mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-30 15:38:06 +01:00
1486 lines
44 KiB
Plaintext
2004-12-30 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for
	now (used in pkinit)

2004-12-29 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/Makefile.am: add CHECK_SYMBOLS

	* lib/hdb/keys.c: make all_etypes static

	* lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err
	-version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops

	* kdc/kerberos5.c: use private version of principalname

	* kdc/kerberos4.c: use private version of principalname

	* kdc/hpropd.c: use private version of principalname

	* kdc/524.c: use private version of principalname

	* lib/krb5/rd_req.c: use private version of principalname

	* lib/krb5/rd_cred.c: use private version of principalname

	* lib/krb5/init_creds_pw.c: use private version of principalname

	* lib/krb5/get_in_tkt.c: use private version of principalname

	* lib/krb5/asn1_glue.c: make principalname functions private

	* lib/krb5/krb5.h: add key usage for server referrals

2004-12-29 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/principal.c: make default_v4_name_convert static

	* lib/krb5/crypto.c: make lots of crypto related variables static

	* lib/krb5/acache.c: make default_acc_name static

2004-12-28 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/setup.texi: add some text about samba, use example.com

	* lib/hdb/hdb-ldap.c: Add account expiration for samba from James
	F. Hranicky <jfh@cise.ufl.edu>.
	Add LDAP_addmod_integer and use it.

2004-12-27 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text
	fixes, from Dave Love

2004-12-18 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/heim_threads.h: NetBSD 2.99.11 (and maybe 2.1) just
	needs pthread.h, threadlib is dead

2004-12-17 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/config.c (configure): check for deprecated
	enforce-transited-policy is set and fail if it is

	* lib/asn1/asn1_print.c: don't print garbage for octet strings

2004-12-13 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/main.c (main): catch sigpipe, we don't bother select()ing
	for errors

	* kdc/connect.c (handle_http_tcp): handle error from write(2)

	* doc/setup.texi: clarify credentials refreshing stuff

	* doc/setup.texi: add new node: Providing Kerberos credentials to
	servers and programs

	* doc/whatis.texi: fix spurious cross-reference makeinfo warning

	* lib/hdb/hdb-ldap.c (pos): uppercase in character

2004-12-12 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode
	nibbles in the other order

	* lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if
	attribute exists before we try to delete it LDAP__bytes2hex
	encodes in strange byte order, is this really right ?

2004-12-11 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all
	entries, search for samba accounts too, From: "James F. Hranicky"
	<jfh@cise.ufl.edu>

	* lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid
	too

	* lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing
	both krb5PrincipalName and uid, it must be broken, ignore it and
	return that it doesn't exist.

2004-12-10 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/hpropd.8: spelling, from OpenBSD

	* kdc/kdc.8: use keeps for options, From OpenBSD k

2004-12-09 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/setup.texi: document --random-key and the need to do backup
	of the master key

	* kdc/kstash.8: add --random-key

	* kdc/kstash.c: add --random-key

2004-12-08 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.8: spelling, from openbsd

	* lib/krb5/krb5_init_context.3: spelling, from openbsd

	* lib/krb5/krb5.conf.5: spelling, from openbsd

	* kuser/kdestroy.1: use keeps around options, spelling, from
	openbsd

	* kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD

	* kdc/hpropd.8: use keeps around options, from OpenBSD

	* kdc/hprop.8: use keeps around options, from OpenBSD

2004-11-30 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/context.c (krb5_free_context): clear error string
	before destroying mutex
	(krb5_init_context): don't call krb5_free_context before there is a
	mutex initialized

2004-11-18 Love Hörnquist Åstrand <lha@it.su.se>

	* kuser/kinit.c (get_new_tickets): only complain about ticket
	renewable lifetime when the user asked for a specific renewable
	lifetime

2004-11-15 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/kerberos5.c (find_keys): log what principal is missing
	enctypes

2004-11-13 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after
	freeing data

	* lib/krb5/init_creds_pw.c (change_password): handle old_options
	being NULL From Guenther Deschner on samba-technical.

2004-11-12 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_get_init_creds.3: add more text describing the
	krb5_get_init_creds functions

2004-11-11 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work
	again

2004-11-10 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb.asn1: use constrained integers

2004-11-09 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_get_init_creds.3: add description for opt_init,
	opt_alloc, opt_free

	* lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit

	* lib/krb5/init_creds.c: unexport
	krb5_get_init_creds_opt_free_pkinit

	* lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into
	get_init_creds_common

	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in
	options NULL, just make a clean copy

2004-11-01 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier
	so we don't leak it on error

2004-10-31 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5.conf.5: unbreak 2b entry

	* lib/krb5/acache.c (make_cred_from_ccred): the address isn't a
	sockaddr but rather a kerberos address, deal with that. Based on
	bug report from Jakob Schlyter <jakob@rfc.se>.

