xref: /freebsd-10.2-release/crypto/heimdal/ChangeLog

2004-04-01  Johan Danielsson  <joda@pdc.kth.se>

	* Release 0.6.1

2004-03-30  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kerberos4.c: 1.46: stop the client from renewing tickets
	into the future From: Jeffrey Hutzelman <jhutz@cmu.edu>
	
2004-03-10  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/fcache.c: 1.43: (fcc_store_cred): NULL terminate
	krb5_config_get_bool_default' arglist
	
2004-03-09  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: 1.44: document
	[libdefaults]fcc-mit-ticketflags=boolean 1.43: don't use path's in
	first .Nm, it confuses some locate.updatedb, use FILES section to
	describe where the file is instead.
	
	* lib/krb5/fcache.c (fcc_store_cred): default to use old format
	
	* lib/krb5/fcache.c: 1.42: (fcc_store_cred): use
	[libdefaults]fcc-mit-ticketflags=boolean to decide what format to
	write the fcc in. Default to mit format (aka heimdal 0.7 format)
	1.41: (_krb5_xlock): handle that everything was ok, and don't put
	an error in the error strings then
	
	* lib/krb5/store.c: 1.43: add _krb5_store_creds_heimdal_0_7 and
	_krb5_store_creds_heimdal_pre_0_7 that store the creds in just
	that format make krb5_store_creds default to mit format 1.42:
	(krb5_ret_creds): Runtime detect the what is the higher bits of
	the bitfield 1.41: (krb5_store_creds): add disabled code that
	store the ticket flags in reverse order (bitswap32): new function
	1.40: (krb5_ret_creds): if the higher ticket flags are set, its a
	mit cache, reverse the bits, bug pointed out by Sergio Gelato
	<Sergio.Gelato@astro.su.se>
	
	delta modfied to not change the behavior of krb5_store_creds
	
2004-03-07  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/mk_safe.c (krb5_mk_safe): fix assignment of usec2
	
2004-03-06  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/mcache.c: patch based on 1.17 and 1.18 but with
	threading code pulled out;
	
	1.18: (mcc_get_principal): also check for primary_principal ==
	NULL now that that isn't used as dead flag 1.17: don't overload
	the primary_principal == NULL as dead since that doesn't always
	work Based on patch from Jeffrey Hutzelman <jhutz@cmu.edu>, but
	tweek by me

	* lib/krb5/crypto.c: 1.94: (decrypt_internal_special): do not not
	modify the original data test case from Ronnie Sahlberg
	<ronnie_sahlberg@ozemail.com.au>

2004-02-13  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c: 1.22->1.23: (check_host): don't
	check for EAI_NODATA, because its depricated in RFC3493 Pointed
	out by Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss
	
	* lib/krb5/eai_to_heim_errno.c: 1.3->1.4: EAI_ADDRFAMILY and
	EAI_NODATA is deprecated in RFC3493

2004-02-09  Love H�rnquist �strand  <lha@it.su.se>

	* lib/asn1/der_length.c: 1.16: Fix len_unsigned for certain
	negative integers, it got the length wrong, fix from Panasas, Inc.
	
	* lib/asn1/der_locl.h: 1.5: add _heim_len_unsigned, _heim_len_int
	
2004-01-26  Love H�rnquist �strand  <lha@it.su.se>

	* lib/asn1/gen_length.c: 1.14: (length_type): TSequenceOf: add up
	the size of all the elements, don't use just the size of the last
	element.

	* lib/krb5/fcache.c: 1.40: (_krb5_xlock): catch EINVAL and assume
	that it means that the filesystem doesn't support locking 1.39:
	(_krb5_xlock): fix compile error in last commit 1.38: internally
	export x{,un}lock and thus prefix them with _krb5_
	
2004-01-13  Love H�rnquist �strand  <lha@it.su.se>

	* kuser/kinit.c: 1.106: (renew_validate): if renewable_flag and
	not time specifed, use "1 month"
	1.105: make -9 work again

2004-01-09  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/get_for_creds.c: 1.36: (add_addrs): don't increase
	addr->len until in contains interesting data, use right iteration
	counter when clearing the addresses 1.39: krb5_princ_realm ->
	krb5_principal_get_realm 1.38: (krb5_get_forwarded_creds): use
	KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded
	krb-cred 1.39: (krb5_get_forwarded_creds): If tickets are
	address-less, forward address-less tickets.  1.40:
	(krb5_get_forwarded_creds): try to handle errors better for
	previous commit 1.41: (add_addrs): don't add same address multiple
	times
	
	* lib/krb5/get_cred.c: 1.96->1.97: rename get_krbtgt to
	_krb5_get_krbtgt and export it

