ae77177087
several new kerberos related libraries and applications to FreeBSD:

o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securely forwards ticket to another host through an authenticated and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1) and other user kerberos operations. klist and kswitch are just symlinks to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.

We also now install manpages for some libraries that were not installed before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4. All users are recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings disabled due to the function they use (krb5_get_err_text(3)) being deprecated. I plan to work on this next.
- Heimdal's KDC now requires sqlite to operate. We use the bundled version and install it as libheimsqlite. If some other FreeBSD components will require it in the future we can rename it to libbsdsqlite and use for these components as well.
- This is not the latest Heimdal version, the new one was released while I was working on the update. I will update it to 1.5.2 soon, as it fixes some important bugs and security issues.
1486 lines
44 KiB
Plaintext
2004-12-30 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for
now (used in pkinit)

2004-12-29 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/Makefile.am: add CHECK_SYMBOLS

* lib/hdb/keys.c: make all_etypes static

* lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err
-version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops

* kdc/kerberos5.c: use private version of principalname

* kdc/kerberos4.c: use private version of principalname

* kdc/hpropd.c: use private version of principalname

* kdc/524.c: use private version of principalname

* lib/krb5/rd_req.c: use private version of principalname

* lib/krb5/rd_cred.c: use private version of principalname

* lib/krb5/init_creds_pw.c: use private version of principalname

* lib/krb5/get_in_tkt.c: use private version of principalname

* lib/krb5/asn1_glue.c: make principalname functions private

* lib/krb5/krb5.h: add key usage for server referrals

2004-12-29 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/principal.c: make default_v4_name_convert static

* lib/krb5/crypto.c: make lots of crypto related variables static

* lib/krb5/acache.c: make default_acc_name static

2004-12-28 Love Hörnquist Åstrand <lha@it.su.se>

* doc/setup.texi: add some text about samba, use example.com

* lib/hdb/hdb-ldap.c: Add account expiration for samba from James
F. Hranicky <jfh@cise.ufl.edu>.
Add LDAP_addmod_integer and use it.

2004-12-27 Love Hörnquist Åstrand <lha@it.su.se>

* doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text
fixes, from Dave Love

2004-12-18 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just
needs pthread.h, threadlib is dead

2004-12-17 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/config.c (configure): check for deprecated
enforce-transited-policy is set and fail if it is

* lib/asn1/asn1_print.c: don't print garbage for octet strings

2004-12-13 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/main.c (main): catch sigpipe, we don't bother select()ing
for errors

* kdc/connect.c (handle_http_tcp): handle error from write(2)

* doc/setup.texi: clarify credentials refreshing stuff

* doc/setup.texi: add new node: Providing Kerberos credentials to
servers and programs

* doc/whatis.texi: fix spurious cross-reference makeinfo warning

* lib/hdb/hdb-ldap.c (pos): uppercase in character

2004-12-12 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode
nibbles in the other order

* lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if
attribute exists before we try to delete it LDAP__bytes2hex
encodes in strange byte order, is this really right ?

2004-12-11 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all
entries, search for samba accounts too, From: "James F. Hranicky"
<jfh@cise.ufl.edu>

* lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid
too

* lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing
both krb5PrincipalName and uid, it must be broken, ignore it and
return it doesn't exist.

2004-12-10 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/hpropd.8: spelling, from OpenBSD

* kdc/kdc.8: use keeps for options, From OpenBSD k

2004-12-09 Love Hörnquist Åstrand <lha@it.su.se>

* doc/setup.texi: document --random-key and the need to do backup
of the master key

* kdc/kstash.8: add --random-key

* kdc/kstash.c: add --random-key

2004-12-08 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/verify_krb5_conf.8: spelling, from openbsd

* lib/krb5/krb5_init_context.3: spelling, from openbsd

* lib/krb5/krb5.conf.5: spelling, from openbsd

* kuser/kdestroy.1: use keeps around options, spelling, from
openbsd

* kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD

* kdc/hpropd.8: use keeps around options, from OpenBSD

* kdc/hprop.8: use keeps around options, from OpenBSD

2004-11-30 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/context.c (krb5_free_context): clear error string
before destroying mutex
(krb5_init_context): don't call krb5_free_context before there is a
mutex initialized

2004-11-18 Love Hörnquist Åstrand <lha@it.su.se>

* kuser/kinit.c (get_new_tickets): only complain about ticket
renewable lifetime when the user asked for a specific renewable
lifetime

2004-11-15 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/kerberos5.c (find_keys): log what principal is missing
enctypes

2004-11-13 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after
freeing data

* lib/krb5/init_creds_pw.c (change_password): handle old_options
being NULL From Guenther Deschner on samba-technical.