2004-10-30 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/connect.c: Make sure argument passed to ctype isn't signed
	char

2004-10-14 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: match new error names

	* lib/krb5/krb5_err.et: make error messages sane again

2004-10-13 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/keytab.c: use KRB5_KT_BADNAME

	* lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major
	version bump) add KRB5_DELTAT_BADFORMAT

	* lib/krb5/krb5.conf.5: time defaults to "s"

	* lib/krb5/time.c (krb5_string_to_deltat): default to "s" again,
	MIT's behavior was actually that it failed to parse the number
	(and thus used the default). Even better, ticket_lifetime (that
	was supposed to be a consumer of the interface) was documented but
	never implemented, when it was implemented, people's configuration
	files started to fail. Also, use KRB5_DELTAT_BADFORMAT as a
	failure code.

	* lib/asn1/k5.asn1: sync enctypes with pkinit branch

	* lib/asn1/parse.y (readd) support negative numbers

	* lib/asn1/lex.l: support hex numbers

2004-10-12 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS

	* lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding
	for rc2 don't do padding for blocksize 1

	* lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c:
	Move keyset parsing and password based keyset generation into hdb.
	Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb
	backend.

2004-10-07 Love Hörnquist Åstrand <lha@it.su.se>

	* kuser/kinit.c: adapt to new signature of
	krb5_get_init_creds_opt_set_pkinit

	* lib/krb5/pkinit.c: free openssl engine deal with
	RecipientIdentifier -> CMSIdentifier and heim_any -> name change
	improve error messages

	* kdc/pkinit.c: free openssl engine deal with RecipientIdentifier
	-> CMSIdentifier and heim_any -> name change

2004-10-04 Johan Danielsson <joda@pdc.kth.se>

	* kuser/klist.c: use rtbl_set_separator

2004-10-03 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: filter out dup openssl engine keys, parse
	user options first

	* lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add
	openssl engine support for private key

	* lib/krb5/crypto.c: support padding as it's done in CMS

	* kdc/pkinit.c: improve error logging

	* kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt

2004-09-30 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5.conf.5: assume minutes for time

	* lib/krb5/config_file.c (krb5_config_vget_time_default): use
	krb5_string_to_deltat

	* lib/krb5/appdefault.c (krb5_appdefault_time): use
	krb5_string_to_deltat

	* lib/krb5/time.c (krb5_string_to_deltat): set default unit to
	minute for compatibility with MIT Kerberos.

2004-09-28 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large
	message safe" transport if we get back
	KRB5KRB_ERR_RESPONSE_TOO_BIG error. Idea from Guenther Deschner
	<gd@sernet.de>

2004-09-23 Johan Danielsson <joda@pdc.kth.se>

	* admin/list.c: use rtbl

	* admin/ktutil-commands.in: slc source file

	* lib/krb5/constants.c: check
	/Library/Preferences/edu.mit.Kerberos on OSX

2004-09-21 Johan Danielsson <joda@pdc.kth.se>

	* lib/krb5/time.c (krb5_format_time): check return value from
	localtime and strftime

2004-09-14 Johan Danielsson <joda@pdc.kth.se>

	* kuser/kinit.c: make sure we don't always get renewable creds

2004-09-11 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/acache.c: use krb5_ccapi.h

	* lib/krb5/krb5_ccapi.h: break out krb5 api definitions to
	separate (not installed) file

	* lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS
	since AM_CPPFLAGS overridden by target specific _CPPFLAGS

2004-09-08 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: make variable shorter, make error messages
	from pkinit, make freeing easier

2004-09-06 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen

	* lib/krb5/crypto.c (seed_something): avoid poking at memory that
	is uninitialized, make valgrind unhappy. Pointed out by
	abartlet@samba.org. While there, plug the fd leak.

2004-09-05 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/der_get.c (decode_*): name all tag-length variables the
	same
	(decode_enumerated): check that the tag-length is not longer than the length

	* lib/asn1/der_get.c (decode_boolean): fail if length of tag is
	larger than len

2004-08-31 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be
	set in case of failure too, free unconditionally on exit to avoid
	memory leak

2004-08-23 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after
	free

2004-08-20 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/context.c (krb5_get_err_text): if neither of com_right
	nor strerror finds the error-code, return Unknown error.

