ChangeLog.2006
   1  2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
   2  
   3  	* kdc/process.c: Handle kx509 requests.
   4  
   5  	* kdc/connect.c: Listen to 9878 if kca is turned on.
   6  
   7  	* kdc/headers.h: Include <kx509_asn1.h>.
   8  
   9  	* kdc/config.c: code to parse [kdc]enable-kx509
  10  
  11  	* kdc/kdc.h: add enable_kx509
  12  
  13  	* kdc/Makefile.am: add kx509.c
  14  
  15  	* kdc/kx509.c: Kx509server (external certificate generation).
  16  
  17  	* lib/krb5/ticket.c: add krb5_ticket_get_endtime
  18  
  19  	* lib/krb5/krb5_ticket.3: Document krb5_ticket_get_endtime
  20  
  21  	* kdc/digest.c: Remove <digest_asn.h>, it's already included in
  22  	headers.h
  23  
  24  	* kdc/digest.c: Return session key for the NTLMv2 case too
  25  
  26  	* lib/krb5/digest.c (krb5_ntlm_rep_get_sessionkey): return value
  27  	is krb5_error_code
  28  	
  29  2006-12-27  Love Hörnquist Åstrand  <lha@it.su.se>
  30  
  31  	* lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): use md5 for
  32  	des-cbc-md4 and des-cbc-md5.  This is for (older) Windows that
  33  	will be unhappy with anything else.  From Inna Bort-Shatsky
  34  	
  35  2006-12-26  Love Hörnquist Åstrand  <lha@it.su.se>
  36  
  37  	* kdc/digest.c: Prefix internal symbol with _kdc_.
  38  
  39  	* kdc/kdc.h: add digests_allowed
  40  
  41  	* kdc/digest.c: return NTLM2 targetinfo structure.
  42  
  43  	* lib/krb5/digest.c: Add krb5_ntlm_init_get_targetinfo.
  44  
  45  	* kdc/config.c: Parse digest acl's
  46  
  47  	* kdc/kdc_locl.h: forward decl;
  48  
  49  	* kdc/digest.c: Add digest acl's
  50  	
  51  2006-12-22  Love Hörnquist Åstrand  <lha@it.su.se>
  52  	
  53  	* fix-export: build ntlm-private.h
  54  	
  55  2006-12-20  Love Hörnquist Åstrand  <lha@it.su.se>
  56  	
  57  	* include/make_crypto.c: Include <.../hmac.h>.
  58  
  59  	* kdc/digest.c: reorder to show slot where ntlmv2 code will be
  60  	placed.
  61  
  62  	* kdc/digest.c: Announce that we support key exchange and add bits
  63  	to detect when it wasn't used.
  64  
  65  	* kdc/digest.c: Add support for generating NTLM2 session security
  66  	answer.
  67  	
  68  2006-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
  69  	
  70  	* lib/krb5/digest.c: Add sessionkey accessor functions.
  71  	
  72  2006-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
  73  	
  74  	* kdc/digest.c: Unwrap the NTLM session key and return it to the
  75  	server.
  76  	
  77  2006-12-17  Love Hörnquist Åstrand  <lha@it.su.se>
  78  
  79  	* lib/krb5/store.c (krb5_ret_principal): Fix a bug in the malloc
  80  	failure part, noticed by Arnaud Lacombe in NetBSD coverity scan.
  81  	
  82  2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
  83  
  84  	* lib/krb5/fcache.c (fcc_get_cache_next): avoid const warning.
  85  
  86  	* kdc/digest.c: Support NTLM verification, note that the KDC does
  87  	no NTLM packet parsing, it's all done by the client side, the KDC
  88  	just calculates and verifies the digest and returns the result to the
  89  	service.
  90  
  91  	* kuser/kdigest.c: add ntlm-server-init
  92  
  93  	* kuser/Makefile.am: kdigest depends on libheimntlm.la
  94  
  95  	* kdc/headers.h: Include <heimntlm.h>.
  96  
  97  	* kdc/Makefile.am: libkdc needs libheimntlm.la
  98  
  99  	* autogen.sh: just run autoreconf -i -f
 100  
 101  	* lib/Makefile.am: hook in ntlm
 102  
 103  	* configure.in (AC_CONFIG_FILES): add lib/ntlm/Makefile
 104  
 105  	* lib/krb5/digest.c: API to authenticate ntlm requests.
 106  
 107  	* lib/krb5/fcache.c: Support "iteration" of file credential caches
 108  	by giving the user back the default file credential cache and only
 109  	that.
 110  
 111  	* lib/krb5/krb5_locl.h: Expand the default root for some of the cc
 112  	type names.
 113  	
 114  2006-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
 115  	
 116  	* lib/krb5/init_creds_pw.c (free_paid): free the krb5_data
 117  	structure too.  Bug report from Stefan Metzmacher.
 118  	
 119  2006-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
 120  	
 121  	* kuser/kinit.c: Read the appdefault configuration before we try to
 122  	use the flags.  Bug reported by Ingemar Nilsson.
 123  
 124  	* kuser/kdigest.c: prefix digest commands with digest_
 125  
 126  	* kuser/kdigest-commands.in: prefix digest commands with digest-
 127  	
 128  2006-12-10  Love Hörnquist Åstrand  <lha@it.su.se>
 129  	
 130  	* kdc/hprop.c: Return error codes on failure, improve error
 131  	reporting.
 132  	
 133  2006-12-08  Love Hörnquist Åstrand  <lha@it.su.se>
 134  
 135  	* lib/krb5/pkinit.c: sprinkle more _krb5_pk_copy_error
 136  
 137  	* lib/krb5/pkinit.c: Copy more hx509 error strings to krb5 error
 138  	strings
 139  	
 140  2006-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
 141  
 142  	* include/Makefile.am: CLEANFILES += vis.h
 143  	
 144  2006-12-06  Love Hörnquist Åstrand  <lha@it.su.se>
 145  
 146  	* kdc/kerberos5.c (_kdc_as_rep): add AD-INITAL-VERIFIED-CAS to the
 147  	encrypted ticket
 148  
 149  	* kdc/pkinit.c (_kdc_add_inital_verified_cas): new function, adds
 150  	an empty (for now) AD_INITIAL_VERIFIED_CAS to tell the clients
 151  	that we vouch for the CA.
 152  
 153  	* kdc/kerberos5.c (_kdc_tkt_add_if_relevant_ad): new function.
 154  
 155  	* lib/Makefile.am: Make the directories test automake conditional
 156  	so automake can include directories in make dist step.
 157  
 158  	* kdc/pkinit.c (_kdc_pk_rd_padata): leak less memory for
 159  	ExternalPrincipalIdentifiers
 160  
 161  	* kdc/pkinit.c: Parse and use PA-PK-AS-REQ.trustedCertifiers
 162  
 163  	* kdc/pkinit.c: Add comment that the anchors in the signed data
 164  	really should be the trust anchors of the client.
 165  
 166  	* kuser/generate-requests.c: Use strcspn to remove \n from
 167  	string returned by fgets.  From Björn Sandell
 168  	
 169  	* kpasswd/kpasswd-generator.c: Use strcspn to remove \n from
 170  	string returned by fgets.  From Björn Sandell
 171  	
 172  2006-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
 173  
 174  	* lib/hdb/hdb-ldap.c: Clear errno before calling the strtol
 175  	functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn
 176  	Sandell.
 177  
 178  	* lib/krb5/config_file.c: Use strcspn to remove \n from fgets
 179  	result. Prompted by change by Ray Lai of OpenBSD via Björn
 180  	Sandell.
 181  
 182  	* kdc/string2key.c: Use strcspn to remove \n from fgets
 183  	result. Prompted by change by Ray Lai of OpenBSD via Björn
 184  	Sandell.
 185  	
 186  2006-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
 187  
 188  	* lib/krb5/krbhst.c (plugin_get_hosts): be more paranoid and pass
 189  	in a NULLed plugin list
 190  	
 191  2006-11-29  Love Hörnquist Åstrand  <lha@it.su.se>
 192  
 193  	* lib/krb5/verify_krb5_conf.c: add more pkinit options.
 194  
 195  	* lib/krb5/pkinit.c: Store what PK-INIT type we used to know reply
 196  	to expect, this avoids overwriting the real PK-INIT error from
 197  	just a failed request with a Windows PK-INIT error (that always
 198  	fails).
 199  
 200  	* kdc/Makefile.am: Add LIB_pkinit to pacify AIX
 201  
 202  	* lib/hdb/Makefile.am: Add LIB_com_err to pacify AIX
 203  	
 204  2006-11-28  Love Hörnquist Åstrand  <lha@it.su.se>
 205  
 206  	* lib/hdb/hdb-ldap.c: Make build again from the hdb_entry
 207  	wrapping. Patch from Andreas Hasenack.
 208  
 209  	* kdc/pkinit.c: Need better code in the DH parameter rejection
 210  	case, add comment to that effect.
 211  	
 212  2006-11-27  Love Hörnquist Åstrand  <lha@it.su.se>
 213  	
 214  	* kdc/krb5tgs.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG for too large
 215  	packets when using datagram based transports.
 216  
 217  	* kdc/process.c: Pass down datagram_reply to _kdc_tgs_rep.
 218  
 219  	* lib/krb5/pkinit.c (build_auth_pack): set supportedCMSTypes.
 220  	
 221  2006-11-26  Love Hörnquist Åstrand  <lha@it.su.se>
 222  
 223  	* lib/krb5/pkinit.c: Pass down hx509_peer_info.
 224  
 225  	* kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
 226  	pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.
 227  
 228  	* kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
 229  	pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.
