkinit.c: use generated oid's
|
|
|
|
2005-03-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/pkinit.c: update to the asn1 structures used in -25's
|
|
|
|
* lib/krb5/pkinit.c: update to the asn1 structures used in -25's
|
|
|
|
2005-03-04 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/hdb-ldap.c: use the newly written hex function from
|
|
roken and remove the old implementation
|
|
|
|
2005-03-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* appl/test/http_client.c: allow specifing port to connect to
|
|
|
|
2005-02-24 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/Makefile.am: bump version to 21:0:4
|
|
|
|
* lib/hdb/Makefile.am: bump version to 8:0:1
|
|
|
|
* lib/asn1/Makefile.am: bump version to 7:0:1
|
|
|
|
2005-02-23 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/crypto.c (DES_string_to_key_int): must check for weak
|
|
keys after doing the DES_cbc_cksum
|
|
|
|
2005-02-19 Luke Howard <lukeh@padl.com>
|
|
|
|
* lib/krb5/krbhst.c: set KD_CONFIG after calling
|
|
config_get_hosts() in kpasswd_get_next()
|
|
From: Wynn Wilkes <wynnw@vintela.com>
|
|
|
|
2005-02-15 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/hdb/db3.c (DB_open): correct the check for O_RDONLY
|
|
From: Chaskiel M Grundman <cg2v@andrew.cmu.edu>
|
|
|
|
2005-02-09 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/crypto.c (krb5_random_to_key): cast size_t to int to
|
|
make %d work
|
|
|
|
2005-02-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/keytab.c (krb5_kt_get_entry): tell what enctype the
|
|
caller requested to provide the user with a glue what the caller
|
|
was asking for.
|
|
|
|
2005-02-05 Luke Howard <lukeh@padl.com>
|
|
|
|
* lib/krb5/kcm.c: add _krb5_kcm_is_running, _krb5_kcm_noop
|
|
|
|
* kcm/acquire.c: don't leak salt if keyproc called multiple
|
|
times
|
|
|
|
* kcm/config.c: allow KCM system ccache to be configured from
|
|
krb5.conf, in the system_ccache stanza of [kcm]
|
|
|
|
2005-02-03 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kcm/protocol.c: use -1 as the invalid pid number
|
|
|
|
* kcm/connect.c: support SCM_CREDS (for NetBSD)
|
|
|
|
* kcm/Makefile.am: LDADD += LIB_pidfile
|
|
|
|
* kcm/connect.c: make it possible to build on systems without
|
|
SO_PEERCRED (still doesn't work)
|
|
|
|
* kcm/config.c: cast argument to isdigit to unsigned char
|
|
|
|
* lib/krb5/krb5.conf.5: document large_msg_size
|
|
|
|
* lib/krb5/context.c (init_context_from_config_file): init
|
|
large_msg_size to 6000
|
|
|
|
* lib/krb5/krb5.h (krb5_context_data): add large_msg_size,
|
|
threshold where we start to use transport protocols without tiny
|
|
max data transport sizes.
|
|
|
|
* lib/krb5/kcm.h: drop prototypes, they all live in krb5-private.h
|
|
by now
|
|
|
|
2005-02-02 Luke Howard <lukeh@padl.com>
|
|
|
|
* configure.in: generate kcm/Makefile
|
|
|
|
* Makefile.am: recurse into kcm/ if KCM defined
|
|
|
|
* kcm: add KCM daemon
|
|
|
|
2005-02-02 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/send_to_kdc.c (send_and_recv_udp): make private again
|
|
|
|
* lib/krb5/kcm.c: use AF_UNIX like the rest of the codebase, add
|
|
some more error strings
|
|
|
|
2005-02-02 Luke Howard <lukeh@padl.com>
|
|
|
|
* configure.in: add --enable-kcm option for Kerberos
|
|
Credentials Manager (KCM)
|
|
|
|
* lib/krb5/Makefile.am: add kcm.c
|
|
|
|
* lib/krb5/cache.c: use cc_retrieve_cred if present rather
|
|
than enumerating ccache
|
|
|
|
* lib/krb5/context.c: register KCM cc_ops
|
|
|
|
* lib/krb5/get_cred.c: pass all options to cc_retrieve_cred
|
|
|
|
* lib/krb5/init_creds_pw.c: add krb5_get_init_creds_keyblock
|
|
|
|
* lib/krb5/kcm.[ch]: add initial implementation of KCM
|
|
client library
|
|
|
|
* lib/krb5/krb5.h: fix cc_retrieve prototype, add KCM cc_ops
|
|
|
|
* lib/krb5/send_to_kdc.c: add _krb5_send_and_recv_tcp
|
|
|
|
* lib/krb5/store.c: add krb5_store_creds_tag, krb5_ret_creds_tag
|
|
|
|
2005-01-24 Luke Howard <lukeh@padl.com>
|
|
|
|
* lib/krb5/init_creds_pw.c: allow NULL in_options to be passed
|
|