2004-08-19 Johan Danielsson <joda@pdc.kth.se>

	* lib/krb5/krb5_kuserok.3: update to reality

	* lib/krb5/kuserok.c: if a .k5login file exists, don't give
	implicit rights to anyone; also check owner/mode of .k5login

2004-08-15 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3

	* lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname

	* lib/krb5/krb5.3: add krb5_getportbyname

	* lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid

	* lib/krb5/krb5_encrypt.3: document krb5_enctype_valid

2004-08-13 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes
	from the client and filter them out.

	* lib/krb5/krb5_string_to_key.3: document krb5_free_salt

2004-08-12 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_ticket.3: data needs to be freed when using
	krb5_ticket_get_authorization_data_type

2004-08-11 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/test_cc.c: test variables in default_cc_name

	* lib/krb5/krb5.conf.5: explain support for variables in
	[libdefaults]default_cc_name

	* lib/krb5/cache.c: drop ${time}, it's not very useful

	* lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expands
	variables in the default cc name. Supported variables now are:
	${time},${uid} and ${null}

	* lib/krb5/krb5.conf.5: document default_cc_name

	* lib/krb5/cache.c (krb5_cc_set_default_name):
	s/libdefault/libdefaults/

2004-08-06 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/acache.c: replace magic 3 with ccapi_version_3

	* lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c

	* lib/krb5/krb5.h: add krb5_acc_ops

	* lib/krb5/acache.c: CCAPI v3 implementation, the read only
	support was from Magnus Ahltorp and then extended by me to support
	all other operations. Tested with MIT kerberos cc cache
	implementation on MacOS 10.3.3

	* lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the
	default cc name, this is not very useful for general purpose glue
	since it's not possible to glue in user information (like uid), but
	for CCAPI it works just fine

2004-08-05 Love Hörnquist Åstrand <lha@it.su.se>

	* kuser/kgetcred.1: document --cache/-c

	* kuser/kgetcred.c: allow to specify what credential cache to use

2004-08-03 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3

	* lib/krb5/krb5_eai_to_heim_errno.3: document
	krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno

	* lib/krb5/krb5.3: add krb5_eai_to_heim_errno,
	krb5_h_errno_to_heim_errno

2004-07-26 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms
	result should be freed with krb5_free_host_realm drop
	krb5_get_host_realm text

	* lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result
	should be freed with krb5_free_host_realm

	* lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep

	* lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds

	* lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator

	* lib/krb5/Makefile.am: man_MANS += krb5_rd_error

	* lib/krb5/krb5_rd_error.3: krb5_rd_error and friends

	* lib/krb5/krb5_warn.3: clarify on what string
	krb5_free_error_string should operate on

	* lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred

	* lib/krb5/Makefile.am: krb5_get_credentials,
	krb5_get_forwarded_creds and friends

	* lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds
	and friends

	* lib/krb5/krb5_get_credentials.3: krb5_get_credentials and
	friends

2004-07-23 Love Hörnquist Åstrand <lha@it.su.se>

	* kuser/klist.c (print_cred_verbose): keytypes are no longer, use
	enctype

2004-07-22 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99
	compilers, From metze at samba.org

2004-07-20 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/test_cc.c: more cc tests

	* lib/krb5/krb5_check_transited.3: document krb5_check_transited

2004-07-19 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c (pk_principal_from_X509): reverse test, makes
	principal in cert work From: Mayur Patel <patelm4@rpi.edu>

2004-07-18 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/Makefile.am: add krb5_verify_init_creds.3

	* lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds

2004-07-15 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org
	description for krb5_passwd_result_to_string

2004-07-14 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar
	fixes; split sentence in two for better understanding. From
	wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here.

	* lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan
	Stone <jonathan@dsg.stanford.edu>

	* lib/krb5/changepw.c (process_reply): cast ssize_t to long and
	print that From NetBSD via Havard Eidnes.

2004-07-09 Love Hörnquist Åstrand <lha@it.su.se>

	* configure.in: fix helpstring for hdb-openldap-module

	* lib/krb5/test_cc.c: don't use krb5_err on error code 0

2004-07-08 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better

2004-07-02 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const

2004-07-01 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with
	right argument

2004-06-27 Johan Danielsson <joda@pdc.kth.se>

	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the
	krbtgt is without addresses, default to not sending our own
	addrport

	* lib/asn1/lex.l: add support for /* */ and partial line --
	comments

	* kuser/Makefile.am: don't install copy_cred_cache manpage

2004-06-24 Johan Danielsson <joda@pdc.kth.se>

	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if
	copying a static opt, make sure to allocate the "private" field