2004-11-12 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_get_init_creds.3: add more text describing the
krb5_get_init_creds functions

2004-11-11 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work
again

2004-11-10 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb.asn1: use constrained integers

2004-11-09 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_get_init_creds.3: add description for opt_init,
opt_alloc, opt_free

* lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit

* lib/krb5/init_creds.c: unexport
krb5_get_init_creds_opt_free_pkinit

* lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into
get_init_creds_common

* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in
options NULL, just make a clean copy

2004-11-01 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier
so we don't leak it on error

2004-10-31 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5.conf.5: unbreak 2b entry

* lib/krb5/acache.c (make_cred_from_ccred): the address isn't a
sockaddr but rather a kerberos address, deal with that. Based on
bug report from Jakob Schlyter <jakob@rfc.se>.

2004-10-30 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/connect.c: Make sure argument passed to ctype isn't signed
char

2004-10-14 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: match new error names

* lib/krb5/krb5_err.et: make error messages sane again

2004-10-13 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/keytab.c: use KRB5_KT_BADNAME

* lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major
version bump) add KRB5_DELTAT_BADFORMAT

* lib/krb5/krb5.conf.5: time defaults to "s"

* lib/krb5/time.c (krb5_string_to_deltat): default to "s" again,
MIT's behavior was actually that it failed to parse the number
(and thus used the default). Even better, ticket_lifetime (that
was a consumer supposed a of the interface) was documented but
never implemented, when it was implemented, people configuration
files started to fail. Also, use KRB5_DELTAT_BADFORMAT as a
failure code.

* lib/asn1/k5.asn1: sync enctypes with pkinit branch

* lib/asn1/parse.y (readd) support negative numbers

* lib/asn1/lex.l: support hex numbers

2004-10-12 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS

* lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding
for rc2 don't do padding for blocksize 1

* lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c:
Move keyset parsing and password based keyset generation into hdb.
Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb
backend.

2004-10-07 Love Hörnquist Åstrand <lha@it.su.se>

* kuser/kinit.c: adapt to new signature of
krb5_get_init_creds_opt_set_pkinit

* lib/krb5/pkinit.c: free openssl engine deal with
RecipientIdentifier -> CMSIdentifier and heim_any -> name change
improve error messages

* kdc/pkinit.c: free openssl engine deal with RecipientIdentifier
-> CMSIdentifier and heim_any -> name change

2004-10-04 Johan Danielsson <joda@pdc.kth.se>

* kuser/klist.c: use rtbl_set_separator

2004-10-03 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: filter out dup openssl engine keys, parse
user options first

* lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add
openssl engine support for private key

* lib/krb5/crypto.c: support padding as it's done in CMS

* kdc/pkinit.c: improve error logging

* kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt

2004-09-30 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5.conf.5: assume minutes for time

* lib/krb5/config_file.c (krb5_config_vget_time_default): use
krb5_string_to_deltat

* lib/krb5/appdefault.c (krb5_appdefault_time): use
krb5_string_to_deltat

* lib/krb5/time.c (krb5_string_to_deltat): set default unit to
minute for compatibility with MIT Kerberos.

2004-09-28 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large
message safe" transport if we get back
KRB5KRB_ERR_RESPONSE_TOO_BIG error. Idea from Guenther Deschner
<gd@sernet.de>

2004-09-23 Johan Danielsson <joda@pdc.kth.se>

* admin/list.c: use rtbl

* admin/ktutil-commands.in: slc source file

* lib/krb5/constants.c: check
/Library/Preferences/edu.mit.Kerberos on OSX

2004-09-21 Johan Danielsson <joda@pdc.kth.se>

* lib/krb5/time.c (krb5_format_time): check return value from
localtime and strftime

2004-09-14 Johan Danielsson <joda@pdc.kth.se>

* kuser/kinit.c: make sure we don't always get renewable creds

2004-09-11 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/acache.c: use krb5_ccapi.h

* lib/krb5/krb5_ccapi.h: break out krb5 api definitions to
separate (not installed) file

* lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS
since AM_CPPFLAGS overridden by target specific _CPPFLAGS

2004-09-08 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: make variable shorter, make error messages
from pkinit, make freeing easier

2004-09-06 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen

* lib/krb5/crypto.c (seed_something): avoid poking at memory that
is uninitialized, make valgrind unhappy. Pointed out by
abartlet@samba.org. While here, plug the fd leak.

