forked from heimdal/heimdal
ChangeLog.2004
2004-12-30 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for
now (used in pkinit)
2004-12-29 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/Makefile.am: add CHECK_SYMBOLS
* lib/hdb/keys.c: make all_etypes static
* lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err
-version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops
* kdc/kerberos5.c: use private version of principalname
* kdc/kerberos4.c: use private version of principalname
* kdc/hpropd.c: use private version of principalname
* kdc/524.c: use private version of principalname
* lib/krb5/rd_req.c: use private version of principalname
* lib/krb5/rd_cred.c: use private version of principalname
* lib/krb5/init_creds_pw.c: use private version of principalname
* lib/krb5/get_in_tkt.c: use private version of principalname
* lib/krb5/asn1_glue.c: make principalname functions private
* lib/krb5/krb5.h: add key usage for server referrals
2004-12-29 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/principal.c: make default_v4_name_convert static
* lib/krb5/crypto.c: make lots of crypto related variables static
* lib/krb5/acache.c: make default_acc_name static
2004-12-28 Love Hörnquist Åstrand <[email protected]>
* doc/setup.texi: add some text about samba, use example.com
* lib/hdb/hdb-ldap.c: Add account expiration for samba from James
F. Hranicky <[email protected]>.
Add LDAP_addmod_integer and use it.
2004-12-27 Love Hörnquist Åstrand <[email protected]>
* doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text
fixes, from Dave Love
2004-12-18 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/heim_threads.h: NetBSD 2.99.11 (and maybe 2.1) just
needs pthread.h, threadlib is dead
2004-12-17 Love Hörnquist Åstrand <[email protected]>
* kdc/config.c (configure): check for deprecated
enforce-transited-policy is set and fail if it is
* lib/asn1/asn1_print.c: don't print garbage for octet strings
2004-12-13 Love Hörnquist Åstrand <[email protected]>
* kdc/main.c (main): catch sigpipe, we don't bother select()ing
for errors
* kdc/connect.c (handle_http_tcp): handle error from write(2)
* doc/setup.texi: clarify credentials refreshing stuff
* doc/setup.texi: add new node: Providing Kerberos credentials to
servers and programs
* doc/whatis.texi: fix spurious cross-reference makeinfo warning
* lib/hdb/hdb-ldap.c (pos): uppercase in character
2004-12-12 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode
nibbles in the other order
* lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if
attribute exists before we try to delete it LDAP__bytes2hex
encodes in strange byte order, is this really right ?
2004-12-11 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all
entries, search for samba accounts too, From: "James F. Hranicky"
* lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid
too
* lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing
both krb5PrincipalName and uid, it must be broken, ignore it and
return that it doesn't exist.
2004-12-10 Love Hörnquist Åstrand <[email protected]>
* kdc/hpropd.8: spelling, from OpenBSD
* kdc/kdc.8: use keeps for options, From OpenBSD k
2004-12-09 Love Hörnquist Åstrand <[email protected]>
* doc/setup.texi: document --random-key and the need to do backup
of the master key
* kdc/kstash.8: add --random-key
* kdc/kstash.c: add --random-key
2004-12-08 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/verify_krb5_conf.8: spelling, from openbsd
* lib/krb5/krb5_init_context.3: spelling, from openbsd
* lib/krb5/krb5.conf.5: spelling, from openbsd
* kuser/kdestroy.1: use keeps around options, spelling, from
openbsd
* kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD
* kdc/hpropd.8: use keeps around options, from OpenBSD
* kdc/hprop.8: use keeps around options, from OpenBSD
2004-11-30 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/context.c (krb5_free_context): clear error string
before destroying mutex
(krb5_init_context): don't call krb5_free_context before there is a
mutex initialized
2004-11-18 Love Hörnquist Åstrand <[email protected]>
* kuser/kinit.c (get_new_tickets): only complain about ticket
renewable lifetime when the user asked for a specific renewable
lifetime
2004-11-15 Love Hörnquist Åstrand <[email protected]>
* kdc/kerberos5.c (find_keys): log what principal is missing
enctypes
2004-11-13 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after
freeing data
* lib/krb5/init_creds_pw.c (change_password): handle old_options
being NULL From Guenther Deschner on samba-technical.