 230  	
 231  2006-11-24  Love Hörnquist Åstrand  <lha@it.su.se>
 232  	
 233  	* lib/krb5/send_to_kdc.c: Set the large_msg_size to 1400, let's not
 234  	fragment packets and avoid stupid linklayers that don't allow
 235  	fragmented packets (unix dgram sockets on Mac OS X)
 236  	
 237  2006-11-23  Love Hörnquist Åstrand  <lha@it.su.se>
 238  
 239  	* lib/krb5/pkinit.c (_krb5_pk_create_sign): stuff down the users
 240  	certs in the pool to make sure a path is returned, without this
 241  	proxy certificates won't work.
 242  	
 243  2006-11-21  Love Hörnquist Åstrand  <lha@it.su.se>
 244  	
 245  	* kdc/config.c: Make all pkinit options prefixed with pkinit_
 246  
 247  	* lib/krb5/log.c (krb5_get_warn_dest): return warn_dest from
 248  	krb5_context
 249  
 250  	* lib/krb5/krb5_warn.3: document krb5_[gs]et_warn_dest
 251  
 252  	* lib/krb5/krb5.h: Drop KRB5_KU_TGS_IMPERSONATE.
 253  
 254  	* kdc/krb5tgs.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
 255  	checksum.
 256  
 257  	* lib/krb5/get_cred.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
 258  	checksum.
 259  	
 260  2006-11-20  Love Hörnquist Åstrand  <lha@it.su.se>
 261  
 262  	* lib/krb5/verify_user.c: Make krb5_get_init_creds_opt_free take a
 263  	context argument.
 264  
 265  	* lib/krb5/krb5_get_init_creds.3: Make
 266  	krb5_get_init_creds_opt_free take a context argument.
 267  
 268  	* lib/krb5/init_creds_pw.c: Make krb5_get_init_creds_opt_free take
 269  	a context argument.
 270  
 271  	* kuser/kinit.c: Make krb5_get_init_creds_opt_free take a context
 272  	argument.
 273  
 274  	* kpasswd/kpasswd.c: Make krb5_get_init_creds_opt_free take a
 275  	context argument.
 276  
 277  	* kpasswd/kpasswd-generator.c: Make krb5_get_init_creds_opt_free
 278  	take a context argument.
 279  
 280  	* kdc/hprop.c: Make krb5_get_init_creds_opt_free take a context
 281  	argument.
 282  
 283  	* lib/krb5/init_creds.c: Make krb5_get_init_creds_opt_free take a
 284  	context argument.
 285  
 286  	* appl/gssmask/gssmask.c: Make krb5_get_init_creds_opt_free take a
 287  	context argument.
 288  	
 289  2006-11-19  Love Hörnquist Åstrand  <lha@it.su.se>
 290  	
 291  	* doc/setup.texi: fix pkinit option (s/-/_/)
 292  
 293  	* kdc/config.c: revert the enable-pkinit change, and make it
 294  	consistent with all other enable- options
 295  	
 296  2006-11-17  Love Hörnquist Åstrand  <lha@it.su.se>
 297  
 298  	* doc/setup.texi: Make all pkinit options prefixed with pkinit_
 299  
 300  	* kdc/config.c: Make all pkinit options prefixed with pkinit_
 301  
 302  	* kdc/pkinit.c: Make app pkinit options prefixed with pkinit_
 303  
 304  	* lib/krb5/pkinit.c: Make app pkinit options prefixed with pkinit_
 305  
 306  	* lib/krb5/mit_glue.c (krb5_c_keylengths): make compile again.
 307  
 308  	* lib/krb5/mit_glue.c (krb5_c_keylengths): rename.
 309  
 310  	* lib/krb5/mit_glue.c (krb5_c_keylength): mit changed the api,
 311  	deal.
 312  	
 313  2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
 314  	
 315  	* lib/krb5/pac.c (fill_zeros): stop using MIN.
 316  
 317  	* kuser/kinit.c: Forward decl
 318  	
 319  	* lib/krb5/test_plugin.c: Use NOTHERE.H5L.SE.
 320  
 321  	* lib/krb5/krbhst.c: Fill in hints for picky getaddrinfo()s.
 322  
 323  	* lib/krb5/test_plugin.c: Set sin_len if it exists.
 324  
 325  	* lib/krb5/krbhst.c: Use plugin for the other realm locate types
 326  	too.
 327  	
 328  2006-11-12  Love Hörnquist Åstrand  <lha@it.su.se>
 329  
 330  	* lib/krb5/krb5_locl.h: Add plugin api
 331  
 332  	* lib/krb5/Makefile.am: Add plugin api.
 333  
 334  	* lib/krb5/krbhst.c: Use the resolve plugin interface.
 335  
 336  	* lib/krb5/locate_plugin.h: Add plugin interface for resolving
 337  	that is API compatible with MITs version.
 338  
 339  	* lib/krb5/plugin.c: Add first version of the plugin interface.
 340  
 341  	* lib/krb5/test_pac.c: Test signing.
 342  
 343  	* lib/krb5/pac.c: Add code to sign PACs, only arcfour for now.
 344  
 345  	* lib/krb5/krb5.h: Add struct krb5_pac.
 346  	
 347  2006-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
 348  
 349  	* lib/krb5/test_pac.c: PAC testing.
 350  
 351  	* lib/krb5/pac.c: Sprinkle error strings.
 352  
 353  	* lib/krb5/pac.c: Verify LOGON_NAME.
 354  
 355  	* kdc/pkinit.c (_kdc_pk_check_client): drop client_princ as an
 356  	argument
 357  
 358  	* kdc/kerberos5.c (_kdc_as_rep): drop client_princ from
 359  	_kdc_pk_check_client since it's not valid in canonicalize case
 360  
 361  	* lib/krb5/krb5_c_make_checksum.3: Document krb5_c_keylength.
 362  
 363  	* lib/krb5/mit_glue.c: Add krb5_c_keylength.
 364  	
 365  2006-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
 366  
 367  	* lib/krb5/pac.c: Almost enough code to do PAC parsing and
 368  	verification, missing in the unix2NTTIME and ucs2 corner. The
 369  	latter will be addressed by finally adding libwind.
 370  
 371  	* lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew
 372  
 373  	* kdc/hpropd.c: Remove support dumping to a kerberos 4 database.
 374  	
 375  2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
 376  
 377  	* lib/krb5/context.c: rename krb5_[gs]et_time_wrap to
 378  	krb5_[gs]et_max_time_skew
 379  
 380  	* kdc/pkinit.c: Catch error string from hx509_cms_verify_signed.
 381  	Check for id-pKKdcEkuOID and warn if it's not there.
 382  
 383  	* lib/krb5/rd_req.c: Add more krb5_rd_req_out_get functions.
 384  
 385  2006-11-06  Love Hörnquist Åstrand  <lha@it.su.se>
 386  	
 387  	* lib/krb5/krb5.h: krb5_rd_req{,_in,_out}_ctx.
 388  
 389  	* lib/krb5/rd_req.c (krb5_rd_req_ctx): Add context all singing-all
 390  	dancing version of the krb5_rd_req and implement krb5_rd_req and
 391  	krb5_rd_req_with_keyblock using it.
 392  
 393  2006-11-04  Love Hörnquist Åstrand  <lha@it.su.se>
 394  	
 395  	* kdc/kerberos5.c (_kdc_as_rep): More verbose time skew logging.
 396  	
 397  2006-11-03  Love Hörnquist Åstrand  <lha@it.su.se>
 398  
 399  	* lib/krb5/expand_hostname.c: Rename various routines and
 400  	constants from canonize to canonicalize.  From Andrew Bartlett
 401  
 402  	* lib/krb5/context.c: Add krb5_[gs]et_time_wrap
 403  
 404  	* lib/krb5/krb5_locl.h: Rename various routines and constants from
 405  	canonize to canonicalize.  From Andrew Bartlett
 406  
 407  	* appl/gssmask/common.c (add_list): fix alloc statement.
 408  	From Alex Deiter
 409  	
 410  2006-10-25  Love Hörnquist Åstrand  <lha@it.su.se>
 411  
 412  	* include/Makefile.am: Move version.h and version.h.in to
 413  	DISTCLEANFILES.
 414  	
 415  2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
 416  
 417  	* appl/gssmask/gssmask.c: Only log when there are resources left.
 418  
 419  	* appl/gssmask/gssmask.c: make compile
 420  
 421  	* appl/gssmask/gssmask.c (AcquireCreds): free
 422  	krb5_get_init_creds_opt
 423  	
 424  2006-10-23  Love Hörnquist Åstrand  <lha@it.su.se>
 425  	
 426  	* configure.in: heimdal 0.8-RC1
 427  
 428  2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
 429  
 430  	* lib/krb5/digest.c: Try to not leak memory.
 431  
 432  	* kdc/digest.c: Try to not leak memory.
 433  
 434  	* Makefile.am: remove valgrind target, it doesn't belong here.
 435  
 436  	* kuser/kinit.c: Try to not leak memory.
 437  
 438  	* kuser/kgetcred.c: Try to not leak memory.
 439  
 440  	* kdc/krb5tgs.c (check_KRB5SignedPath): free KRB5SignedPath on
 441  	successful completion too, not just the error cases.
 442  
 443  	* fix-export: Make make fix-export less verbose.
 444  
 445  	* kuser/kgetcred.c: Try to not leak memory.
 446  
 447  	* lib/hdb/keys.c (hdb_generate_key_set): free list of enctype when
 448  	done.
 449  
 450  	* lib/krb5/crypto.c: Allocate the memory we later use.
 451  
 452  	* lib/krb5/test_princ.c: Try to not leak memory.
 453  
 454  	* lib/krb5/test_crypto_wrapping.c: Try to not leak memory.
 455  
 456  	* lib/krb5/test_cc.c: Try to not leak memory.
 457  
 458  	* lib/krb5/addr_families.c (arange_free): Try to not leak memory.
 459  
 460  	* lib/krb5/crypto.c (AES_string_to_key): Try to not leak memory.