2004-06-24 Love <lha@stacken.kth.se>

	* kdc/config.c: add enable_pkinit_princ_in_cert

	* kdc/kdc_locl.h: enable_pkinit_princ_in_cert

	* kdc/pkinit.c: Check certificate for Kerberos Principal in
	OtherName of subjectAltName Based on patch from Mayur Patel
	<patelm4@rpi.edu>

2004-06-21 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/get_cred.c (init_tgs_req): if subkey not available, use
	session key for authorization-data

2004-06-15 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/connect.c (handle_tcp): note who is what that closed the
	connection on us

2004-06-09 Love Hörnquist Åstrand <lha@it.su.se>

	* admin/get.c (kt_get): catch errors from krb5_parse_name

2004-06-05 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: if its the entry just contains the
	structural object (no samba nor heimdal object), add an aux
	heimdal object on to it.

2004-06-02 Love Hörnquist Åstrand <lha@it.su.se>

	* kpasswd/kpasswd.c: use krb5_set_password_using_ccache

	* lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache

	* lib/krb5/changepw.c: implement krb5_set_password_using_ccache

	* lib/hdb/hdb-ldap.c: Allow the objectClass to be
	"sambaSamAccount" or structural_object when searching for uid
	entries.

	* lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base

	* lib/hdb/hdb-ldap.c: add creation base that defaults to the
	search base

	* lib/hdb/hdb-ldap.c: indent like the rest of the code

2004-06-01 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: check return values from ldap operations and
	close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you
	should retry by yourself.

	* lib/hdb/hdb-ldap.c: require search base to be configured, create
	local context structure

2004-05-31 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/setup.texi: more ldap text, partly from Tarjei Huse
	<tarjei@nu.no>

2004-05-28 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: clean, indent

	* lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure
	krb5KeyVersionNumber is added on new entries

2004-05-27 Love Hörnquist Åstrand <lha@it.su.se>

	* doc/setup.texi: minor fixes, partly from Tarjei Huse
	<tarjei@nu.no>

	* lib/krb5/krb5.conf.5: some text about dbname and realm

	* lib/krb5/krb5.conf.5: default value for
	hdb-ldap-structural-object is account

2004-05-26 Love Hörnquist Åstrand <lha@it.su.se>

	* tools/Makefile.am: use ! instead of , as sed delimiter

2004-05-25 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions

2004-05-23 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean

	* lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure
	option

	* lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From:
	Andrew Bartlett <abartlet@samba.org>

	* lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length
	check From: Andrew Bartlett <abartlet@samba.org>

	* lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword
	case, make sure ent->etypes are allocated, From: Andrew Bartlett
	<abartlet@samba.org>

2004-05-14 Love Hörnquist Åstrand <lha@it.su.se>

	* kuser/kinit.c: move "setpag if (argc < 1)" to common path

2004-05-12 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers

	* fix-export: use right argument for -E

2004-05-06 Johan Danielsson <joda@pdc.kth.se>

	* kuser/kinit.c: print some diagnostics if the exec fails

2004-04-29 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key
	From: Luke Howard <lukeh@padl.com>

	* lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket,
	not just a pointer size of it From: Luke Howard <lukeh@padl.com>

2004-04-28 Love Hörnquist Åstrand <lha@it.su.se>

	* fix-export: add -E flag where needed to make-proto

2004-04-26 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/crypto.c: add set_param for RC2

	* lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids
	that are no longer needed

	* kdc/pkinit.c: use krb5_enctype_to_oid

	* lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists
	before we compare with it

	* lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length
	before returning it add aes-oids

	* lib/krb5/crypto.c: add krb5_enctype_to_oid and
	krb5_oid_to_enctype

	* kdc/pkinit.c: use krb5_crypto_set_params

	* lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none

	* lib/krb5/krb5.h: add KEYTYPE_AES192

	* lib/krb5/pkinit.c: use krb5_crypto_get_params to implement
	kcrypto RC2 support

	* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
	rc2-cbc XXX RC2CBCParameter is wrong because the compiler is
	broken

	* lib/krb5/krb5.h: add KEYTYPE_RC2

	* lib/krb5/crypto.c: add partial CMS parameter handling, this is
	needed for RC2

	* lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp

	* lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c

	* lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp

	* lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE

	* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
	rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken

2004-04-26 Johan Danielsson <joda@pdc.kth.se>

	* lib/krb5/config_file.c: allow parsing directly from strings with
	krb5_config_parse_string_multi