2004-09-05 Love Hörnquist Åstrand <lha@it.su.se>

* lib/asn1/der_get.c (decode_*): name all tag-length variables the
same
(decode_enumerated): check that the tag-length is not longer the length

* lib/asn1/der_get.c (decode_boolean): fail if length of tag is
larger than len

2004-08-31 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be
set in case of failure too, free unconditionally on exit to avoid
memory leak

2004-08-23 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after
free

2004-08-20 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/context.c (krb5_get_err_text): if neither of com_right
nor strerror finds the error-code, return Unknown error.

2004-08-19 Johan Danielsson <joda@pdc.kth.se>

* lib/krb5/krb5_kuserok.3: update to reality

* lib/krb5/kuserok.c: if a .k5login file exists, don't give
implicit rights to anyone; also check owner/mode of .k5login

2004-08-15 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3

* lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname

* lib/krb5/krb5.3: add krb5_getportbyname

* lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid

* lib/krb5/krb5_encrypt.3: document krb5_enctype_valid

2004-08-13 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes
from the client and filter them out.

* lib/krb5/krb5_string_to_key.3: document krb5_free_salt

2004-08-12 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_ticket.3: data needs to be freed when using
krb5_ticket_get_authorization_data_type

2004-08-11 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/test_cc.c: test variables in default_cc_name

* lib/krb5/krb5.conf.5: explain support for variables in
[libdefaults]default_cc_name

* lib/krb5/cache.c: drop ${time}, it's not very useful

* lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expand
variables in the default cc name. Supported variables now are:
${time},${uid} and ${null}

* lib/krb5/krb5.conf.5: document default_cc_name

* lib/krb5/cache.c (krb5_cc_set_default_name):
s/libdefault/libdefaults/

2004-08-06 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/acache.c: replace magic 3 with ccapi_version_3

* lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c

* lib/krb5/krb5.h: add krb5_acc_ops

* lib/krb5/acache.c: CCAPI v3 implementation, the read only
support was from Magnus Ahltorp and then extended by me to support
all other operations. Tested with MIT kerberos cc cache
implementation on MacOS 10.3.3

* lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the
default cc name, this is not very useful for general purpose glue
since it's not possible to glue in user information (like uid), but
for CCAPI it works just fine

2004-08-05 Love Hörnquist Åstrand <lha@it.su.se>

* kuser/kgetcred.1: document --cache/-c

* kuser/kgetcred.c: allow to specify what credential cache to use

2004-08-03 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3

* lib/krb5/krb5_eai_to_heim_errno.3: document
krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno

* lib/krb5/krb5.3: add krb5_eai_to_heim_errno,
krb5_h_errno_to_heim_errno

2004-07-26 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms
result should be free with krb5_free_host_realm drop
krb5_get_host_realm text

* lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result
should be free with krb5_free_host_realm

* lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep

* lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds

* lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator

* lib/krb5/Makefile.am: man_MANS += krb5_rd_error

* lib/krb5/krb5_rd_error.3: krb5_rd_error and friends

* lib/krb5/krb5_warn.3: clarify on what string
krb5_free_error_string should operate on

* lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred

* lib/krb5/Makefile.am: krb5_get_credentials,
krb5_get_forwarded_creds and friends

* lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds
and friends

* lib/krb5/krb5_get_credentials.3: krb5_get_credentials and
friends

2004-07-23 Love Hörnquist Åstrand <lha@it.su.se>

* kuser/klist.c (print_cred_verbose): keytypes are no longer, use
enctype

2004-07-22 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99
compilers, From metze at samba.org

2004-07-20 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/test_cc.c: more cc tests

* lib/krb5/krb5_check_transited.3: document krb5_check_transited

2004-07-19 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c (pk_principal_from_X509): reverse test, makes
principal in cert work From: Mayur Patel <patelm4@rpi.edu>

2004-07-18 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/Makefile.am: add krb5_verify_init_creds.3

* lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds

2004-07-15 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org
description for krb5_passwd_result_to_string

2004-07-14 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar
fixes; split sentence in two for better understanding. From
wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here.

* lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan
Stone <jonathan@dsg.stanford.edu>

* lib/krb5/changepw.c (process_reply): cast ssize_t to long and
print that From NetBSD via Havard Eidnes.