2003-12-14  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kerberos5.c: part of 1.146->1.147: handle NULL client/server
	names

2003-12-03  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/crypto.c: 1.90->1.91: require cipher-text to be padded
	to padsize 1.91->1.92: (decrypt_internal_derived): move up padsize
	check to avoid memory leak
	
2003-12-01  Love H�rnquist �strand  <lha@it.su.se>

	* kuser/kinit.c: 1.103->1.104: (main): return the return value
	from simple_execvp

2003-10-22  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/transited.c: 1.13->1.14: (krb5_domain_x500_encode):
	always zero out encoding to make sure it have a defined value on
	failure

	* lib/krb5/transited.c: 1.12->1.13: (krb5_domain_x500_encode): if
	num_realms == 0, set encoding and return (avoids malloc(0)) check
	return value from malloc
	
2003-10-21  Love H�rnquist �strand  <lha@it.su.se>

	* doc/setup.texi: 1.35->1.36: spelling
	
	* kdc/kdc_locl.h: 1.58->1.59: add flag to always check transited
	policy

	* doc/setup.texi: 1.27->1.35: many changes
	
	* lib/krb5/get_cred.c: 1.95->1.96: get capath info from [capaths]
	section

	* lib/krb5/rd_req.c: 1.50->1.51: (krb5_decrypt_ticket): try to
	verify transited realms, unless the transited-policy-checked flag
	is set

	* lib/krb5/transited.c:
	1.12: (krb5_domain_x500_decode): set *num_realms to zero not num_realms
	1.11: (krb5_domain_x500_decode): handle zero length tr data;
	(krb5_check_transited): new function that does more useful stuff

	* kdc/kdc.8: 1.23->1.24: document enforce-transited-policy
	
	* kdc/config.c: 1.47->1.48: add flag to always check transited
	policy

	* kdc/kerberos5.c:
	1.150: (fix_transited_encoding): also verify with policy,
	unless asked not to
	1.151: always check transited policy if flag set either globally
	(on principal part of patch not pulled up)
	1.152: (fix_transited_encoding): set transited type
	1.153: (fix_transited_encoding): always print cross-realm information

2003-10-06  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/config_file.c: 1.48->1.49:
	(krb5_config_parse_file_debug): punt if there is binding before a
	section declaration.
	Bug found by Arkadiusz Miskiewicz <arekm@pld-linux.org>

	* kdc/kaserver.c: 1.21->1.23:
	(do_getticket): if times data is shorter then 8 bytes, request is
	malformed.
	(do_authenticate): if request length is less then 8 bytes, its a
	bad request and fail. Pointed out by Marco Foglia <marco@foglia.org>

2003-09-22  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c: 1.17->1.18: add missing " within
	#if 0 From: stefan sokoll <stefansokoll@yahoo.de>
	
2003-09-19  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/rd_req.c:
	1.47->1.48: (krb5_rd_req): allow caller to pass in a key
	in the auth_context, they way processes that doesn't use the
	keytab can still pass in the key of the service (matches behavior
	of MIT Kerberos).
	
2003-09-18  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/crypto.c: 
	1.87->1.88: (usage2arcfour): simplify, only
	include special cases From: Luke Howard <lukeh@PADL.COM>
	1.86->1.87: (arcfour_checksum_p): return true when is arcfour,
	not when its not pointed out by Luke Howard
	1.82->1.83: Do the arcfour checksum mapping for
	krb5_create_checksum and krb5_verify_checksum, From: Luke Howard
	<lukeh@PADL.COM>
	1.81->1.82: (hmac): make it return an error
	when out of memory, update callsites to either return error or use
	krb5_abortx
	(krb5_hmac): expose hmac
	* lib/krb5/mk_req_ext.c: 1.26->1.27: (krb5_mk_req_internal):
	when using arcfour-hmac-md5, use an unkeyed checksum
	(rsa-md5), since Microsoft calculates the keyed checksum with
	the subkey of the authenticator.

	* lib/krb5/get_cred.c:
	1.93->1.94 (init_tgs_req): make generation of subkey
	optional on configuration parameter
	[realms]realm={tgs_require_subkey=bool}
	defaults to off. The RFC1510 weakly defines the correct behavior,
	so old DCE secd apparently required the subkey to be there, and MS
	will use it when its there. But the request isn't encrypted in the
	subkey, so you get to choose if you want to talk to a MS mdc or a
	old DCE secd.

	partly 1.91->1.92: (init_tgs_req): in case of error, don't
	free in	the req_body addresses since they where pass in by caller

	lib/krb5/get_in_tkt.c:
	1.108->1.1.09: (krb5_get_in_tkt): for compatibility with with
	the mit implemtation, don't free `creds' argument when done, its up
	the the caller to do that, also allow a NULL ccache.