	* lib/krb5/verify_krb5_conf.c: try to resolve hostnames

2004-04-25 Johan Danielsson <joda@pdc.kth.se>

	* lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file
	descriptor so we don't have to keep track of it in two places

	* kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in
	libkrb5

	* lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its
	own manpage

	* replace krb5_free_creds_contents by krb5_free_cred_contents

	* lib/krb5/cache.c: add krb5_cc_next_cred_match() and
	krb5_cc_copy_cred_match()

	* lib/krb5/creds.c (krb5_compare_creds): add more matching options

	* lib/krb5/krb5.h: add more creds match flags

	* kuser/copy_cred_cache: add --valid-for option

	* lib/krb5/store.c (krb5_store_creds): set is_skey flag if length
	of second ticket is > 0

2004-04-25 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: use the right oid for pkauthdata

	* lib/krb5/pkinit.c: always send both win2k compat version and the
	ietf draft one, this is possible since microsoft use
	wrong/different PA number. Make the configuration flag boolean
	configuring if NOT to send the win2k compat glue.

	* lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec

	* kuser/copy_cred_cache.1: pacify mdoclint

	* kdc/pkinit.c: use IV for envelopeddata encryption, patch
	originally from Luke Howard <lukeh@padl.com>, tweaked by me.

	* lib/krb5/krb5_storage.3: document
	KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER

	* lib/krb5/krb5_data.3: document that krb5_data_free cleans the
	structure too

	* lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch
	originally from Luke Howard <lukeh@padl.com>, tweaked by me.

2004-04-24 Johan Danielsson <joda@pdc.kth.se>

	* kuser/copy_cred_cache.{c,1}: add cred cache copy tool

	* configure.in: use rk_SYS_LARGEFILE

	* lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder
	issue with a storage flag instead of a separate function.

2004-04-24 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: move out the oid check from get_reply_key

	* lib/krb5/pkinit.c: uniquify error messages

	* lib/krb5/init_creds_pw.c: make the pkinit nonce same as the
	plain nonce for now

	* lib/krb5/pkinit.c: more w2k compat from Luke Howard
	<lukeh@padl.com> add RC2 support, clean up error messages

	* lib/krb5/pkinit.c: remove more dependency on
	krb5_config->pkinit_flags

	* lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft
	style answer to IETF, From Luke Howard <lukeh@padl.com>
	(_krb5_pk_create_sign): ms handles NULL in param, so always send it
	(_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool }

	* lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the
	digestAlgorithm to sha1 (both for SignerInfo and SignedData, add
	new function _set_digest_alg to set it

2004-04-23 Love Hörnquist Åstrand <lha@it.su.se>

	* include/make_crypto.c: include rc2.h, and when I'm here, make
	aes mandatory

	* lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT
	kerberos

	* lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on
	failure

	* lib/krb5/crypto.c (DES3_random_to_key): make it produce the
	right result
	(DES3_postproc): use DES3_random_to_key
	(krb5_random_to_key): check the required number of bits (not the size
	of the key)

	* lib/krb5/aes-test.c: test random to key function

	* lib/krb5/string-to-key-test.c: comment out the "@"/"" test for
	now

2004-04-22 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_string_to_key.3: document that
	krb5_string_to_key_derived is broken for non 3des enctypes and
	thus deprecated

	* kdc/pkinit.c (generate_dh_keyblock): use the new function
	krb5_random_to_key

	* lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they
	need special processing

	* lib/krb5/crypto.c (krb5_random_to_key): new function

	* lib/krb5/krb5_keyblock.3: document krb5_random_to_key

2004-04-21 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/pkinit.c: use the first proposed enable enctype

	* lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the
	return from krb5_enctype_valid

	* kdc/pkinit.c: at least try to handle different enveloped enctypes

2004-04-21 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid
	components being smaller than 127 and allocate one extra element
	since first byte is split to two elements.

2004-04-20 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE:
	private use, lukeh@padl.com

2004-04-19 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode
	DH public key

2004-04-18 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/krb5_init_context.3: add krb5_context to so it's added
	as manpage-link too

2004-04-17 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation,
	XXX add locking

	* kuser/kdestroy.c: add --credential argument that just removes one
	credential entry out of the cache specified

	* kdc/pkinit.c: replace the krb5.conf configuration option that
	describes the mapping between principals and subject names with a
	file, default /var/heimdal/pki-mapping. XXX this should be pushed
	into HDB. XXX should add issuer too