krb5_get_init_creds_password()
|
|
|
|
* kdc/kerberos5.c: don't crash when logging no server etype
|
|
support if client == NULL
|
|
|
|
2005-01-17 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kdc/kstash.c: s/random_key/random_key_flag/, From Dave Love
|
|
<d.love@dl.ac.uk>
|
|
|
|
2005-01-12 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/apps.texi: Texinfo fixes. Text about irix 6.5 using
|
|
PAM. From: Dave Love <d.love@dl.ac.uk>
|
|
|
|
2005-01-08 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/verify_krb5_conf.c: cast argument to isdigit to
|
|
unsigned char
|
|
|
|
* lib/krb5/keytab_keyfile.c: cast argument to toupper to unsigned
|
|
char
|
|
|
|
* lib/asn1/hash.c (hashcaseadd): cast argument to toupper to
|
|
unsigned char
|
|
|
|
* appl/kf/kfd.c (kfd_match_version): cast argument to islower to
|
|
unsigned char
|
|
|
|
* lib/krb5/krb5.3: drop krb5_{checksum,enctype}_is_disabled
|
|
|
|
* lib/krb5/krb5_encrypt.3: drop krb5_enctype_is_disabled, more
|
|
text about krb5_enctype_valid
|
|
|
|
* lib/krb5/krb5_create_checksum.3: drop
|
|
krb5_checksum_is_disabled
|
|
|
|
* lib/krb5/crypto.c: drop krb5_{checksum,enctype}_isdisabled
|
|
|
|
* lib/krb5/context.c: krb5_enctype_is_disabled is the same thing
|
|
as krb5_enctype_valid, so use the later since its older and the
|
|
api doesn't really need another entry point
|
|
|
|
* lib/krb5/rd_req.c: krb5_enctype_is_disabled is the same thing as
|
|
krb5_enctype_valid, so use the later since its older and the api
|
|
doesn't really need another entry point
|
|
|
|
* kdc/kerberos5.c: krb5_enctype_is_disabled is the same thing as
|
|
krb5_enctype_valid, so use the later since its older and the api
|
|
doesn't really need another entry point
|
|
|
|
2005-01-05 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* kpasswd/kpasswdd.8: document --addresses, controls what
|
|
addresses kpasswd should listen too
|
|
|
|
* kpasswd/kpasswdd.c: add --addresses, controls what addresses
|
|
kpasswd should listen too
|
|
|
|
* lib/krb5/addr_families.c (krb5_parse_address): filter out dup
|
|
addresses from getaddrinfo
|
|
|
|
* kpasswd/kpasswd.1: document -c
|
|
|
|
* kpasswd/kpasswd.c: allow specifying a credential cache to use
|
|
for the admin principal
|
|
|
|
* include/bits.c: constify to avoid warning with -Wwrite-string
|
|
|
|
* NEWS: add 0.6.2 and 0.6.3 items
|
|
|
|
* lib/krb5/krb5_keyblock.3: document krb5_generate_subkey_extended
|
|
|
|
* lib/krb5/krb5_is_thread_safe.3: document function
|
|
|
|
* lib/krb5/Makefile.am (man_MANS) += krb5_is_thread_safe.3
|
|
|
|
* lib/krb5/context.c (krb5_is_thread_safe): return TRUE is the
|
|
library was compiled with multithreading support. If not,
|
|
application must global lock the library, it it uses threads that
|
|
call kerberos functions at the same time.
|
|
|
|
2005-01-05 Luke Howard <lukeh@padl.com>
|
|
|
|
* lib/krb5/auth_context.c: use krb5_generate_subkey_extended()
|
|
|
|
* lib/krb5/appdefault.c: remove redundant KRB5_LIB_FUNCTION
|
|
|
|
* lib/krb5/build_auth.c: support for enctype negotiation
|
|
(client sends EtypeList in Authenticator authz data)
|
|
|
|
* lib/krb5/context.c: mutex should be destroyed last in
|
|
krb5_free_context()
|
|
|
|
* lib/krb5/generate_subkey.c: add krb5_generate_subkey_extended(),
|
|
set *subkey to NULL if key geneartion fails
|
|
|
|
* lib/krb5/krb5.h: add KRB5_KU_PA_SERVER_REFERRAL_DATA
|
|
|
|
* lib/krb5/mk_req_ext.c: support ETYPE_ARCFOUR_HMAC_MD5_56
|
|
|
|
* lib/krb5/rd_req.c: support for enctype negotiation
|
|
(client sends EtypeList in Authenticator authz data)
|
|
|
|
2005-01-04 Luke Howard <lukeh@padl.com>
|
|
|
|
* lib/asn1/k5.asn1: add authorization data types for enctype
|
|
negotiation implementation
|
|
|
|
2005-01-04 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* lib/krb5/changepw.c (change_password_loop): on failing to find a
|
|
kdc, set result_code to KRB5_KPASSWD_HARDERROR
|
|
|
|
2005-01-01 Love Hörnquist Åstrand <lha@it.su.se>
|
|
|
|
* doc/heimdal.texi: Happy New Year
|
|
|