2004-11-12 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5_get_init_creds.3: add more text describing the
krb5_get_init_creds functions
2004-11-11 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work
again
2004-11-10 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb.asn1: use constrained integers
2004-11-09 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5_get_init_creds.3: add description for opt_init,
opt_alloc, opt_free
* lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit
* lib/krb5/init_creds.c: unexport
krb5_get_init_creds_opt_free_pkinit
* lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into
get_init_creds_common
* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in
options NULL, just make a clean copy
2004-11-01 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier
so we don't leak it on error
2004-10-31 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5.conf.5: unbreak 2b entry
* lib/krb5/acache.c (make_cred_from_ccred): the address isn't a
sockaddr but rather a kerberos address, deal with that. Based on
bug report from Jakob Schlyter <[email protected]>.
2004-10-30 Love Hörnquist Åstrand <[email protected]>
* kdc/connect.c: Make sure argument passed to ctype isn't signed
char
2004-10-14 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/pkinit.c: match new error names
* lib/krb5/krb5_err.et: make error messages sane again
2004-10-13 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/keytab.c: use KRB5_KT_BADNAME
* lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major
version bump) add KRB5_DELTAT_BADFORMAT
* lib/krb5/krb5.conf.5: time defaults to "s"
* lib/krb5/time.c (krb5_string_to_deltat): default to "s" again,
MIT's behavior was actually that it failed to parse the number
(and thus used the default). Even better, ticket_lifetime (that
was a consumer supposed a of the interface) was documented but
never implemented, when it was implemented, people's configuration
files started to fail. Also, use KRB5_DELTAT_BADFORMAT as a
failure code.
* lib/asn1/k5.asn1: sync enctypes with pkinit branch
* lib/asn1/parse.y (readd) support negative numbers
* lib/asn1/lex.l: support hex numbers
2004-10-12 Love Hörnquist Åstrand <[email protected]>
* kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS
* lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding
for rc2 don't do padding for blocksize 1
* lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c:
Move keyset parsing and password based keyset generation into hdb.
Requested by Andrew Bartlett <[email protected]> for hdb-ldb
backend.
2004-10-07 Love Hörnquist Åstrand <[email protected]>
* kuser/kinit.c: adapt to new signature of
krb5_get_init_creds_opt_set_pkinit
* lib/krb5/pkinit.c: free openssl engine deal with
RecipientIdentifier -> CMSIdentifier and heim_any -> name change
improve error messages
* kdc/pkinit.c: free openssl engine deal with RecipientIdentifier
-> CMSIdentifier and heim_any -> name change
2004-10-04 Johan Danielsson <[email protected]>
* kuser/klist.c: use rtbl_set_separator
2004-10-03 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/pkinit.c: filter out dup openssl engine keys, parse
user options first
* lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add
openssl engine support for private key
* lib/krb5/crypto.c: support padding as its done in CMS
* kdc/pkinit.c: improve error logging
* kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt
2004-09-30 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5.conf.5: assume minutes for time
* lib/krb5/config_file.c (krb5_config_vget_time_default): use
krb5_string_to_deltat
* lib/krb5/appdefault.c (krb5_appdefault_time): use
krb5_string_to_deltat
* lib/krb5/time.c (krb5_string_to_deltat): set default unit to
minute for compatibility with MIT Kerberos.
2004-09-28 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large
message safe" transport if we get back
KRB5KRB_ERR_RESPONSE_TOO_BIG error. Idea from Guenther Deschner
2004-09-23 Johan Danielsson <[email protected]>
* admin/list.c: use rtbl
* admin/ktutil-commands.in: slc source file
* lib/krb5/constants.c: check
/Library/Preferences/edu.mit.Kerberos on OSX
2004-09-21 Johan Danielsson <[email protected]>
* lib/krb5/time.c (krb5_format_time): check return value from
localtime and strftime
2004-09-14 Johan Danielsson <[email protected]>
* kuser/kinit.c: make sure we don't always get renewable creds
2004-09-11 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/acache.c: use krb5_ccapi.h
* lib/krb5/krb5_ccapi.h: break out krb5 api definitions to
separate (not installed) file
* lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS
since AM_CPPFLAGS overridden by target specific _CPPFLAGS
2004-09-08 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/pkinit.c: make variable shorter, make error messages
from pkinit, make freeing easier
2004-09-06 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen
* lib/krb5/crypto.c (seed_something): avoid poking at memory that
is uninitialized, makes valgrind unhappy. Pointed out by
[email protected]. While here, plug the fd leak.