	* kdc/config.c: merge certificate/private_key to a user_id

2004-04-16 Love Hörnquist Åstrand <lha@it.su.se>

	* kdc/kdc_locl.h: update prototype for pk_initialize

	* kuser/kinit.c: merge certificate/private_key to a user_id

	* kdc/pkinit.c: adapt to heim_integer changes

	* lib/krb5/pkinit.c: merge certificate/private_key to a user_id

	* kdc/pkinit.c: adapt to heim_integer changes,
	merge certificate/private_key to a user_id

2004-04-15 Love Hörnquist Åstrand <lha@it.su.se>

	* lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE

2004-04-13 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building
libkrb5.la, add KRB5_LIB_FUNCTION proto

* lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION

* configure.in: export KRB5_LIB_FUNCTION when building with
BUILD_KRB5_LIB

* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add
error strings

* lib/krb5/prompter_posix.c (krb5_prompter_posix): if something
is printed on stderr, fflush it

* lib/krb5/krb5_keyblock.3: free functions also zeros out the key

* lib/krb5/krb5_get_init_creds.3: some text about
krb5_prompter_posix

* lib/krb5/krb5.conf.5: document hdb-ldap-structural-object

* lib/krb5/cache.c: add krb5_cc_get_prefix_ops

* lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops

2004-04-05 Love Hörnquist Åstrand <lha@it.su.se>

* appl/test/http_client.c: support GSS_C_DELEG_FLAG and
GSS_C_MUTUAL_FLAG

* appl/test/http_client.c: verbose logging

2004-04-02 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/connect.c: cast size_t to unsigned long for LP64 platforms

2004-04-01 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of
default structural object

* tools/Makefile.am: handle sed expression breaking

2004-03-31 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr

* lib/krb5/changepw.c: add tcp support to the set protocol, should
be cleaned up to enable sharing code with krb5_sendto

* kpasswd/kpasswd.c (change_password): remove extra free

* lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on
osf/1

2004-03-30 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't
increase md->len, krb5_padata_add already does that

* lib/krb5/init_creds.c: it's PAC not PAQ

* kuser/kinit.c: it's PAC not PAQ

* kdc/kerberos4.c: stop the client from renewing tickets into the
future From: Jeffrey Hutzelman <jhutz@cmu.edu>

2004-03-29 Love Hörnquist Åstrand <lha@it.su.se>

* configure.in: try to handle sys/strtty.h needing sys/stream.h

2004-03-23 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, it's no
longer used

* kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/

* lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to
external users by prefixing it with _

* lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/

* lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external
users by prefixing it with _

2004-03-22 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: add missing }

2004-03-21 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: adapt to change of signature of
_krb5_pk_load_openssl_id

* lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add
prompter argument and use it

* kuser/kinit.c: adapt to signature change of
krb5_get_init_creds_opt_set_pkinit

* lib/krb5/krb5.3: add more stuff, 105 functions to go

* lib/krb5/krb5_rcache.3: add krb5_get_server_rcache

* lib/krb5/krb5_rcache.3: framework for replay cache manpage

* lib/krb5/krb5_string_to_key.3: document string to key functions

* lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3
krb5_find_padata.3 krb5_generate_random_block.3

* lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length

* lib/krb5/krb5.3: add some more, 137 to go

* lib/krb5/krb5_principal.3: document krb5_get_default_principal

* lib/krb5/krb5_keyblock.3: document krb5_generate_subkey

* lib/krb5/krb5_generate_random_block.3: document
krb5_generate_random_block

* lib/krb5/krb5_find_padata.3: document padata functions

* lib/krb5/krb5.3: add some more, 142 to go

* lib/krb5/krb5_creds.3: drop .Pp before .Sh

* lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm

* lib/krb5/krb5_expand_hostname.3: document krb5_expand_hostname
and krb5_expand_hostname_realms

* lib/krb5/krb5.3: add more functions, 147 to go

* lib/krb5/krb5_creds.3: document krb5_creds

* lib/krb5/krb5_get_init_creds.3: add more functions, some more
text

* lib/krb5/krb5_ticket.3: document
krb5_ticket_get_authorization_data_type

2004-03-20 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/aes-test.c: remove #if 0'ed code

* lib/krb5/krb5.3: add keyblock functions, 177 functions to go

* lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache

* lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket

* lib/krb5/krb5_config.3: document krb5_config_free_strings and
krb5_config_file_free

* lib/krb5/krb5_create_checksum.3: add krb5_hmac

* lib/krb5/krb5.3: add keyblock functions, 190 functions to go

* lib/krb5/krb5_keyblock.3: update .Dd

* lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and
krb5_generate_random_keyblock