 461  
 462  2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
 463  
 464  	* tools/heimdal-build.sh: Add --test-environment
 465  
 466  	* tools/heimdal-build.sh: Add --ccache-dir
 467  
 468  	* lib/hdb/Makefile.am: remove dependency on et files covert_db
 469  	that now is removed
 470  	
 471  2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
 472  	
 473  	* include/Makefile.am: add gssapi to subdirs
 474  
 475  	* lib/hdb/hdb-ldap.c: Make compile.
 476  
 477  	* configure.in: add include/gssapi/Makefile.
 478  
 479  	* include/Makefile.am: clean more files
 480  
 481  	* include/make_crypto.c: Avoid creating a file called --version.
 482  
 483  	* include/bits.c: Avoid creating a file called --version.
 484  
 485  	* appl/test/Makefile.am: add nt_gss_common.h
 486  
 487  	* doc/Makefile.am: Disable TEXI2DVI for now.
 488  
 489  	* tools/Makefile.am: more files
 490  
 491  	* lib/krb5/context.c (krb5_free_context): free send_to_kdc context
 492  
 493  	* doc/heimdal.texi: Put Heimdal in the dircategory Security.
 494  
 495  	* lib/krb5/send_to_kdc.c: Add sent_to_kdc hook, from Andrew
 496  	Bartlett.
 497  
 498  	* lib/krb5/krb5_locl.h: Add send_to_kdc hook.
 499  
 500  	* lib/krb5/krb5.h: Add krb5_send_to_kdc_func prototype.
 501  
 502  	* kcm/Makefile.am: more files
 503  
 504  	* kdc/Makefile.am: more files
 505  
 506  	* lib/hdb/Makefile.am: more files
 507  
 508  	* lib/krb5/Makefile.am: add more files
 509  	
 510  2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
 511  
 512  	* tools/Makefile.am: Add heimdal-build.sh to EXTRA_DIST.
 513  
 514  	* configure.in: Don't check for timegm, libroken provides it for
 515  	us.
 516  
 517  	* lib/krb5/acache.c: Do function typecasts instead of void *
 518  	type-casts.
 519  
 520  	* lib/krb5/krb5.h: Remove bonus , that Love sneaked in.
 521  
 522  	* configure.in: make --disable-pk-init help text also negative
 523  	
 524  2006-10-18  Love Hörnquist Åstrand  <lha@it.su.se>
 525  	
 526  	* kuser/kgetcred.c: Avoid memory leak.
 527  
 528  	* tools/heimdal-build.sh: Add more verbose logging, add version of
 529  	script and heimdal to the mail.
 530  
 531  	* lib/hdb/db3.c: Wrap function call pointer calls in (*func) to
 532  	avoid macros rewriting open and close.
 533  
 534  	* lib/krb5/Makefile.am: Add test_princ.
 535  
 536  	* lib/krb5/principal.c: More error strings, handle realm-less
 537  	printing.
 538  
 539  	* lib/krb5/test_princ.c: Test principal parsing and unparsing.
 540  	
 541  2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
 542  
 543  	* lib/krb5/get_host_realm.c (krb5_get_host_realm): make sure we
 544  	don't recurse
 545  
 546  	* lib/krb5/get_host_realm.c (krb5_get_host_realm): no components
 547  	-> no dns. no mapping, try local realm and hope KDC knows better.
 548  
 549  	* lib/krb5/krb5.h: Add flags for krb5_unparse_name_flags
 550  
 551  	* lib/krb5/krb5_principal.3: Document
 552  	krb5_unparse_name{_fixed,}_flags.
 553  
 554  	* lib/krb5/principal.c: Add krb5_unparse_name_flags and
 555  	krb5_unparse_name_fixed_flags.
 556  
 557  	* lib/krb5/krb5_principal.3: Document krb5_parse_name_flags.
 558  
 559  	* lib/krb5/principal.c: Add krb5_parse_name_flags.
 560  
 561  	* lib/krb5/principal.c: Add krb5_parse_name_flags.
 562  
 563  	* lib/krb5/krb5.h: Add krb5_parse_name_flags flags.
 564  
 565  	* lib/krb5/krb5_locl.h: Hide krb5_context_data from public
 566  	exposure.
 567  
 568  	* lib/krb5/krb5.h: Hide krb5_context_data from public exposure.
 569  
 570  	* kuser/klist.c: Use krb5_get_kdc_sec_offset.
 571  
 572  	* lib/krb5/context.c: Document krb5_get_kdc_sec_offset()
 573  	
 574  	* lib/krb5/krb5_init_context.3: Add krb5_get_kdc_sec_offset()
 575  	
 576  	* lib/krb5/krb5_init_context.3: Add krb5_set_dns_canonize_hostname
 577  	and krb5_get_dns_canonize_hostname
 578  
 579  	* lib/krb5/verify_krb5_conf.c:
 580  	add [libdefaults]dns_canonize_hostname
 581  
 582  	* lib/krb5/expand_hostname.c: use dns_canonize_hostname to
 583  	determine if we should talk to dns to find the canonical name of
 584  	the host.
 585  
 586  	* lib/krb5/krb5.h (krb5_context): add dns_canonize_hostname.
 587  
 588  	* tools/heimdal-build.sh: Set status.
 589  
 590  	* appl/gssmask/gssmask.c: handle more bits
 591  
 592  	* kdc/kerberos5.c: Prefix asn1 primitives with der_.
 593  	
 594  2006-10-16  Love Hörnquist Åstrand  <lha@it.su.se>
 595  	
 596  	* fix-export: Build lib/asn1/der-protos.h.
 597  	
 598  2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
 599  
 600  	* appl/gssmask/Makefile.am: Add explicit dependency on libroken.
 601  
 602  	* kdc/krb5tgs.c: Prefix der primitives with der_.
 603  
 604  	* kdc/pkinit.c: Prefix der primitives with der_.
 605  
 606  	* lib/hdb/ext.c: Prefix der primitives with der_.
 607  	
 608  	* lib/hdb/ext.c: Prefix der primitives with der_.
 609  
 610  	* lib/krb5/crypto.c: Remove workaround from when there wasn't
 611  	always aes.
 612  
 613  	* lib/krb5/ticket.c: Prefix der primitives with der_.
 614  	
 615  	* lib/krb5/digest.c: Prefix der primitives with der_.
 616  
 617  	* lib/krb5/crypto.c: Prefix der primitives with der_.
 618  
 619  	* lib/krb5/data.c: Prefix der primitives with der_.
 620  	
 621  2006-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
 622  	
 623  	* kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break. From
 624  	Olga Kornievskaia.
 625  
 626  	* kdc/kdc.8: document max-kdc-datagram-reply-length
 627  
 628  	* include/bits.c: Include Xint64 types.
 629  	
 630  2006-10-10  Love Hörnquist Åstrand  <lha@it.su.se>
 631  
 632  	* tools/heimdal-build.sh: Add socketwrapper and cputime limit.
 633  
 634  	* kdc/connect.c (loop): Log that the kdc has started.
 635  	
 636  2006-10-09  Love Hörnquist Åstrand  <lha@it.su.se>
 637  	
 638  	* kdc/connect.c (do_request): tell krb5_kdc_process_request if it's
 639  	a datagram reply or not
 640  
 641  	* kdc/kerberos5.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG error if it's
 642  	a datagram reply and the datagram reply length limit is reached.
 643  
 644  	* kdc/process.c: Rename krb5_kdc_process_generic_request to
 645  	krb5_kdc_process_request Add datagram_reply argument.
 646  
 647  	* kdc/config.c: check for [kdc]max-kdc-datagram-reply-length
 648  
 649  	* kdc/kdc.h (krb5_kdc_config): Add max_datagram_reply_length.
 650  
 651  	* lib/hdb/keytab.c: Change || to |, From metze.
 652  
 653  	* lib/hdb/keytab.c: Add back :file to sample format.
 654  
 655  	* lib/hdb/keytab.c: Add more HDB_F flags to hdb_fetch. Pointed out
 656  	by Andrew Bartlett.
 657  
 658  	* kdc/krb5tgs.c (tgs_parse_request): set cusec, not csec from
 659  	auth->cusec.
 660  	
 661  2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>
 662  
 663  	* fix-export: dist_-ify libkadm5clnt_la_SOURCES too
 664  
 665  	* doc/heimdal.texi: Update (c) years.
 666  
 667  	* appl/gssmask/protocol.h: Clarify protocol.
 668  
 669  	* kdc/hpropd.c: Adapt to signature change of
 670  	_krb5_principalname2krb5_principal.
 671  
 672  	* kdc/kerberos4.c: Adapt to signature change of
 673  	_krb5_principalname2krb5_principal.
 674  
 675  	* kdc/connect.c (handle_vanilla_tcp): shorten length when we
 676  	shorten the buffer, this matters in the PK-INIT encKey case where a
 677  	checksum is done over the whole packet. Reported by Olga
 678  	Kornievskaia
 679  	
 680  2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
 681  
 682  	* include/Makefile.am: crypto-headers.h is a nodist header
 683  
 684  	* lib/krb5/aes-test.c: Make argument to PKCS5_PBKDF2_HMAC_SHA1
 685  	unsigned char to make OpenSSL happy.
 686  
 687  	* appl/kf/Makefile.am: Add man_MANS to EXTRA_DIST
 688  
 689  	* kuser/Makefile.am: split build files into dist_ and noinst_
 690  	SOURCES
 691  
 692  	* lib/hdb/Makefile.am: split build files into dist_ and noinst_
 693  	SOURCES
 694  
 695  	* lib/krb5/Makefile.am: split build files into dist_ and noinst_
 696  	SOURCES
 697  
 698  	* kdc/kerberos5.c: Adapt to signature change of
 699  	_krb5_principalname2krb5_principal.
 700  	
 701  2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
 702  
 703  	* lib/krb5/krbhst.c (common_init): don't try DNS when there is
 704  	realm w/o a dot.
 705  
 706  	* kdc/524.c: Adapt to signature change of
 707  	_krb5_principalname2krb5_principal.