2004-07-09 Love Hörnquist Åstrand <lha@it.su.se>

* configure.in: fix helpstring for hdb-openldap-module

* lib/krb5/test_cc.c: don't use krb5_err on error code 0

2004-07-08 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better

2004-07-02 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const

2004-07-01 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with
right argument

2004-06-27 Johan Danielsson <joda@pdc.kth.se>

* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the
krbtgt is without addresses, default to not sending our own
addrport

* lib/asn1/lex.l: add support for /* */ and partial line --
comments

* kuser/Makefile.am: don't install copy_cred_cache manpage

2004-06-24 Johan Danielsson <joda@pdc.kth.se>

* lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if
copying a static opt, make sure to allocate the "private" field

2004-06-24 Love <lha@stacken.kth.se>

* kdc/config.c: add enable_pkinit_princ_in_cert

* kdc/kdc_locl.h: enable_pkinit_princ_in_cert

* kdc/pkinit.c: Check certificate for Kerberos Principal in
OtherName of subjectAltName Based on patch from Mayur Patel
<patelm4@rpi.edu>

2004-06-21 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/get_cred.c (init_tgs_req): if subkey not available, use
session key for authorization-data

2004-06-15 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/connect.c (handle_tcp): note who is what that closed the
connection on us

2004-06-09 Love Hörnquist Åstrand <lha@it.su.se>

* admin/get.c (kt_get): catch errors from krb5_parse_name

2004-06-05 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c: if its the entry just contains the
structural object (no samba nor heimdal object), add an aux
heimdal object on to it.

2004-06-02 Love Hörnquist Åstrand <lha@it.su.se>

* kpasswd/kpasswd.c: use krb5_set_password_using_ccache

* lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache

* lib/krb5/changepw.c: implement krb5_set_password_using_ccache

* lib/hdb/hdb-ldap.c: Allow the objectClass to be
"sambaSamAccount" or structural_object when searching for uid
entries.

* lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base

* lib/hdb/hdb-ldap.c: add creation base that defaults to the
search base

* lib/hdb/hdb-ldap.c: indent like the rest of the code

2004-06-01 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c: check return values from ldap operations and
close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you
should retry by yourself.

* lib/hdb/hdb-ldap.c: require search base to be configured, create
local context structure

2004-05-31 Love Hörnquist Åstrand <lha@it.su.se>

* doc/setup.texi: more ldap text, partly from Tarjei Huse
<tarjei@nu.no>

2004-05-28 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c: clean, indent

* lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure
krb5KeyVersionNumber is added on new entries

2004-05-27 Love Hörnquist Åstrand <lha@it.su.se>

* doc/setup.texi: minor fixes, partly from Tarjei Huse
<tarjei@nu.no>

* lib/krb5/krb5.conf.5: some text about dbname and realm

* lib/krb5/krb5.conf.5: default value for
hdb-ldap-structural-object is account

2004-05-26 Love Hörnquist Åstrand <lha@it.su.se>

* tools/Makefile.am: use ! instead of , as sed delimiter

2004-05-25 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions

2004-05-23 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean

* lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure
option

* lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From:
Andrew Bartlett <abartlet@samba.org>

* lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length
check From: Andrew Bartlett <abartlet@samba.org>

* lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword
case, make sure ent->etypes are allocated, From: Andrew Bartlett
<abartlet@samba.org>

2004-05-14 Love Hörnquist Åstrand <lha@it.su.se>

* kuser/kinit.c: move "setpag if (argc < 1)" to common path

2004-05-12 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers

* fix-export: use right argument for -E

2004-05-06 Johan Danielsson <joda@pdc.kth.se>

* kuser/kinit.c: print some diagnostics if the exec fails

2004-04-29 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key
From: Luke Howard <lukeh@padl.com>

* lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket,
not just a pointer size of it From: Luke Howard <lukeh@padl.com>

2004-04-28 Love Hörnquist Åstrand <lha@it.su.se>

* fix-export: add -E flag where needed to make-proto

2004-04-26 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/crypto.c: add set_param for RC2

* lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids
that are no longer needed

* kdc/pkinit.c: use krb5_enctype_to_oid

* lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists
before we compare with it

* lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length
before returning it add aes-oids

* lib/krb5/crypto.c: add krb5_enctype_to_oid and
krb5_oid_to_enctype

* kdc/pkinit.c: use krb5_crypto_set_params

* lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none

* lib/krb5/krb5.h: add KEYTYPE_AES192

* lib/krb5/pkinit.c: use krb5_crypto_get_params to implement
kcrypto RC2 support

* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
rc2-cbc XXX RC2CBCParameter is wrong because the compiler is
broken

* lib/krb5/krb5.h: add KEYTYPE_RC2

* lib/krb5/crypto.c: add partial CMS parameter handling, this is
needed for RC2

* lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp

* lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c

* lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp

* lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE

* lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken

2004-04-26 Johan Danielsson <joda@pdc.kth.se>

* lib/krb5/config_file.c: allow parsing directly from strings with
krb5_config_parse_string_multi