* lib/krb5/krb5_init_context.3: add krb5_init_ets

* lib/krb5/krb5_config.3: add more krb5_config_ functions and
prototypes

* lib/krb5/krb5_init_context.3: document context modification
functions: address list, config file, use admin kdc, fcc version

* lib/krb5/krb5_storage.3: document krb5_storage and related
functions

* lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc
manpages and test_acl test program

* lib/krb5/krb5.3: add error string functions and sort

* lib/krb5/krb5_warn.3: document krb5_abort and error string
functions

* lib/krb5/krb5.3: add missing functions, only 285 left to
document

* lib/krb5/krb5_crypto_init.3: remove various enctype related
function

* lib/krb5/krb5_encrypt.3: add various enctype related function
here

* lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid
krb5_cksumtype_valid

* lib/krb5/crypto.c: real return values for
krb5_{enctype,cksumtype}_valid

* lib/krb5/krb5_create_checksum.3: add some functions and
descriptions

* lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions

* lib/krb5/krb5_auth_context.3: document
krb5_auth_con_generatelocalsubkey

* lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags

* lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name

* lib/krb5/krb5_init_context.3: document krb5_add_et_list

* lib/krb5/krb524_convert_creds_kdc.3: document
krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache

* lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_*

* lib/krb5/test_acl.c: test for generic acl code

* lib/krb5/acl.c: plug memory leak on file matching,
make it not fall over when no non matching acl,
make fnmatch matching useful by switching arguments

2004-03-19 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/config.c: add --builtin-hdb command

* lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin
backends

* doc/setup.texi: include Luke Howard of PADL.COM ldap hdb
documentation

* doc/win2k.texi: fix bugs in examples, add more restrictions, use
example.com as an example. From: Pavel Ferdan
<xferdan@informatics.muni.cz>

2004-03-18 Johan Danielsson <joda@pdc.kth.se>

* lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin]
password_lifetime; from Henry B. Hotz

2004-03-14 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY
is set send subkey
(generate if needed)

* lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY

2004-03-14 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks,
and free memory in error path, assume realloc(NULL, ...) works,
factor out common code, indent

2004-03-12 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/verify_krb5_conf.c: understand [password_quality]
spelling

* kuser/kgetcred.1: document --canonicalize

* kuser/kgetcred.c: add --canonicalize

2004-03-10 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/fcache.c (fcc_store_cred): NULL terminate
krb5_config_get_bool_default' arglist

2004-03-09 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply

* kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry

* kdc/pkinit.c: pass client hdb_entry to pk_check_client

* kdc/kdc_locl.h: pass client hdb_entry to pk_check_client

* kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since it's
more like that language in RFC3280

* lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since
it's more like that language in RFC3280

* lib/krb5/krb5.conf.5: document
[libdefaults]fcc-mit-ticketflags=boolean

* lib/krb5/fcache.c (fcc_store_cred): use
[libdefaults]fcc-mit-ticketflags=boolean to decide what format to
write the fcc in. Default to mit version (aka heimdal 0.7)

* lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and
_krb5_store_creds_heimdal_pre_0_7 that store the creds in just
that format make krb5_store_creds default to mit format

* lib/krb5/store.c (krb5_ret_creds): Runtime detect the what is
the higher bits of the bitfield

2004-03-08 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/store.c (krb5_store_creds): add disabled code that
store the ticket flags in reverse order
(bitswap32): new function

* lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags
are set, it's a mit cache, reverse the bits, bug pointed out by
Sergio Gelato <Sergio.Gelato@astro.su.se>

2004-03-07 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP *

* kuser/kinit.c: when running kinit with a subprocess, fetch new
tickets after half the tickets lifetime

* lib/hdb/hdb.c: spelling

* lib/hdb/hdb-ldap.c: Integrate Heimdal's hdb-ldap and the Samba
password database. From: Andrew Bartlett <abartlet@samba.org>

* kdc/config.c: add --disable-DES

* kdc/kdc.8: document --detach and --disable-DES

* kdc/kerberos5.c: check if enctype is disabled before using it

* lib/krb5/crypto.c: add support for disabling checksum/encryption
types

* tools/kdc-log-analyze.pl: add more cases

* kdc/connect.c: on strange tcp error; log local port number and
socket type

* lib/asn1/der.h: fix prototype of encode_utf8string

* lib/asn1/gen.c: catch CHOICE and generate dummy placeholder

* lib/asn1/lex.l: added dummy parsing of CHOICE

* lib/asn1/parse.y: added dummy parsing of CHOICE

* lib/asn1/k5.asn1: drop SMTP_NAME

2004-03-06 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/Makefile.am: support building ldap backend as module
sort asn1 hdb files