 708  
 709  	* kdc/krb5tgs.c: Adapt to signature change of
 710  	_krb5_principalname2krb5_principal.
 711  
 712  	* lib/krb5/get_in_tkt.c: Adapt to signature change of
 713  	_krb5_principalname2krb5_principal.
 714  
 715  	* lib/krb5/rd_cred.c: Adapt to signature change of
 716  	_krb5_principalname2krb5_principal.
 717  
 718  	* lib/krb5/rd_req.c: Adapt to signature change of
 719  	_krb5_principalname2krb5_principal.
 720  
 721  	* lib/krb5/asn1_glue.c (_krb5_principalname2krb5_principal): add
 722  	krb5_context to signature.
 723  
 724  	* kdc/524.c (_krb5_principalname2krb5_principal): adapt to
 725  	signature change
 726  
 727  	* lib/hdb/keytab.c (hdb_get_entry): close and destroy the database
 728  	later, the hdb_entry_ex might still contain links to the database
 729  	that it expects to use.
 730  
 731  	* kdc/digest.c: Make digest argument to MD5_final unsigned char to
 732  	help OpenSSL.
 733  
 734  	* kuser/kdigest.c: Make digest argument to MD5_final unsigned char
 735  	to help OpenSSL.
 736  
 737  	* appl/gssmask/common.h: Maybe include <sys/wait.h>.
 738  	
 739  2006-10-05  Love Hörnquist Åstrand  <lha@it.su.se>
 740  	
 741  	* appl/gssmask/common.h: disable ENABLE_PTHREAD_SUPPORT and
 742  	explain why
 743  
 744  	* tools/heimdal-build.sh: Another mail header.
 745  
 746  	* tools/heimdal-build.sh: small fixes
 747  
 748  	* fix-export: More liberal parsing of AC_INIT
 749  
 750  	* tools/heimdal-build.sh: first cut
 751  	
 752  2006-10-04  Love Hörnquist Åstrand  <lha@it.su.se>
 753  
 754  	* configure.in: Call AB_INIT.
 755  
 756  	* kuser/kinit.c: Add flag --pk-use-enckey.
 757  
 758  	* kdc/pkinit.c: Sign the request in the encKey case.  Bug reported
 759  	by Olga Kornievskaia of Umich.
 760  
 761  	* lib/krb5/Makefile.am: man_MANS += krb5_digest.3
 762  
 763  	* lib/krb5/krb5_digest.3: Add all protos
 764  	
 765  2006-10-03  Love Hörnquist Åstrand  <lha@it.su.se>
 766  	
 767  	* lib/krb5/krb5_digest.3: Basic krb5_digest manpage.
 768  	
 769  2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
 770  	
 771  	* fix-export: build gssapi mech private files
 772  	
 773  	* lib/krb5/init_creds_pw.c: minimize layering and remove
 774  	krb5_kdc_flags
 775  
 776  	* lib/krb5/get_in_tkt.c: Always use the kdc_flags in the right bit
 777  	order.
 778  
 779  	* lib/krb5/init_creds_pw.c: Always use the kdc_flags in the right
 780  	bit order.
 781  
 782  	* kuser/kdigest.c: Don't require --kerberos-realm.
 783  
 784  	* lib/krb5/digest.c (digest_request): if NULL is passed in as
 785  	realm, use default realm.
 786  
 787  	* fix-export: build gssapi mech private files
 788  	
 789  2006-09-26  Love Hörnquist Åstrand  <lha@it.su.se>
 790  	
 791  	* appl/gssmask/gssmaestro.c: Handle FIRST_CALL in the context
 792  	building, better error handling.
 793  
 794  	* appl/gssmask/gssmaestro.c: switch from wrap/unwrap to
 795  	encrypt/decrypt
 796  	
 797  	* appl/gssmask/gssmask.c: Don't announce spn if there is none.
 798  
 799  	* appl/gssmask/gssmaestro.c: Check that the pre-wrapped data is
 800  	the same as afterward.
 801  	
 802  2006-09-25  Love Hörnquist Åstrand  <lha@it.su.se>
 803  	
 804  	* appl/gssmask/gssmaestro.c: Remove stray GSS_C_DCE_STYLE.
 805  
 806  	* appl/gssmask/gssmaestro.c: Add logsocket support.
 807  	
 808  2006-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
 809  	
 810  	* appl/gssmask/gssmaestro.c (build_context): print the step the
 811  	context exchange.
 812  	
 813  2006-09-21  Love Hörnquist Åstrand  <lha@it.su.se>
 814  
 815  	* appl/gssmask/gssmaestro.c: Add GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG
 816  	to all context flags
 817  	
 818  	* appl/gssmask/gssmaestro.c: Add wrap and mic tests for all
 819  	elements
 820  
 821  	* appl/gssmask/gssmask.c: Add mic tests
 822  
 823  	* appl/gssmask/gssmaestro.c: don't exit early then when context
 824  	is half built.
 825  	
 826  	* lib/krb5/rd_req.c: disable ETypeList parsing usage for now, cfx
 827  	seems broken and it's not good to upgrade to a broken enctype.
 828  	
 829  2006-09-20  Love Hörnquist Åstrand  <lha@it.su.se>
 830  	
 831  	* appl/gssmask/gssmask.c: Add wrap/unwrap ops
 832  
 833  	* appl/gssmask/protocol.h: Add eGetVersionAndCapabilities flags
 834  
 835  	* appl/gssmask/common.c: Add permutate_all (and support
 836  	functions).
 837  
 838  	* appl/gssmask/common.h: Add permutate_all
 839  
 840  	* appl/gssmask/gssmask.c: use new flags, return moniker
 841  
 842  	* appl/gssmask/gssmaestro.c: test self context building and all
 843  	permutation of clients
 844  	
 845  2006-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
 846  
 847  	* appl/gssmask/gssmask.c: add --logfile option, use htons() on
 848  	port number
 849  
 850  	* appl/gssmask/gssmaestro.c: Log port in connection message.
 851  
 852  	* configure.in: Make pk-init turned on by default.
 853  	
 854  2006-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
 855  	
 856  	* fix-export: Build lib/hx509/{hx509-protos.h,hx509-private.h}.
 857  
 858  	* kuser/Makefile.am: Add tool for printing tickets.
 859  
 860  	* kuser/kimpersonate.1: Add tool for printing tickets.
 861  	
 862  	* kuser/kimpersonate.c: Add tool for printing tickets.
 863  
 864  	* kdc/krb5tgs.c: Check the adtkt in the constrained delegation
 865  	case too.
 866  	
 867  2006-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
 868  
 869  	* kdc/main.c (sigterm): don't _exit, let loop() catch the signal
 870  	instead.
 871  
 872  	* lib/krb5/krb5_timeofday.3: Fixes from Björn Sandell.
 873  
 874  	* lib/krb5/krb5_get_init_creds.3: Fixes from Björn Sandell.
 875  	
 876  2006-09-15  Love Hörnquist Åstrand  <lha@it.su.se>
 877  
 878  	* tools/krb5-config.in: Add "kafs" option.
 879  	
 880  2006-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
 881  
 882  	* lib/hdb/db.c: By using full function calling conversion (*func)
 883  	we avoid problem when close(fd) is overridden using a macro.
 884  
 885  	* lib/krb5/cache.c: By using full function calling
 886  	conversion (*func) we avoid problem when close(fd) is overridden
 887  	using a macro.
 888  	
 889  2006-09-11  Love Hörnquist Åstrand  <lha@it.su.se>
 890  	
 891  	* kdc/kerberos5.c: Signing outgoing tickets.
 892  
 893  	* kdc/krb5tgs.c: Add signing and checking of tickets to s4u2self
 894  	works securely.
 895  
 896  	* lib/krb5/pkinit.c: Adapt to new signature of
 897  	hx509_cms_unenvelope.
 898  	
 899  2006-09-09  Love Hörnquist Åstrand  <lha@it.su.se>
 900  
 901  	* lib/krb5/pkinit.c (pk_verify_host): set errorstrings in a
 902  	sensible way
 903  	
 904  2006-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
 905  
 906  	* lib/krb5/krb5_init_context.3: Prevent a font generation warning,
 907  	from Jason McIntyre.
 908  	
 909  2006-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
 910  
 911  	* lib/krb5/context.c (krb5_init_ets): Add the hx errortable
 912  
 913  	* lib/krb5/krb5_locl.h: Include hx509_err.h.
 914  
 915  	* lib/krb5/pkinit.c (_krb5_pk_verify_sign): catch the error string
 916  	from the hx509 lib
 917  	
 918  2006-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
 919  
 920  	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
 921  	fix argument to krb5_get_init_creds_opt_set_addressless.
 922  
 923  	* lib/krb5/init_creds_pw.c (init_cred_loop): try to catch the
 924  	error when we actually have an error to catch.
 925  
 926  	* lib/krb5/init_creds_pw.c: Remove debug printfs.
 927  
 928  	* kuser/kinit.c: Remove debug printf
 929  
 930  	* lib/krb5/krb5_get_init_creds.3: Document
 931  	krb5_get_init_creds_opt_set_addressless.
 932  
 933  	* kuser/kinit.c: Use new function
 934  	krb5_get_init_creds_opt_set_addressless.
 935  
 936  	* lib/krb5/krb5_locl.h: use new addressless, convert pa-pac option
 937  	to use the same tri-state option as the new addressless option.
 938  
 939  	* lib/krb5/init_creds_pw.c: use new addressless, convert pa-pac
 940  	option to use the same tri-state option as the new addressless
 941  	option.
 942  
 943  	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_addressless):
 944  	used to control the address-lessness of the initial tickets
 945  	instead of passing in the empty set of address into
 946  	krb5_get_init_creds_opt_set_addresses.