2004-09-05 Love Hörnquist Åstrand <[email protected]>
* lib/asn1/der_get.c (decode_*): name all tag-length variables the
same
(decode_enumerated): check that the tag-length is not longer than the length
* lib/asn1/der_get.c (decode_boolean): fail if length of tag is
larger than len
2004-08-31 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be
set in case of failure too, free unconditionally on exit to avoid
memory leak
2004-08-23 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after
free
2004-08-20 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/context.c (krb5_get_err_text): if neither of com_right
nor strerror finds the error-code, return Unknown error.
2004-08-19 Johan Danielsson <[email protected]>
* lib/krb5/krb5_kuserok.3: update to reality
* lib/krb5/kuserok.c: if a .k5login file exists, don't give
implicit rights to anyone; also check owner/mode of .k5login
2004-08-15 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3
* lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname
* lib/krb5/krb5.3: add krb5_getportbyname
* lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid
* lib/krb5/krb5_encrypt.3: document krb5_enctype_valid
2004-08-13 Love Hörnquist Åstrand <[email protected]>
* kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes
from the client and filter them out.
* lib/krb5/krb5_string_to_key.3: document krb5_free_salt
2004-08-12 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5_ticket.3: data needs to be freed when using
krb5_ticket_get_authorization_data_type
2004-08-11 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/test_cc.c: test variables in default_cc_name
* lib/krb5/krb5.conf.5: explain support for variables in
[libdefaults]default_cc_name
* lib/krb5/cache.c: drop ${time}, it's not very useful
* lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expands
variables in the default cc name. Supported variables now are:
${time},${uid} and ${null}
* lib/krb5/krb5.conf.5: document default_cc_name
* lib/krb5/cache.c (krb5_cc_set_default_name):
s/libdefault/libdefaults/
2004-08-06 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/acache.c: replace magic 3 with ccapi_version_3
* lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c
* lib/krb5/krb5.h: add krb5_acc_ops
* lib/krb5/acache.c: CCAPI v3 implementation, the read only
support was from Magnus Ahltorp and then extended by me to support
all other operations. Tested with MIT kerberos cc cache
implementation on MacOS 10.3.3
* lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the
default cc name, this is not very useful for general purpose glue
since its not possible to glue in user information (like uid), but
for CCAPI it works just fine
2004-08-05 Love Hörnquist Åstrand <[email protected]>
* kuser/kgetcred.1: document --cache/-c
* kuser/kgetcred.c: allow to specify what credential cache to use
2004-08-03 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3
* lib/krb5/krb5_eai_to_heim_errno.3: document
krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno
* lib/krb5/krb5.3: add krb5_eai_to_heim_errno,
krb5_h_errno_to_heim_errno
2004-07-26 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms
result should be freed with krb5_free_host_realm drop
krb5_get_host_realm text
* lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result
should be freed with krb5_free_host_realm
* lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep
* lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds
* lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator
* lib/krb5/Makefile.am: man_MANS += krb5_rd_error
* lib/krb5/krb5_rd_error.3: krb5_rd_error and friends
* lib/krb5/krb5_warn.3: clarify on what string
krb5_free_error_string should operate on
* lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred
* lib/krb5/Makefile.am: krb5_get_credentials,
krb5_get_forwarded_creds and friends
* lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds
and friends
* lib/krb5/krb5_get_credentials.3: krb5_get_credentials and
friends
2004-07-23 Love Hörnquist Åstrand <[email protected]>
* kuser/klist.c (print_cred_verbose): keytypes are no longer, use
enctype
2004-07-22 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99
compilers, From metze at samba.org
2004-07-20 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/test_cc.c: more cc tests
* lib/krb5/krb5_check_transited.3: document krb5_check_transited
2004-07-19 Love Hörnquist Åstrand <[email protected]>
* kdc/pkinit.c (pk_principal_from_X509): reverse test, makes
principal in cert work From: Mayur Patel <[email protected]>
2004-07-18 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/Makefile.am: add krb5_verify_init_creds.3
* lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds
2004-07-15 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5_set_password.3: spelling from [email protected]
description for krb5_passwd_result_to_string
2004-07-14 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar
fixes; split sentence in two for better understanding. From
[email protected]. Describe krb5_set_password_using_ccache while here.
* lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan
Stone <[email protected]>
* lib/krb5/changepw.c (process_reply): cast ssize_t to long and
print that From NetBSD via Havard Eidnes.
2004-07-09 Love Hörnquist Åstrand <[email protected]>
* configure.in: fix helpstring for hdb-openldap-module
* lib/krb5/test_cc.c: don't use krb5_err on error code 0
2004-07-08 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better
2004-07-02 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const
2004-07-01 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with
right argument
2004-06-27 Johan Danielsson <[email protected]>
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the
krbtgt is without addresses, default to not sending our own
addrport
* lib/asn1/lex.l: add support for /* */ and partial line --
comments
* kuser/Makefile.am: don't install copy_cred_cache manpage
2004-06-24 Johan Danielsson <[email protected]>
* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if
copying a static opt, make sure to allocate the "private" field
2004-06-24 Love <[email protected]>
* kdc/config.c: add enable_pkinit_princ_in_cert
* kdc/kdc_locl.h: enable_pkinit_princ_in_cert
* kdc/pkinit.c: Check certificate for Kerberos Principal in
OtherName of subjectAltName Based on patch from Mayur Patel
2004-06-21 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/get_cred.c (init_tgs_req): if subkey not available, use
session key for authorization-data
2004-06-15 Love Hörnquist Åstrand <[email protected]>
* kdc/connect.c (handle_tcp): note who is what that closed the
connection on us
2004-06-09 Love Hörnquist Åstrand <[email protected]>
* admin/get.c (kt_get): catch errors from krb5_parse_name
2004-06-05 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c: if the entry just contains the
structural object (no samba nor heimdal object), add an aux
heimdal object on to it.
2004-06-02 Love Hörnquist Åstrand <[email protected]>
* kpasswd/kpasswd.c: use krb5_set_password_using_ccache
* lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache
* lib/krb5/changepw.c: implement krb5_set_password_using_ccache
* lib/hdb/hdb-ldap.c: Allow the objectClass to be
"sambaSamAccount" or structural_object when searching for uid
entries.
* lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base
* lib/hdb/hdb-ldap.c: add creation base that defaults to the
search base
* lib/hdb/hdb-ldap.c: indent like the rest of the code
2004-06-01 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c: check return values from ldap operations and
close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you
should retry by yourself.