* lib/krb5/verify_krb5_conf.c: try to resolve hostnames

2004-04-25 Johan Danielsson <joda@pdc.kth.se>

* lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file
descriptor so we don't have to keep track of it in two places

* kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in
libkrb5

* lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its
own manpage

* replace krb5_free_creds_contents by krb5_free_cred_contents

* lib/krb5/cache.c: add krb5_cc_next_cred_match() and
krb5_cc_copy_cred_match()

* lib/krb5/creds.c (krb5_compare_creds): add more matching options

* lib/krb5/krb5.h: add more creds match flags

* kuser/copy_cred_cache: add --valid-for option

* lib/krb5/store.c (krb5_store_creds): set is_skey flag if length
of second ticket is > 0

2004-04-25 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: use the right oid for pkauthdata

* lib/krb5/pkinit.c: always send both win2k compat version and the
ietf draft one, this is possible since microsoft use
wrong/different PA number. Make the configuration flag boolean
configuring if NOT to send the win2k compat glue.

* lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec

* kuser/copy_cred_cache.1: pacify mdoclint

* kdc/pkinit.c: use IV for envelopeddata encryption, patch
originally from Luke Howard <lukeh@padl.com>, tweaked by me.

* lib/krb5/krb5_storage.3: document
KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER

* lib/krb5/krb5_data.3: document that krb5_data_free cleans the
structure too

* lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch
originally from Luke Howard <lukeh@padl.com>, tweaked by me.

2004-04-24 Johan Danielsson <joda@pdc.kth.se>

* kuser/copy_cred_cache.{c,1}: add cred cache copy tool

* configure.in: use rk_SYS_LARGEFILE

* lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder
issue with a storage flag instead of a separate function.

2004-04-24 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: move out the oid check from get_reply_key

* lib/krb5/pkinit.c: uniquify error messages

* lib/krb5/init_creds_pw.c: make the pkinit nonce same as the
plain nonce for now

* lib/krb5/pkinit.c: more w2k compat from Luke Howard
<lukeh@padl.com> add RC2 support, clean up error messages

* lib/krb5/pkinit.c: remove more dependency on
krb5_config->pkinit_flags

* lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft
style answer to IETF, From Luke Howard <lukeh@padl.com>
(_krb5_pk_create_sign): ms handles NULL in param, so always send it
(_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool }

* lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the
digestAlgorithm to sha1 (both for SignerInfo and SignedData, add
new function _set_digest_alg to set it

2004-04-23 Love Hörnquist Åstrand <lha@it.su.se>

* include/make_crypto.c: include rc2.h, and when I'm here, make
aes mandatory

* lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT
kerberos

* lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on
failure

* lib/krb5/crypto.c (DES3_random_to_key): make it produce the
right result
(DES3_postproc): use DES3_random_to_key
(krb5_random_to_key): check the required number of bits (not the size
of the key)

* lib/krb5/aes-test.c: test random to key function

* lib/krb5/string-to-key-test.c: comment out the "@"/"" test for
now

2004-04-22 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_string_to_key.3: document that
krb5_string_to_key_derived is broken for non 3des enctypes and
thus deprecated

* kdc/pkinit.c (generate_dh_keyblock): use the new function
krb5_random_to_key

* lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they
need special processing

* lib/krb5/crypto.c (krb5_random_to_key): new function

* lib/krb5/krb5_keyblock.3: document krb5_random_to_key

2004-04-21 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: use the first proposed enable enctype

* lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the
return from krb5_enctype_valid

* kdc/pkinit.c: at least try to handle different enveloped enctypes

2004-04-21 Love Hörnquist Åstrand <lha@it.su.se>

* lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid
components being smaller than 127 and allocate one extra element
since first byte is split to two elements.

2004-04-20 Love Hörnquist Åstrand <lha@it.su.se>

* lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE:
private use, lukeh@padl.com

2004-04-19 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode
DH public key

2004-04-18 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_init_context.3: add krb5_context to so its added
as manpage-link too

2004-04-17 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation,
XXX add locking

* kuser/kdestroy.c: add --credential argument that just remove one
credential entry out of the cache specified

* kdc/pkinit.c: replace the krb5.conf configuration option that
describes the mapping between principals and subject names with a
file, default /var/heimdal/pki-mapping. XXX this should be pushed
into HDB. XXX should add issuer too

* kdc/config.c: merge certificate/private_key to a user_id

2004-04-16 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/kdc_locl.h: update prototype for pk_initialize