 947  	
 948  2006-09-01  Love Hörnquist Åstrand  <lha@it.su.se>
 949  	
 950  	* kuser/kinit.c (renew_validate): inherit the proxiable and
 951  	forwardable from the original ticket, pointed out by Bernard
 952  	Antoine of CERN.
 953  	
 954  	* doc/setup.texi: More text about the acl_file entry and
 955  	hdb-ldap-structural-object.  From Rüdiger Ranft.
 956  
 957  	* lib/krb5/krbhst.c (fallback_get_hosts): limit the fallback
 958  	lookups to 5.  Patch from Wesley Craig, umich.edu
 959  
 960  	* configure.in: Add special tests for <sys/ucred.h>, include test
 961  	for sys/param.h and sys/types.h
 962  
 963  	* appl/test/tcp_server.c (proto): use keytab for krb5_recvauth
 964  	Patch from Ingemar Nilsson <init@pdc.kth.se>
 965  	
 966  2006-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
 967  
 968  	* kuser/kdigest.c (help): use sl_slc_help().
 969  
 970  	* kdc/digest.c: Catch more error, add SASL DIGEST MD5.
 971  
 972  	* lib/krb5/digest.c: Catch more error.
 973  
 974  2006-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
 975  
 976  	* doc/setup.texi: language.
 977  
 978  	* doc/heimdal.texi: Add last updated text.
 979  	
 980  	* doc/heimdal.css: make box around heimdal title
 981  	
 982  	* doc/heimdal.css: Initial Heimdal css for the info manual
 983  	
 984  	* lib/krb5/digest.c: In the case where we get a DigestError back,
 985  	save the error string and code.
 986  	
 987  2006-08-24  Love Hörnquist Åstrand  <lha@it.su.se>
 988  
 989  	* kdc/kerberos5.c: Remove _kdc_find_etype(), it's no longer used.
 990  
 991  	* kdc/digest.c: Remove local error label and have just one exit
 992  	label, set error strings properly.
 993  
 994  	* kdc/digest.c: Simplify the disabled-service case.  Check the
 995  	allow-digest flag in the HDB entry for the client.
 996  
 997  	* kdc/process.c (krb5_kdc_process_generic_request): check if we
 998  	got a digest request and process it.
 999  
1000  	* kdc/main.c: Register hdb keytab operations.
1001  
1002  	* kdc/kdc.8: document [kdc]enable-digest=boolean
1003  
1004  	* kdc/Makefile.am: add digest to libkdc
1005  
1006  	* kdc/digest.c: Make a return a goto to avoid freeing un-inited
1007  	memory in cleanup code.
1008  
1009  	* kdc/default_config.c (krb5_kdc_default_config): default to all
1010  	bits set to zero.
1011  
1012  	* kdc/kdc.h (krb5_kdc_configuration): Add enable_digest
1013  
1014  	* kdc/headers.h: Include <digest_asn1.h>.
1015  
1016  	* lib/krb5/context.c (krb5_kerberos_enctypes): new function,
1017  	returns the list of Kerberos encryption types sorted in order of
1018  	most preferred to least preferred encryption type.
1019  
1020  	* kdc/misc.c (_kdc_get_preferred_key): new function, Use the order
1021  	list of preferred encryption types and sort the available keys and
1022  	return the most preferred key.
1023  
1024  	* kdc/krb5tgs.c: Adapt to the new signature of _kdc_find_keys().
1025  
1026  	* kdc/kerberos5.c: Handle session key etype separately from the
1027  	tgt etype, now the krbtgt can be an aes-only key without the need
1028  	to support not-as-good etypes for the krbtgt.
1029  	
1030  2006-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
1031  
1032  	* kdc/misc.c: Change _kdc_db_fetch() to return the database
1033  	pointer to if needed by the consumer.
1034  
1035  	* kdc/krb5tgs.c: Change _kdc_db_fetch() to return the database
1036  	pointer to if needed by the consumer.
1037  
1038  	* kdc/kerberos5.c: Change _kdc_db_fetch() to return the database
1039  	pointer to if needed by the consumer.
1040  	
1041  	* kdc/kerberos4.c: Change _kdc_db_fetch() to return the database
1042  	pointer to if needed by the consumer.
1043  	
1044  	* kdc/kaserver.c: Change _kdc_db_fetch() to return the database
1045  	pointer to if needed by the consumer.
1046  
1047  	* kdc/524.c: Change _kdc_db_fetch() to return the database pointer
1048  	to if needed by the consumer.
1049  
1050  	* kuser/kdigest-commands.in: Add --kerberos-realm, add client
1051  	request command.
1052  
1053  	* lib/krb5/Makefile.am: digest.c
1054  	
1055  	* lib/krb5/krb5.h: Add digest glue.
1056  
1057  	* lib/krb5/digest.c (krb5_digest_set_authentication_user): use
1058  	krb5_principal
1059  	
1060  	* lib/krb5/digest.c: Add digest support to the client side.
1061  	
1062  2006-08-21  Love Hörnquist Åstrand  <lha@it.kth.se>
1063  
1064  	* lib/krb5/rd_rep.c (krb5_rd_rep): free krb5_ap_rep_enc_part on
1065  	error and set return pointer to NULL
1066  	(krb5_free_ap_rep_enc_part): permit freeing of NULL
1067  	
1068  2006-08-18  Love Hörnquist Åstrand  <lha@it.kth.se>
1069  
1070  	* kdc/{Makefile.am,kdigest.c,kdigest-commands.in}:
1071  	Frontend for remote digest service in KDC
1072  
1073  	* lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl
1074  	functions.
1075  
1076  	* lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions,
1077  	stores/retrieves a \n terminated string.
1078  
1079  	* lib/krb5/krb5_locl.h: Default to address-less tickets.
1080  
1081  	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear
1082  	error string on error.
1083  	
1084  2006-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
1085  
1086  	* lib/krb5/crypto.c: remove aes-192 (CMS)
1087  
1088  	* lib/krb5/crypto.c: Remove more CMS bits.
1089  	
1090  	* lib/krb5/crypto.c: Remove CMS symmetric encryption support.
1091  	
1092  2006-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
1093  
1094  	* kdc/pkinit.c (_kdc_pk_check_client): make it not crash when
1095  	there are no acl
1096  
1097  	* kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos
1098  	database
1099  
1100  	* lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to
1101  	HDB-Ext-PKINIT-hash.  Add trust anchor to HDB-Ext-PKINIT-acl.
1102  
1103  	* lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to
1104  	asn1_HDB_Ext_PKINIT_hash
1105  
1106  	* lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash().
1107  	
1108  2006-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
1109  
1110  	* kuser/kinit.c: If --password-file gets STDIN, read the password
1111  	from the standard input.
1112  
1113  	* kuser/kinit.1: Document --password-file=STDIN.
1114  
1115  	* lib/krb5/krb5_string_to_key.3: Remove duplicate to.
1116  	
1117  2006-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
1118  
1119  	* kdc/krb5tgs.c: (tgs_build_reply): when checking for removed
1120  	principals, check the second component of the krbtgt, otherwise
1121  	cross realm won't work.  Prompted by report from Mattias Amnefelt.
1122  
1123  2006-07-05  Love Hörnquist Åstrand  <lha@it.su.se>
1124  
1125  	* kdc/connect.c (handle_vanilla_tcp): use unsigned integer for
1126  	length
1127  	(handle_tcp): if the high bit is set in the unknown case, send
1128  	back a KRB_ERR_FIELD_TOOLONG
1129  	
1130  2006-07-03  Love Hörnquist Åstrand  <lha@it.su.se>
1131  
1132  	* appl/gssmask/gssmaestro.c: Add get_version_capa, cache
1133  	target_name.
1134  
1135  	* appl/gssmask/gssmask.c: use utname() to find the local hostname
1136  	and version of operating system
1137  
1138  	* appl/gssmask/common.h: include <sys/utsname.h>
1139  
1140  	* appl/gssmask/gssmask.c: break out creation of a client and make
1141  	handleServer pthread_create compatible
1142  
1143  	* appl/gssmask/gssmaestro.c: break out the build context
1144  	function
1145  	
1146  2006-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
1147  
1148  	* appl/gssmask/gssmaestro.c: externalize slave handling, add
1149  	GetTargetName glue
1150  
1151  	* appl/gssmask/gssmaestro.c: externalize principal/password handling
1152  
1153  	* lib/krb5/principal.c (krb5_parse_name): set *principal to NULL
1154  	the first thing we do, so that on failure it's set to a known value
1155  
1156  	* appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to
1157  	avoid memory corruption GetTargetName: always send a string, even
1158  	though we don't have a targetname
1159  
1160  	* appl/gssmask: break out common function; add gssmaestro (that
1161  	only tests one context for now)
1162  
1163  2006-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
1164  
1165  	* lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on
1166  	malloc failure
1167  
1168  	* appl/gssmask/gssmask.c: split out fetching of credentials for
1169  	easier reuse for pk-init testing
1170  
1171  	* appl/gssmask: maggot replacement, handles context testing
1172  
1173  	* lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME
1174  	as the default prefix
1175  	
1176  2006-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
1177  
1178  	* doc/heimdal.texi: Add Doug Rabson's license
1179  	
1180  2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
1181  
1182  	* lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the
1183  	krb5_get_init_creds_opt structure.
1184  
1185  	* lib/krb5/init_creds_pw.c: Save KRB-ERROR on error.
1186  
1187  	* lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add
1188  	KRB-ERROR
1189  	
1190  2006-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
1191  
1192  	* doc/setup.texi: section about verify_krb5_conf and kadmin check
1193  	
1194  2006-06-15  Love Hörnquist Åstrand  <lha@it.su.se>
1195  
1196  	* lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred
1197  	argument, it's unused
1198  
1199  	* lib/krb5/Makefile.am: install krb5_get_creds.3
1200  	
1201  	* lib/krb5/krb5_get_creds.3: new file
1202  	
1203  2006-06-14  Love Hörnquist Åstrand  <lha@it.su.se>
1204  
1205  	* lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is
1206  	ARCFOUR key already.  Idea from Andreas Hasenack.  While here, set
1207  	pw change time using sambaPwdLastSet
1208  
1209  	* kdc/kerberos4.c: Use enable_v4_per_principal and check the new
1210  	hdb flag.