* lib/hdb/hdb-ldap.c: require search base to be configured, create
local context structure
2004-05-31 Love Hörnquist Åstrand <[email protected]>
* doc/setup.texi: more ldap text, partly from Tarjei Huse
2004-05-28 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c: clean, indent
* lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure
krb5KeyVersionNumber is added on new entries
2004-05-27 Love Hörnquist Åstrand <[email protected]>
* doc/setup.texi: minor fixes, partly from Tarjei Huse
* lib/krb5/krb5.conf.5: some text about dbname and realm
* lib/krb5/krb5.conf.5: default value for
hdb-ldap-structural-object is account
2004-05-26 Love Hörnquist Åstrand <[email protected]>
* tools/Makefile.am: use ! instead of , as sed delimiter
2004-05-25 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions
2004-05-23 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean
* lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure
option
* lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From:
Andrew Bartlett <[email protected]>
* lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length
check From: Andrew Bartlett <[email protected]>
* lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword
case, make sure ent->etypes are allocated, From: Andrew Bartlett
2004-05-14 Love Hörnquist Åstrand <[email protected]>
* kuser/kinit.c: move "setpag if (argc < 1)" to common path
2004-05-12 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers
* fix-export: use right argument for -E
2004-05-06 Johan Danielsson <[email protected]>
* kuser/kinit.c: print some diagnostics if the exec fails
2004-04-29 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key
From: Luke Howard <[email protected]>
* lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket,
not just a pointer size of it From: Luke Howard <[email protected]>
2004-04-28 Love Hörnquist Åstrand <[email protected]>
* fix-export: add -E flag where needed to make-proto
2004-04-26 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/crypto.c: add set_param for RC2
* lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids
that are no longer needed
* kdc/pkinit.c: use krb5_enctype_to_oid
* lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists
before we compare with it
* lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length
before returning it add aes-oids
* lib/krb5/crypto.c: add krb5_enctype_to_oid and
krb5_oid_to_enctype
* kdc/pkinit.c: use krb5_crypto_set_params
* lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none
* lib/krb5/krb5.h: add KEYTYPE_AES192
* lib/krb5/pkinit.c: use krb5_crypto_get_params to implement
kcrypto RC2 support
* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
rc2-cbc XXX RC2CBCParameter is wrong because the compiler is
broken
* lib/krb5/krb5.h: add KEYTYPE_RC2
* lib/krb5/crypto.c: add partial CMS parameter handling, this is
needed for RC2
* lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp
* lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c
* lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp
* lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE
* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken
2004-04-26 Johan Danielsson <[email protected]>
* lib/krb5/config_file.c: allow parsing directly from strings with
krb5_config_parse_string_multi
* lib/krb5/verify_krb5_conf.c: try to resolve hostnames
2004-04-25 Johan Danielsson <[email protected]>
* lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file
descriptor so we don't have to keep track of it in two places
* kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in
libkrb5
* lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its
own manpage
* replace krb5_free_creds_contents by krb5_free_cred_contents
* lib/krb5/cache.c: add krb5_cc_next_cred_match() and
krb5_cc_copy_cred_match()
* lib/krb5/creds.c (krb5_compare_creds): add more matching options
* lib/krb5/krb5.h: add more creds match flags
* kuser/copy_cred_cache: add --valid-for option
* lib/krb5/store.c (krb5_store_creds): set is_skey flag if length
of second ticket is > 0
2004-04-25 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/pkinit.c: use the right oid for pkauthdata
* lib/krb5/pkinit.c: always send both win2k compat version and the
ietf draft one, this is possible since microsoft use
wrong/different PA number. Make the configuration flag boolean
configuring if NOT to send the win2k compat glue.
* lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec
* kuser/copy_cred_cache.1: pacify mdoclint
* kdc/pkinit.c: use IV for envelopeddata encryption, patch
originally from Luke Howard <[email protected]>, tweaked by me.
* lib/krb5/krb5_storage.3: document
KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER
* lib/krb5/krb5_data.3: document that krb5_data_free cleans the
structure too
* lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch
originally from Luke Howard <[email protected]>, tweaked by me.
2004-04-24 Johan Danielsson <[email protected]>
* kuser/copy_cred_cache.{c,1}: add cred cache copy tool
* configure.in: use rk_SYS_LARGEFILE
* lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder
issue with a storage flag instead of a separate function.