* lib/hdb/hdb.c: when building ldap as a shared module, don't
include it in the list

* configure.in: add --enable-hdb-openldap-module

* lib/hdb/hdb-ldap.c: make ldap possible to build as a shared
module

* lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew
Bartlett <abartlet@samba.org>

* lib/krb5/crypto.c (decrypt_internal_special): do not modify
the original data test case from Ronnie Sahlberg
<ronnie_sahlberg@ozemail.com.au>

2004-03-03 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/test_cc.c: more cc tests, mostly related to mcc
behavior

* lib/krb5/mcache.c (mcc_get_principal): also check for
primary_principal == NULL now that that isn't used as dead flag

* lib/krb5/mcache.c: don't overload the primary_principal == NULL
as dead since that doesn't always work. Based on patch from
Jeffrey Hutzelman <jhutz@cmu.edu>, tweaked by me

2004-02-22 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp

* lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp

* lib/hdb/db3.c: fix all db >= 4.1 cases

* doc/setup.texi: add text about hostname to realm mapping using
DNS

2004-02-20 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: update error codes

* lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_

* lib/krb5/pkinit.c: update error codes

2004-02-19 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort()

* lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling

* lib/krb5/store.c: handle memory allocate errors

* lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok,
and don't put an error in the error strings then

2004-02-13 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: s/heim_big_integer/heim_integer/

* lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/

* kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors

* lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT
errors

* lib/krb5/heim_err.et: add HEIM_PKINIT specific errors

2004-02-12 Love Hörnquist Åstrand <lha@it.su.se>

* configure.in: rename AC_WFLAGS to rk_WFLAGS

* acinclude.m4: use m4_define, over-quote string

2004-02-11 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/init_creds_pw.c (change_password): handle that
printf("%.*s", 0, (void*)NULL); doesn't work on solaris

2004-02-10 Love Hörnquist Åstrand <lha@it.su.se>

* kpasswd/kpasswd.c (change_password): handle that printf("%.*s",
0, (void*)NULL); doesn't work on solaris

* lib/krb5/krb5.conf.5: don't use paths in first .Nm, it confuses
some locate.updatedb, use FILES section to describe where the file
is instead.

2004-02-07 Love Hörnquist Åstrand <lha@it.su.se>

* lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned
for certain negative integers, it got the length wrong" , from
Panasas, Inc.

* lib/asn1/der_length.c: Fix len_unsigned for certain negative
integers, it got the length wrong, fix from Panasas, Inc.

rename len_int and len_unsigned to _heim_\&

* lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int

2004-02-06 Dave Love <d.love@dl.ac.uk>

* configure.in: Check for sys/socket.h, net/if.h. Modify term.h,
security/pam_appl.h tests.

2004-02-03 Love Hörnquist Åstrand <lha@it.su.se>

* lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add
up the size of all the elements, don't use just the size of the
last element.

* lib/krb5/aes-test.c: add "next iv" test for aes128, check
decryption case too

* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
the next to last block, fix decryption case too

* lib/krb5/aes-test.c: add "next iv" test for aes128

* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
the next to last block

* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
error

* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
error

* lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1
encode error

* lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode
error

* lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1
encode error

* lib/krb5/build_auth.c (krb5_build_authenticator): abort on
internal asn1 encode error

* lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal
asn1 encode error

2004-01-30 Love Hörnquist Åstrand <lha@it.su.se>

* doc/setup.texi: some text about order of [capaths] realms

2004-01-25 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/context.c: register WRFILE ops

* lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE (same as FILE)

* lib/krb5/krb5.h: add krb5_wrfkt_ops

* kpasswd/kpasswdd.c (change): use the right password when
changing the password

2004-01-21 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it
means that the filesystem doesn't support locking

* lib/krb5/keytab.c: remove #if 0 out file locking code

2004-01-19 Love Hörnquist Åstrand <lha@it.su.se>

* lib/asn1/gen_length.c (length_type): TSequenceOf: add up the
size of all the elements, don't use just the size of the last
element.

2004-01-13 Love Hörnquist Åstrand <lha@it.su.se>

* kuser/kinit.c (renew_validate): if renewable_flag and not time
specified, use "1 month"

2004-01-08 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_keyblock.3: add prototypes, describe
krb5_keyblock_zero

2004-01-05 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/get_for_creds.c (add_addrs): don't add same address
multiple times

* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to
handle errors better for previous commit

* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets
are address-less, forward address-less tickets.

* lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and
export it