1211  
1212  	* kdc/kdc.h: Add enable_v4_per_principal
1213  	
1214  2006-06-12  Love Hörnquist Åstrand  <lha@it.su.se>
1215  
1216  	* kdc/kerberos5.c (_kdc_as_rep): if kdc_time +
1217  	config->kdc_warn_pwexpire is past pw_end, add expiration
1218  	message. From Bernard Antoine.
1219  	
1220  	* kdc/default_config.c (krb5_kdc_default_config): set
1221  	kdc_warn_pwexpire to 0
1222  
1223  	* kdc/kerberos5.c: indent.
1224  	
1225  2006-06-07  Love Hörnquist Åstrand  <lha@it.su.se>
1226  
1227  	* kdc/kerberos5.c: constify
1228  	
1229  2006-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
1230  
1231  	* lib/krb5/get_cred.c: Allow setting additional tickets in the
1232  	tgs-req
1233  
1234  	* kuser/kgetcred.c: add --delegation-credential-cache
1235  
1236  	* kdc/krb5tgs.c (tgs_build_reply): add constrained delegation.
1237  
1238  	* kdc/krb5tgs.c: Add impersonation.
1239  
1240  	* kuser/kgetcred.c: use new krb5_get_creds interface, add
1241  	impersonation.
1242  
1243  	* lib/krb5/get_cred.c (krb5_get_creds): add
1244  	KRB5_GC_NO_TRANSIT_CHECK
1245  
1246  	* lib/krb5/misc.c: Add impersonate support functions.
1247  
1248  	* lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface.
1249  
1250  	* lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation
1251  
1252  	* lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more
1253  	KRB5_GC flags.
1254  	
1255  2006-06-01  Love Hörnquist Åstrand  <lha@it.su.se>
1256  	
1257  	* lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function.
1258  
1259  	* lib/krb5/pkinit.c: Avoid more shadowing.
1260  
1261  	* kdc/connect.c (do_request): clean reply with krb5_data_zero
1262  
1263  	* kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local
1264  	client must exist test.
1265  
1266  	* kdc/krb5tgs.c: Plug old memory leaks, unify all goto's.
1267  
1268  	* kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and
1269  	tgs_build_reply.
1270  
1271  	* kdc/kerberos5.c: split out krb5 tgs req to make it easier to
1272  	reorganize the code.
1273  	
1274  2006-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
1275  
1276  	* lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell
1277  
1278  	* lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell
1279  	
1280  2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
1281  
1282  	* kpasswd/kpasswdd.c (change): select the realm based on the
1283  	target principal From Gabor Gombas
1284  
1285  	* lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO
1286  	
1287  	* lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO
1288  	
1289  2006-05-12  Love Hörnquist Åstrand  <lha@it.su.se>
1290  
1291  	* lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed.
1292  	Fix a warning.
1293  
1294  	* doc/setup.texi: Point to more examples, hint that you have to
1295  	use openssl 0.9.8a or later.
1296  
1297  	* doc/setup.texi: DIR now handles both PEM and DER.
1298  
1299  	* kuser/kinit.c: Pass down prompter and password to
1300  	krb5_get_init_creds_opt_set_pkinit.
1301  
1302  	* lib/krb5/pkinit.c (_krb5_pk_load_id): only use password if it's
1303  	longer than 0
1304  	
1305  	* doc/ack.texi: Add Jason McIntyre.
1306  	
1307  	* lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason
1308  	McIntyre.
1309  	
1310  2006-05-11  Love Hörnquist Åstrand  <lha@it.su.se>
1311  
1312  	* kuser/kinit.c: Move parsing of the PK-INIT configuration file to
1313  	the library so application doesn't need to deal with it.
1314  
1315  	* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move
1316  	parsing of the configuration file to the library so application
1317  	doesn't need to deal with it.
1318  
1319  	* lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to
1320  	when trying to read the user certificate.
1321  
1322  	* lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1
1323  	on failure. Pointed out by Douglas E. Engert.
1324  	
1325  2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
1326  	
1327  	* lib/krb5/crypto.c: Catches both keyed checkout w/o crypto
1328  	context cases and doesn't reset the string, and corrects the
1329  	grammar.
1330  
1331  	* lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support,
1332  	it's all contained in libhcrypto and libhx509 now.
1333  	
1334  2006-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
1335  	
1336  	* lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use
1337  	hx509_get_one_cert.
1338  
1339  	* lib/krb5/crypto.c (create_checksum): provide an error message
1340  	that a key checksum needs a key.  From Andrew Bartlett.
1341  	
1342  2006-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
1343  	
1344  	* lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check
1345  	for hx509 null DH.
1346  
1347  	* kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exist in
1348  	older OpenSSL.
1349  
1350  	* doc/heimdal.texi: Add blob about imath.
1351  
1352  	* doc/ack.texi: Add blob about imath.
1353  
1354  	* include/make_crypto.c: Move up evp.h to please OpenSSL, from
1355  	Douglas E. Engert.
1356  
1357  	* kcm/acl.c: Multicache kcm interation isn't done yet, let wait
1358  	with this enum.
1359  	
1360  2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
1361  
1362  	* lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn
1363  	Sandell
1364  
1365  	* lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell
1366  
1367  	* lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell
1368  
1369  	* lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell
1370  
1371  	* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn
1372  	Sandell
1373  
1374  	* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn
1375  	Sandell
1376  
1377  	* lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit
1378  	kvno if the rest of the data is longer than 4 bytes in hope to be
1379  	forward compatible. Pointed out by Michael B Allen.
1380  
1381  	* doc/programming.texi: Add fileformats.
1382  
1383  	* appl/test: Rename u_intXX_t to uintXX_t
1384  
1385  	* kuser: Rename u_intXX_t to uintXX_t
1386  
1387  	* kdc: Rename u_intXX_t to uintXX_t
1388  
1389  	* lib/hdb: Rename u_intXX_t to uintXX_t
1390  	
1391  	* lib/45: Rename u_intXX_t to uintXX_t
1392  
1393  	* lib/krb5: Rename u_intXX_t to uintXX_t
1394  
1395  	* lib/krb5/Makefile.am: Add test_store to TESTS
1396  
1397  	* lib/krb5/pkinit.c: Catch using hx509 null DH and print a more
1398  	useful error message.
1399  
1400  	* lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan.
1401  	
1402  2006-05-04  Love Hörnquist Åstrand  <lha@it.su.se>
1403  
1404  	* kdc/kerberos4.c: Use the new unsigned integer storage types.
1405  
1406  	* kdc/kaserver.c: Use the new unsigned integer storage
1407  	types. Sprinkle some error handling.
1408  
1409  	* lib/krb5/krb5_storage.3: Document ret and store function for the
1410  	unsigned fixed size integer types.
1411  
1412  	* lib/krb5/v4_glue.c: Use the new unsigned integer storage
1413  	types. Fail that the address doesn't match, not the reverse.
1414  
1415  	* lib/krb5/store.c: Add ret and store function for the unsigned
1416  	fixed size integer types.
1417  
1418  	* lib/krb5/test_store.c: Test the integer storage types.
1419  	
1420  2006-05-03  Love Hörnquist Åstrand  <lha@it.su.se>
1421  
1422  	* lib/krb5/store.c (krb5_store_principal): make it take a
1423  	krb5_const_principal, indent
1424  
1425  	* lib/krb5/krb5_storage.3: krb5_store_principal takes a
1426  	krb5_const_principal
1427  
1428  	* lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no
1429  	longer a pointer.
1430  
1431  	* kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file
1432  
1433  	* kdc/config.c: read [kdc]pki-kdc-ocsp
1434  	
1435  2006-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
1436  	
1437  	* kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if
1438  	it seems to be valid, simplify the pkinit-windows DH case (it
1439  	doesn't exist).
1440  	
1441  2006-05-01  Love Hörnquist Åstrand  <lha@it.su.se>
1442  	
1443  	* lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell.
1444  
1445  	* lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn
1446  	Sandell.
1447  
1448  	* lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from
1449  	Björn Sandell.
1450  
1451  	* lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn
1452  	Sandell.
1453  
1454  	* lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn
1455  	Sandell.
1456  
1457  	* lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn
1458  	Sandell.
1459  
1460  	* lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn
1461  	Sandell.
1462  
1463  	* lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn
1464  	Sandell.
1465  
1466  	* lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn
1467  	Sandell.
1468  
1469  	* lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn
1470  	Sandell.
1471  
1472  	* lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn
1473  	Sandell.
1474  
1475  	* lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from
1476  	Björn Sandell.
1477  
1478  	* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
1479  	from Björn Sandell.
1480  
1481  	* lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
1482  	from Björn Sandell.
1483  
1484  	* lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from
1485  	Björn Sandell.
1486  
1487  	* lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from
1488  	Björn Sandell.
1489  
1490  	* lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from
1491  	Björn Sandell.
1492  
1493  	* lib/krb5/krb5_address.3: Spelling/mdoc changes, from
1494  	Björn Sandell.
1495  
1496  	* lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from
1497  	Björn Sandell.
1498  
1499  	* lib/krb5/krb5.3: Spelling, from Björn Sandell.
1500  	
1501  	* doc/ack.texi: add Björn
1502  
1503  2006-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
1504  
1505  	* lib/krb5/pkinit.c (cert2epi): don't include subject if it's null
1506  	
1507  2006-04-29  Love Hörnquist Åstrand  <lha@it.su.se>
1508  
1509  	* lib/krb5/pkinit.c: Send over what trust anchors the client has
1510  	configured.
1511  
1512  	* lib/krb5/pkinit.c (pk_verify_host): set better error string,
1513  	only check kdc name/address when we got a hostname/address passed
1514  	in to the function.