2004-04-24 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/pkinit.c: move out the oid check from get_reply_key
* lib/krb5/pkinit.c: uniquify error messages
* lib/krb5/init_creds_pw.c: make the pkinit nonce same as the
plain nonce for now
* lib/krb5/pkinit.c: more w2k compat from Luke Howard
<[email protected]> add RC2 support, clean up error messages
* lib/krb5/pkinit.c: remove more dependency on
krb5_config->pkinit_flags
* lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft
style answer to IETF, From Luke Howard <[email protected]>
(_krb5_pk_create_sign): ms handles NULL in param, so always send it
(_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool }
* lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the
digestAlgorithm to sha1 (both for SignerInfo and SignedData, add
new function _set_digest_alg to set it
2004-04-23 Love Hörnquist Åstrand <[email protected]>
* include/make_crypto.c: include rc2.h, and when I'm here, make
aes mandatory
* lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT
kerberos
* lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on
failure
* lib/krb5/crypto.c (DES3_random_to_key): make it produce the
right result
(DES3_postproc): use DES3_random_to_key
(krb5_random_to_key): check the required number of bits (not the size
of the key)
* lib/krb5/aes-test.c: test random to key function
* lib/krb5/string-to-key-test.c: comment out the "@"/"" test for
now
2004-04-22 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5_string_to_key.3: document that
krb5_string_to_key_derived is broken for non 3des enctypes and
thus deprecated
* kdc/pkinit.c (generate_dh_keyblock): use the new function
krb5_random_to_key
* lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they
need special processing
* lib/krb5/crypto.c (krb5_random_to_key): new function
* lib/krb5/krb5_keyblock.3: document krb5_random_to_key
2004-04-21 Love Hörnquist Åstrand <[email protected]>
* kdc/pkinit.c: use the first proposed enable enctype
* lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the
return from krb5_enctype_valid
* kdc/pkinit.c: at least try to handle different enveloped enctypes
2004-04-21 Love Hörnquist Åstrand <[email protected]>
* lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid
components being smaller than 127 and allocate one extra element
since first byte is split to two elements.
2004-04-20 Love Hörnquist Åstrand <[email protected]>
* lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE:
private use, [email protected]
2004-04-19 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode
DH public key
2004-04-18 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krb5_init_context.3: add krb5_context to so its added
as manpage-link too
2004-04-17 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation,
XXX add locking
* kuser/kdestroy.c: add --credential argument that just remove one
credential entry out of the cache specified
* kdc/pkinit.c: replace the krb5.conf configuration option that
describes the mapping between principals and subject names with a
file, default /var/heimdal/pki-mapping. XXX this should be pushed
into HDB. XXX should add issuer too
* kdc/config.c: merge certificate/private_key to a user_id
2004-04-16 Love Hörnquist Åstrand <[email protected]>
* kdc/kdc_locl.h: update prototype for pk_initialize
* kuser/kinit.c: merge certificate/private_key to a user_id
* kdc/pkinit.c: adapt to heim_integer changes
* lib/krb5/pkinit.c: merge certificate/private_key to a user_id
* kdc/pkinit.c: adapt to heim_integer changes,
merge certificate/private_key to a user_id
2004-04-15 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE
2004-04-13 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building
libkrb5.la, add KRB5_LIB_FUNCTION proto
* lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION
* configure.in: export KRB5_LIB_FUNCTION when building with
BUILD_KRB5_LIB
* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add
error strings
* lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing
is printed on stderr, fflush it
* lib/krb5/krb5_keyblock.3: free functions also zeros out the key
* lib/krb5/krb5_get_init_creds.3: some text about
krb5_prompter_posix
* lib/krb5/krb5.conf.5: document hdb-ldap-structural-object
* lib/krb5/cache.c: add krb5_cc_get_prefix_ops
* lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops
2004-04-05 Love Hörnquist Åstrand <[email protected]>
* appl/test/http_client.c: support GSS_C_DELEG_FLAG and
GSS_C_MUTUAL_FLAG
* appl/test/http_client.c: verbose logging
2004-04-02 Love Hörnquist Åstrand <[email protected]>
* kdc/connect.c: cast size_t to unsigned long for LP64 platforms
2004-04-01 Love Hörnquist Åstrand <[email protected]>
* lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of
default structural object
* tools/Makefile.am: handle sed expression breaking
2004-03-31 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr
* lib/krb5/changepw.c: add tcp support to the set protocol, should
be cleaned up to enable sharing code with krb5_sendto
* kpasswd/kpasswd.c (change_password): remove extra free
* lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on
osf/1
2004-03-30 Love Hörnquist Åstrand <[email protected]>
* lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't
increase md->len, krb5_padata_add already does that
* lib/krb5/init_creds.c: its PAC not PAQ
* kuser/kinit.c: its PAC not PAQ
* kdc/kerberos4.c: stop the client from renewing tickets into the
future From: Jeffrey Hutzelman <[email protected]>