* kuser/kinit.c: merge certificate/private_key to a user_id

* kdc/pkinit.c: adapt to heim_integer changes

* lib/krb5/pkinit.c: merge certificate/private_key to a user_id

* kdc/pkinit.c: adapt to heim_integer changes,
merge certificate/private_key to a user_id

2004-04-15 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE

2004-04-13 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building
libkrb5.la, add KRB5_LIB_FUNCTION proto

* lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION

* configure.in: export KRB5_LIB_FUNCTION when building with
BUILD_KRB5_LIB

* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add
error strings

* lib/krb5/prompter_posix.c (krb5_prompter_posix): if something
is printed on stderr, fflush it

* lib/krb5/krb5_keyblock.3: free functions also zero out the key

* lib/krb5/krb5_get_init_creds.3: some text about
krb5_prompter_posix

* lib/krb5/krb5.conf.5: document hdb-ldap-structural-object

* lib/krb5/cache.c: add krb5_cc_get_prefix_ops

* lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops

2004-04-05 Love Hörnquist Åstrand <lha@it.su.se>

* appl/test/http_client.c: support GSS_C_DELEG_FLAG and
GSS_C_MUTUAL_FLAG

* appl/test/http_client.c: verbose logging

2004-04-02 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/connect.c: cast size_t to unsigned long for LP64 platforms

2004-04-01 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of
default structural object

* tools/Makefile.am: handle sed expression breaking

2004-03-31 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr

* lib/krb5/changepw.c: add tcp support to the set protocol, should
be cleaned up to enable sharing code with krb5_sendto

* kpasswd/kpasswd.c (change_password): remove extra free

* lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on
osf/1

2004-03-30 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't
increase md->len, krb5_padata_add already does that

* lib/krb5/init_creds.c: it's PAC not PAQ

* kuser/kinit.c: it's PAC not PAQ

* kdc/kerberos4.c: stop the client from renewing tickets into the
future From: Jeffrey Hutzelman <jhutz@cmu.edu>

2004-03-29 Love Hörnquist Åstrand <lha@it.su.se>

* configure.in: try to handle sys/strtty.h needing sys/stream.h

2004-03-23 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, it's no
longer used

* kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/

* lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to
external users by prefixing it with _

* lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/

* lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external
users by prefixing it with _

2004-03-22 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: add missing }

2004-03-21 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: adapt to change of signature of
_krb5_pk_load_openssl_id

* lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add
prompter argument and use it

* kuser/kinit.c: adapt to signature change of
krb5_get_init_creds_opt_set_pkinit

* lib/krb5/krb5.3: add more stuff, 105 functions to go

* lib/krb5/krb5_rcache.3: add krb5_get_server_rcache

* lib/krb5/krb5_rcache.3: framework for replay cache manpage

* lib/krb5/krb5_string_to_key.3: document string to key functions

* lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3
krb5_find_padata.3 krb5_generate_random_block.3

* lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length

* lib/krb5/krb5.3: add some more, 137 to go

* lib/krb5/krb5_principal.3: document krb5_get_default_principal

* lib/krb5/krb5_keyblock.3: document krb5_generate_subkey

* lib/krb5/krb5_generate_random_block.3: document
krb5_generate_random_block

* lib/krb5/krb5_find_padata.3: document padata functions

* lib/krb5/krb5.3: add some more, 142 to go

* lib/krb5/krb5_creds.3: drop .Pp before .Sh

* lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm

* lib/krb5/krb5_expand_hostname.3: document krb5_expand_hostname
and krb5_expand_hostname_realms

* lib/krb5/krb5.3: add more functions, 147 to go

* lib/krb5/krb5_creds.3: document krb5_creds

* lib/krb5/krb5_get_init_creds.3: add more functions, some more
text

* lib/krb5/krb5_ticket.3: document
krb5_ticket_get_authorization_data_type

2004-03-20 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/aes-test.c: remove #if 0'ed code

* lib/krb5/krb5.3: add keyblock functions, 177 functions to go

* lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache

* lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket

* lib/krb5/krb5_config.3: document krb5_config_free_strings and
krb5_config_file_free

* lib/krb5/krb5_create_checksum.3: add krb5_hmac

* lib/krb5/krb5.3: add keyblock functions, 190 functions to go

* lib/krb5/krb5_keyblock.3: update .Dd

* lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and
krb5_generate_random_keyblock

* lib/krb5/krb5_init_context.3: add krb5_init_ets

* lib/krb5/krb5_config.3: add more krb5_config_ functions and
prototypes

* lib/krb5/krb5_init_context.3: document context modification
functions: address list, config file, use admin kdc, fcc version