1515  
1516  	* kdc/pkinit.c (_kdc_pk_check_client): reorganize and make log
1517  	when a SAN matches.
1518  	
1519  2006-04-28  Love Hörnquist Åstrand  <lha@it.su.se>
1520  
1521  	* doc/setup.texi: More options and some text about windows
1522  	clients, certificate and KDCs.
1523  
1524  	* doc/setup.texi: notice about pki-mappings file space sensitive
1525  
1526  	* doc/setup.texi: Example pki-mapping file.
1527  
1528  	* lib/krb5/pkinit.c (pk_verify_host): verify hostname/address
1529  
1530  	* lib/hdb/hdb.h: Bump hdb interface version to 4.
1531  	
1532  2006-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
1533  	
1534  	* kuser/kdestroy.1: Document --credential=principal.
1535  
1536  	* kdc/kerberos5.c (tgs_rep2): check that the client exists in the
1537  	kerberos database if it's a local request.
1538  
1539  	* kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_
1540  	flags as appropriate
1541  
1542  	* kdc/kerberos4.c (_kdc_db_fetch4): pass down flags though
1543  	krb5_425_conv_principal_ext2
1544  
1545  	* kdc/misc.c (_kdc_db_fetch): Break out the that we request from
1546  	principal from the entry and pass it in as a separate argument.
1547  
1548  	* lib/hdb/keytab.c (hdb_get_entry): Break out the that we request
1549  	from principal from the entry and pass it in as a separate
1550  	argument.
1551  
1552  	* lib/hdb/common.c: Break out the that we request from principal
1553  	from the entry and pass it in as a separate argument.
1554  
1555  	* lib/hdb/hdb.h: Break out the that we request from principal from
1556  	the entry and pass it in as a separate argument. Add more flags to
1557  	->hdb_get(). Re-indent.
1558  	
1559  2006-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
1560  	
1561  	* doc/setup.texi: document pki-allow-proxy-certificate
1562  
1563  	* kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool
1564  	to allow using proxy certificate.
1565  
1566  	* lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose
1567  	hx509_verify_set_proxy_certificate
1568  
1569  	* kdc/pkinit.c (_kdc_pk_check_client): Use
1570  	hx509_cert_get_base_subject to get subject name of the
1571  	certificate, needed for proxy certificates.
1572  
1573  	* kdc/kerberos5.c: Now that find_keys speaks for itself, remove
1574  	extra logging.
1575  
1576  	* kdc/kerberos5.c (find_keys): add client_name and server_name
1577  	argument and use them, and adapt callers.
1578  	
1579  2006-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
1580  	
1581  	* kuser/kinit.1: document option password-file
1582  
1583  	* kuser/kinit.c: Add option password-file, read password from the
1584  	first line of a file.
1585  
1586  	* configure.in: make tests/kdc/Makefile
1587  
1588  	* kdc/kerberos5.c: Catch the case where the client sends no
1589  	encryption types or no pa-types.
1590  
1591  	* lib/hdb/ext.c (hdb_replace_extension): set error message on
1592  	failure, not success.
1593  
1594  	* lib/hdb/keys.c (parse_key_set): handle error case better
1595  	(hdb_generate_key_set): return better error
1596  	
1597  2006-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
1598  
1599  	* lib/hdb/hdb.c (hdb_create): print out what we don't support
1600  
1601  	* lib/krb5/principal.c: Remove a double free introduced in 1.93
1602  
1603  	* lib/krb5/log.c (log_file): reset pointer to freed memory
1604  
1605  	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to
1606  	make sure it's not referenced
1607  
1608  	* tools/krb5-config.in: libhcrypto might depend on libasn1, switch
1609  	order
1610  
1611  	* lib/krb5/recvauth.c: indent
1612  
1613  	* doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node
1614  	Listing.
1615  
1616  	* lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the
1617  	function can verify the certificate is from the right realm.
1618  
1619  	* lib/krb5/init_creds_pw.c: Pass down realm to
1620  	_krb5_pk_rd_pa_reply
1621  	
1622  2006-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
1623  
1624  	* lib/krb5/pkinit.c (pk_verify_host): Add beginning of finding
1625  	subjectAltName_otherName pk-init-san and verifying it.
1626  
1627  	* lib/krb5/sendauth.c: reindent
1628  
1629  	* doc/Makefile.am: use --no-split to make one large file, mostly
1630  	for html
1631  
1632  	* doc/setup.texi: "document" pkinit_require_eku and
1633  	pkinit_require_krbtgt_otherName
1634  
1635  	* lib/krb5/pkinit.c: Add pkinit_require_eku and
1636  	pkinit_require_krbtgt_otherName
1637  
1638  	* doc/setup.texi: Add text about pk-init
1639  
1640  	* tools/kdc-log-analyze.pl: count v5 cross realms too
1641  	
1642  2006-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
1643  	
1644  	* kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
1645  
1646  	* lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
1647  	
1648  2006-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
1649  
1650  	* kdc/pkinit.c (_kdc_pk_rd_padata): use
1651  	hx509_cms_unwrap_ContentInfo.
1652  
1653  	* kdc/config.c: unbreak
1654  
1655  	* lib/krb5/pkinit.c: Handle differences between libhcrypto and
1656  	libcrypto.
1657  
1658  	* kdc/config.c: Rename pki-chain to pki-pool to match rest of
1659  	code.
1660  	
1661  2006-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
1662  
1663  	* lib/krb5/rd_priv.c: Fix argument to krb5_data_zero.
1664  
1665  	* kdc/config.c: Added certificate revoke information from
1666  	configuration file.
1667  	
1668  	* kdc/pkinit.c: Added certificate revoke information.
1669  
1670  	* kuser/kinit.c: Added certificate revoke information from
1671  	configuration file.
1672  
1673  	* lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revoke
1674  	information, ie CRL's
1675  	
1676  2006-04-10  Love Hörnquist Åstrand  <lha@it.su.se>
1677  
1678  	* lib/krb5/replay.c (krb5_rc_resolve_full): make compile again.
1679  
1680  	* lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile
1681  	again.
1682  
1683  	* lib/krb5/transited.c (make_path): make sure we return allocated
1684  	memory Coverity, NetBSD CID#1892
1685  
1686  	* lib/krb5/transited.c (make_path): make sure we return allocated
1687  	memory Coverity, NetBSD CID#1892
1688  
1689  	* lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on
1690  	protocol failure, avoid leaking memory Coverity, NetBSD CID#1900
1691  
1692  	* lib/krb5/principal.c (krb5_parse_name): remember to free realm
1693  	in case of error Coverity, NetBSD CID#1883
1694  
1695  	* lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove
1696  	memory leak in case of weird formatted dns replies.
1697  	Coverity, NetBSD CID#1885
1698  	
1699  	* lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer
1700  	to an allocated krb5_rcache in case of error.
1701  
1702  	* lib/krb5/log.c (krb5_addlog_dest): free fn in case of error
1703  	Coverity, NetBSD CID#1882
1704  	
1705  	* lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error
1706  	handling.  Coverity, NetBSD CID#2369
1707  
1708  	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
1709  	in_creds->client should always be set, assume so.
1710  
1711  	* lib/krb5/keytab_any.c (any_next_entry): restructure to make it
1712  	easier to read Fixes Coverity, NetBSD CID#625
1713  
1714  	* lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL
1715  	check.  Coverity NetBSD CID#2367
1716  
1717  	* lib/krb5/build_auth.c (krb5_build_authenticator): use
1718  	calloc. removed check that was never really used. Coverity NetBSD
1719  	CID#2370
1720  	
1721  2006-04-09  Love Hörnquist Åstrand  <lha@it.su.se>
1722  	
1723  	* lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticket´
1724  	points to NULL in case of error, add error handling, use calloc.
1725  
1726  	* kpasswd/kpasswdd.c (doit): when done, close all fd in the
1727  	sockets array and free it.  Coverity NetBSD CID#1916
1728  	
1729  2006-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
1730  
1731  	* lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity,
1732  	NetBSD CID#1695
1733  
1734  	* kdc/524.c (_kdc_do_524): Handle memory allocation failure
1735  	Coverity, NetBSD CID#2752
1736  	
1737  2006-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
1738  
1739  	* lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory
1740  	leak Coverity NetBSD CID#1890
1741  
1742  	* kdc/hprop.c (main): make sure type doesn't need to be set
1743  
1744  	* kdc/mit_dump.c (mit_prop_dump): close fd when done processing
1745  	Coverity NetBSD CID#1955
1746  
1747  	* kdc/string2key.c (tokey): catch warnings, free memory after use.
1748  	Based on Coverity NetBSD CID#1894
1749  
1750  	* kdc/hprop.c (main): remove dead code.  Coverity NetBSD CID#633
1751  	
1752  2006-04-04  Love Hörnquist Åstrand  <lha@it.su.se>
1753  	
1754  	* kpasswd/kpasswd-generator.c (read_words): catch empty file case,
1755  	will cause PBE (division by zero) later. From Tobias Stoeckmann.
1756  	
1757  2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
1758  	
1759  	* lib/hdb/keytab.c: Remove a delta from last revision that should
1760  	have gone in later.
1761  	
1762  	* lib/krb5/krbhst.c: fix spelling
1763  
1764  	* lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed
1765  	pointer, found by IBM checker.
1766  
1767  	* lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer,
1768  	found by IBM checker.
1769  
1770  	* lib/krb5/addr_families.c (krb5_make_addrport): clear return
1771  	value on error, found by IBM checker.
1772  
1773  	* kdc/kerberos5.c (check_addresses): treat netbios as no addresses
1774  	
1775  	* kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex
1776  
1777  	* kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to
1778  	avoid ?:'s at callers
1779  
1780  	* lib/krb5/v4_glue.c: Avoid using free memory, found by IBM
1781  	checker.