* lib/krb5/krb5_storage.3: document krb5_storage and related
functions

* lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc
manpages and test_acl test program

* lib/krb5/krb5.3: add error string functions and sort

* lib/krb5/krb5_warn.3: document krb5_abort and error string
functions

* lib/krb5/krb5.3: add missing functions, only 285 left to
document

* lib/krb5/krb5_crypto_init.3: remove various enctype related
function

* lib/krb5/krb5_encrypt.3: add various enctype related function
here

* lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid
krb5_cksumtype_valid

* lib/krb5/crypto.c: real return values for
krb5_{enctype,cksumtype}_valid

* lib/krb5/krb5_create_checksum.3: add some functions and
descriptions

* lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions

* lib/krb5/krb5_auth_context.3: document
krb5_auth_con_generatelocalsubkey

* lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags

* lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name

* lib/krb5/krb5_init_context.3: document krb5_add_et_list

* lib/krb5/krb524_convert_creds_kdc.3: document
krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache

* lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_*

* lib/krb5/test_acl.c: test for generic acl code

* lib/krb5/acl.c: plug memory leak on file matching,
make it not fall over when no non matching acl,
make fnmatch matching useful by switching arguments

2004-03-19 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/config.c: add --builtin-hdb command

* lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin
backends

* doc/setup.texi: include Luke Howard of PADL.COM ldap hdb
documentation

* doc/win2k.texi: fix bugs in examples, add more restrictions, use
example.com as an example. From: Pavel Ferdan
<xferdan@informatics.muni.cz>

2004-03-18 Johan Danielsson <joda@pdc.kth.se>

* lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin]
password_lifetime; from Henry B. Hotz

2004-03-14 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY
is set send subkey
(generate if needed)

* lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY

2004-03-14 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks,
and free memory in error path, assume realloc(NULL, ...) works,
factor out common code, indent

2004-03-12 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/verify_krb5_conf.c: understand [password_quality]
spelling

* kuser/kgetcred.1: document --canonicalize

* kuser/kgetcred.c: add --canonicalize

2004-03-10 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/fcache.c (fcc_store_cred): NULL terminate
krb5_config_get_bool_default's arglist

2004-03-09 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply

* kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry

* kdc/pkinit.c: pass client hdb_entry to pk_check_client

* kdc/kdc_locl.h: pass client hdb_entry to pk_check_client

* kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since it's
more like that language in RFC3280

* lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since
it's more like that language in RFC3280

* lib/krb5/krb5.conf.5: document
[libdefaults]fcc-mit-ticketflags=boolean

* lib/krb5/fcache.c (fcc_store_cred): use
[libdefaults]fcc-mit-ticketflags=boolean to decide what format to
write the fcc in. Default to mit version (aka heimdal 0.7)

* lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and
_krb5_store_creds_heimdal_pre_0_7 that store the creds in just
that format make krb5_store_creds default to mit format

* lib/krb5/store.c (krb5_ret_creds): Runtime detect what the
higher bits of the bitfield are

2004-03-08 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/store.c (krb5_store_creds): add disabled code that
stores the ticket flags in reverse order
(bitswap32): new function

* lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags
are set, it's a mit cache, reverse the bits, bug pointed out by
Sergio Gelato <Sergio.Gelato@astro.su.se>

2004-03-07 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP *

* kuser/kinit.c: when running kinit with a subprocess, fetch new
tickets after half the ticket's lifetime

* lib/hdb/hdb.c: spelling

* lib/hdb/hdb-ldap.c: Integrate Heimdal's hdb-ldap and the Samba
password database. From: Andrew Bartlett <abartlet@samba.org>

* kdc/config.c: add --disable-DES

* kdc/kdc.8: document --detach and --disable-DES

* kdc/kerberos5.c: check if enctype is disabled before using it

* lib/krb5/crypto.c: add support for disabling checksum/encryption
types

* tools/kdc-log-analyze.pl: add more cases

* kdc/connect.c: on strange tcp error; log local port number and
socket type

* lib/asn1/der.h: fix prototype of encode_utf8string

* lib/asn1/gen.c: catch CHOICE and generate dummy placeholder

* lib/asn1/lex.l: added dummy parsing of CHOICE

* lib/asn1/parse.y: added dummy parsing of CHOICE

* lib/asn1/k5.asn1: drop SMTP_NAME

2004-03-06 Love Hörnquist Åstrand <lha@it.su.se>

* lib/hdb/Makefile.am: support building ldap backend as module
sort asn1 hdb files

* lib/hdb/hdb.c: when building ldap as a shared module, don't
include it in the list

* configure.in: add --enable-hdb-openldap-module

* lib/hdb/hdb-ldap.c: make ldap possible to build as a shared
module

* lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew
Bartlett <abartlet@samba.org>

* lib/krb5/crypto.c (decrypt_internal_special): do not modify
the original data, test case from Ronnie Sahlberg
<ronnie_sahlberg@ozemail.com.au>

2004-03-03 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/test_cc.c: more cc tests, mostly related to mcc
behavior

* lib/krb5/mcache.c (mcc_get_principal): also check for
primary_principal == NULL now that that isn't used as dead flag

* lib/krb5/mcache.c: don't overload the primary_principal == NULL
as dead since that doesn't always work. Based on patch from
Jeffrey Hutzelman <jhutz@cmu.edu>, tweaked by me

2004-02-22 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp

* lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp

* lib/hdb/db3.c: fix all db >= 4.1 cases

* doc/setup.texi: add text about hostname to realm mapping using
DNS

2004-02-20 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: update error codes

* lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_

* lib/krb5/pkinit.c: update error codes

2004-02-19 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort()

* lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling

* lib/krb5/store.c: handle memory allocate errors

* lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok,
and don't put an error in the error strings then

2004-02-13 Love Hörnquist Åstrand <lha@it.su.se>

* kdc/pkinit.c: s/heim_big_integer/heim_integer/

* lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/

* kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors

* lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT
errors

* lib/krb5/heim_err.et: add HEIM_PKINIT specific errors

2004-02-12 Love Hörnquist Åstrand <lha@it.su.se>

* configure.in: rename AC_WFLAGS to rk_WFLAGS

* acinclude.m4: use m4_define, over-quote string

2004-02-11 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/init_creds_pw.c (change_password): handle that
printf("%.*s", 0, (void*)NULL); doesn't work on solaris

2004-02-10 Love Hörnquist Åstrand <lha@it.su.se>

* kpasswd/kpasswd.c (change_password): handle that printf("%.*s",
0, (void*)NULL); doesn't work on solaris

* lib/krb5/krb5.conf.5: don't use paths in first .Nm, it confuses
some locate.updatedb, use FILES section to describe where the file
is instead.

2004-02-07 Love Hörnquist Åstrand <lha@it.su.se>

* lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned
for certain negative integers, it got the length wrong" , from
Panasas, Inc.

* lib/asn1/der_length.c: Fix len_unsigned for certain negative
integers, it got the length wrong, fix from Panasas, Inc.

rename len_int and len_unsigned to _heim_\&

* lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int

2004-02-06 Dave Love <d.love@dl.ac.uk>

* configure.in: Check for sys/socket.h, net/if.h. Modify term.h,
security/pam_appl.h tests.

2004-02-03 Love Hörnquist Åstrand <lha@it.su.se>

* lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add
up the size of all the elements, don't use just the size of the
last element.

* lib/krb5/aes-test.c: add "next iv" test for aes128, check
decryption case too

* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
the next to last block, fix decryption case too

* lib/krb5/aes-test.c: add "next iv" test for aes128

* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
the next to last block

* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
error

* lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
error

* lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1
encode error

* lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode
error

* lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1
encode error

* lib/krb5/build_auth.c (krb5_build_authenticator): abort on
internal asn1 encode error

* lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal
asn1 encode error

2004-01-30 Love Hörnquist Åstrand <lha@it.su.se>

* doc/setup.texi: some text about order of [capaths] realms

2004-01-25 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/context.c: register WRFILE ops

* lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE (same as FILE)

* lib/krb5/krb5.h: add krb5_wrfkt_ops

* kpasswd/kpasswdd.c (change): use the right password when
changing the password

2004-01-21 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it
means that the filesystem doesn't support locking

* lib/krb5/keytab.c: remove #if 0 out file locking code

2004-01-19 Love Hörnquist Åstrand <lha@it.su.se>

* lib/asn1/gen_length.c (length_type): TSequenceOf: add up the
size of all the elements, don't use just the size of the last
element.

2004-01-13 Love Hörnquist Åstrand <lha@it.su.se>

* kuser/kinit.c (renew_validate): if renewable_flag and not time
specified, use "1 month"

2004-01-08 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/krb5_keyblock.3: add prototypes, describe
krb5_keyblock_zero

2004-01-05 Love Hörnquist Åstrand <lha@it.su.se>

* lib/krb5/get_for_creds.c (add_addrs): don't add same address
multiple times

* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to
handle errors better for previous commit

* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets
are address-less, forward address-less tickets.

* lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and
export it