1782  
1783  	* lib/krb5/transited.c (expand_realm): avoid passing NULL to
1784  	strlen, found by IBM checker.
1785  
1786  	* lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc
1787  	failure, found by IBM checker.
1788  
1789  	* lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy
1790  	with a memcpy
1791  
1792  	* lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory
1793  	leak, found by IBM checker.
1794  
1795  	* lib/krb5/keytab_file.c (fkt_next_entry_int): remove a
1796  	dereferencing NULL pointer, found by IBM checker.
1797  
1798  	* lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the
1799  	cname must always be given, don't avoid that fact and remove a
1800  	cname == NULL case. Plugs a memory leak found by IBM checker.
1801  
1802  	* lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing
1803  	free-ed memory on error. Found by IBM checker.
1804  
1805  	* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use
1806  	calloc to avoid uninitialized memory problem.
1807  
1808  	* lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory
1809  	on error. Found by IBM checker.
1810  
1811  	* lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by
1812  	IBM checker.
1813  
1814  	* lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker
1815  	thought it found a memory leak, it didn't, but there was another
1816  	error in the code, let's fix that instead.
1817  
1818  	* lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory
1819  	leak. Found by IBM checker.
1820  
1821  	* lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return
1822  	pointer to freed memory in the error case. Found by IBM checker.
1823  
1824  	* lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM
1825  	checker.
1826  
1827  	* lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before
1828  	going into the error clause and freeing key_set. Found by IBM
1829  	checker.  Make sure ret == 0 after a parse error, we catch the
1830  	"no entries parsed" case later.
1831  
1832  	* lib/krb5/log.c (krb5_addlog_dest): make string length match
1833  	strings in strcasecmp.  Found by IBM checker.
1834  	
1835  2006-03-30  Love Hörnquist Åstrand  <lha@it.su.se>
1836  	
1837  	* lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set
1838  	variable_name as "hdb_entry_ex"
1839  	(hdb_ldap_common): change "arg" in condition (if) to "search_base"
1840  	(hdb_ldapi_create): change "serach_base" to "search_base" From
1841  	Alex V. Labuta.
1842  
1843  	* lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): fix
1844  	prototype
1845  
1846  	* kuser/kinit.c: Add pool of certificates to help certificate path
1847  	building for clients sending incomplete path in the signedData.
1848  	
1849  2006-03-28  Love Hörnquist Åstrand  <lha@it.su.se>
1850  
1851  	* kdc/pkinit.c: Add pool of certificates to help certificate path
1852  	building for clients sending incomplete path in the signedData.
1853  
1854  	* lib/krb5/pkinit.c: Add pool of certificates to help certificate
1855  	path building for clients sending incomplete path in the
1856  	signedData.
1857  	
1858  2006-03-27  Love Hörnquist Åstrand  <lha@it.su.se>
1859  
1860  	* kdc/config.c: Allow passing in related certificates used to
1861  	build the chain.
1862  
1863  	* kdc/pkinit.c: Allow passing in related certificates used to
1864  	build the chain.
1865  
1866  	* kdc/kerberos5.c (log_patype): Add case for
1867  	KRB5_PADATA_PA_PK_OCSP_RESPONSE.
1868  
1869  	* tools/Makefile.am: Spelling
1870  
1871  	* tools/krb5-config.in: Add hx509 when using PK-INIT.
1872  
1873  	* tools/Makefile.am: Add hx509 when using PK-INIT.
1874  	
1875  2006-03-26  Love Hörnquist Åstrand  <lha@it.su.se>
1876  
1877  	* lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS
1878  	X Kerberos.app problems.
1879  
1880  	* lib/krb5/krb5_ccapi.h: Add ticket flags definitions
1881  
1882  	* lib/krb5/pkinit.c: Use less openssl, spell chelling.
1883  
1884  	* kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with
1885  	asn1 wrapping
1886  
1887  	* configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile
1888  
1889  	* lib/Makefile.am: Add hx509.
1890  
1891  	* lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used.
1892  
1893  	* configure.in: define automake PKINIT variable
1894  
1895  	* kdc/pkinit.c: Switch to hx509.
1896  
1897  	* lib/krb5/pkinit.c: Switch to hx509.
1898  	
1899  2006-03-24  Love Hörnquist Åstrand  <lha@it.su.se>
1900  	
1901  	* kdc/kerberos5.c (log_patypes): log the patypes requested by the
1902  	client
1903  	
1904  2006-03-23  Love Hörnquist Åstrand  <lha@it.su.se>
1905  
1906  	* lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the
1907  	req_buffer in the w2k case too. From Douglas E. Engert.
1908  	
1909  2006-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
1910  
1911  	* lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto
1912  	error handling.  Fixes Coverity NetBSD CID 2591 by catching a
1913  	failing krb5_copy_keyblock()
1914  	
1915  2006-03-17  Love Hörnquist Åstrand  <lha@it.su.se>
1916  
1917  	* lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in
1918  	address when free-ing.  Fixes Coverity NetBSD bug #2605
1919  	(krb5_parse_address): reset val,len before possibly return errors
1920  	Fixes Coverity NetBSD bug #2605
1921  	
1922  2006-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
1923  	
1924  	* lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but
1925  	make sure nbytes > 0
1926  
1927  	* lib/krb5/get_for_creds.c (add_addrs): handle the case where
1928  	addr->len == 0 and n == 0, then realloc might return NULL.
1929  
1930  	* lib/krb5/crypto.c (decrypt_*): handle the case where the
1931  	plaintext is 0 bytes long, realloc might then return NULL.
1932  	
1933  2006-02-28  Love Hörnquist Åstrand  <lha@it.su.se>
1934  
1935  	* lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived.
1936  
1937  	* lib/krb5/krb5.3: Remove krb5_string_to_key_derived.
1938  
1939  	* lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2
1940  	and use PKCS5_PBKDF2_HMAC_SHA1 instead.
1941  
1942  	* lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory
1943  
1944  	* lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1.
1945  	
1946  2006-02-27  Johan Danielsson  <joda@pdc.kth.se>
1947  
1948  	* doc/setup.texi: remove cartouches - we don't use them anywhere
1949  	else, they should be around the example, not inside it, and
1950  	probably shouldn't be used in html at all
1951  
1952  2006-02-18  Love Hörnquist Åstrand  <lha@it.su.se>
1953  
1954  	* lib/krb5/krb5_warn.3: Document that applications want to use
1955  	krb5_get_error_message, add example.
1956  
1957  2006-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
1958  
1959  	* lib/krb5/crypto.c (krb5_generate_random_block): check return
1960  	value from RAND_bytes
1961  
1962  	* lib/krb5/error_string.c: Change indentation, update (c)
1963  
1964  2006-02-14  Love Hörnquist Åstrand  <lha@it.su.se>
1965  
1966  	* lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when
1967  	compiling w/o pkinit.
1968  	
1969  2006-02-13  Love Hörnquist Åstrand  <lha@it.su.se>
1970  
1971  	* lib/krb5/pkinit.c: update to new paChecksum definition, update
1972  	the dhgroup handling
1973  
1974  	* kdc/pkinit.c: update to new paChecksum definition, use
1975  	hdb_entry_ex
1976  	
1977  2006-02-09  Love Hörnquist Åstrand  <lha@it.su.se>
1978  
1979  	* lib/krb5/krb5_locl.h: Move Configurable options to last in the
1980  	file.
1981  	
1982  	* lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef
1983  	
1984  2006-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
1985  	
1986  	* kpasswd/kpasswdd.c: Send back a better error-message to the
1987  	client in case the password change was rejected.
1988  
1989  	* lib/krb5/krb5_warn.3: Document krb5_get_error_message.
1990  
1991  	* lib/krb5/error_string.c (krb5_get_error_message): new function,
1992  	and combination of krb5_get_error_string and krb5_get_err_text
1993  
1994  	* lib/krb5/krb5.3: sort, and krb5_get_error_message
1995  
1996  	* lib/hdb/hdb-ldap.c: Log the filter string to the error message
1997  	when doing searches.
1998  
1999  	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
2000  	Use KRB5_ADDRESSLESS_DEFAULT when
2001  	checking [appdefault]no-addresses.
2002  
2003  	* lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use
2004  	KRB5_ADDRESSLESS_DEFAULT when checking
2005  	[appdefault]no-addresses.
2006  
2007  	* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
2008  	Use [appdefault]no-addresses before checking if the krbtgt is
2009  	address-less, use KRB5_ADDRESSLESS_DEFAULT.
2010  
2011  	* lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that
2012  	controls all address-less behavior.  Defaults to false.
2013  	
2014  2006-02-01  Love Hörnquist Åstrand  <lha@it.su.se>
2015  
2016  	* lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION
2017  
2018  	* lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE
2019  	fails to produce the matching lengths.
2020  	
2021  2006-01-27  Love Hörnquist Åstrand  <lha@it.su.se>
2022  
2023  	* kcm/protocol.c (kcm_op_retrieve): remove unused variable
2024  	
2025  2006-01-15  Love Hörnquist Åstrand  <lha@it.su.se>
2026  
2027  	* tools/krb5-config.in: Move dependency on @LIB_dbopen@ to
2028  	kadm-server, kerberos library doesn't depend on db-library.
2029  	
2030  2006-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
2031  
2032  	* include/Makefile.am: Don't clean crypto headers, they now live
2033  	in hcrypto/.  Add hcrypto to SUBDIRS.
2034  
2035  	* include/hcrypto/Makefile.am: clean installed headers
2036  
2037  	* include/make_crypto.c: include crypto headers from hcrypto/
2038  
2039  	* include/make_crypto.c: Include more crypto header files. Remove
2040  	support for old hash names.
2041  	
2042  2006-01-02  Love Hörnquist Åstrand  <lha@it.su.se>
2043  	
2044  	* kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry,
2045  	from Andrew Bartlett.
2046  	
2047  	* Happy New Year.