	* doc/ack.texi
	1.16->1.17: update Luke Howard email address

	* lib/hdb/hdb-ldap.c:
	1.13->1.14: code rewrite from Luke Howard <lukeh@PADL.COM>
	1.12->1.13: (LDAP_store): log what principal/dn failed
	1.11->1.12: use int2HDBFlags/HDBFlags2int
	From: Alberto Patino <jalbertop@aranea.com.mx>, 
	Luke Howard <lukeh@PADL.COM>
	Pointed out by Andrew Bartlett of Samba
	1.10->1.11: (LDAP__connect): bind sasl "EXTERNAL" to ldap connection
	(LDAP_store): remove superfluous argument to asprintf
	From Alberto Patino <jalbertop@aranea.com.mx>

	* lib/krb5/krb5.h:
	1.214->1.2015: add KEYTYPE_ARCFOUR_56
	
2003-09-12  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/config_file.c: fix prototypes Fredrik Ljungberg
	<flag@pobox.se>
	
2003-09-11  Love H�rnquist �strand  <lha@it.su.se>

	* lib/hdb/hdb_locl.h: 1.18->1.19: include <limits.h> for ULONG_MAX
	noted by Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss
	
2003-08-29  Love H�rnquist �strand  <lha@it.su.se>

	* lib/hdb/db3.c: 1.8->1.9: patch for working with DB4 on
	heimdal-discuss From: Luke Howard <lukeh@PADL.COM> 1.9->1.10: try
	to include more db headers
	
2003-08-25  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/connect.c: 1.92->1.93 (handle_tcp): handle recvfrom
	returning 0 (connection closed) 1.91->1.92: (grow_descr):
	increment the size after we succeed to allocate the space
	
2003-08-15  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/principal.c: 1.83->1.85: (unparse_name): len can't be
	zero, so, don't check for that
	(unparse_name): make sure there are space for a NUL, set *name to NULL
	when there is a failure (so caller can't get hold of a freed
	pointer)

2003-05-08  Johan Danielsson  <joda@ratatosk.pdc.kth.se>

	* Release 0.6

2003-05-08  Love H�rnquist �strand  <lha@it.su.se>

	* kuser/klist.c: 1.68->1.69: print tokens even if there isn't v4
	support

	* kuser/kdestroy.c: 1.14->1.15: destroy tokens even if there isn't
	v4 support

	* kuser/kinit.c: 1.90->1.91: print tokens even if there isn't v4
	support

2003-05-06  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/name-45-test.c: need to use empty krb5.conf for some
	tests

	* lib/asn1/check-gen.c: there is no \e escape sequence; replace
	everything with hex-codes, and cast to unsigned char* to make some
	compilers happy

2003-05-06  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first
	argument to krb5_us_timeofday have correct type
	
2003-05-05  Assar Westerlund  <assar@kth.se>

	* include/make_crypto.c (main): include aes.h if ENABLE_AES

2003-05-05  Love H�rnquist �strand  <lha@it.su.se>

	* NEWS: 1.108->1.110: fix text about gssapi compat
	
2003-04-28  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/v4_dump.c: 1.4->1.5: (v4_prop_dump): limit strings length,
	from openbsd

2003-04-24  Love H�rnquist �strand  <lha@it.su.se>

	* doc/programming.texi: 1.2-1.3: s/managment/management/, from jmc
	<jmc@prioris.mini.pw.edu.pl>

2003-04-22  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krbhst.c: 1.43->1.44: copy NUL too, from janj@wenf.org
	via openbsd

2003-04-17  Love H�rnquist �strand  <lha@it.su.se>

	* lib/asn1/der_copy.c (copy_general_string): use strdup
	* lib/asn1/der_put.c: remove sprintf
	* lib/asn1/gen.c: remove strcpy/sprintf
	
	* lib/krb5/name-45-test.c: use a more unique name then ratatosk so
	that other (me) have such hosts in the local domain and the tests
	fails, to take hokkigai.pdc.kth.se instead
	
	* lib/krb5/test_alname.c: add --version and --help
	
2003-04-16  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5_warn.3: add krb5_get_err_text
	
	* lib/krb5/transited.c: use strlcat/strlcpy, from openbsd
	* lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd
	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
	strlcpy, from openbsd
	* kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd
	* appl/kf/kfd.c: use strlcpy, from openbsd
	
2003-04-16  Johan Danielsson  <joda@pdc.kth.se>

	* configure.in: fix for large file support in AIX, _LARGE_FILES
	needs to be defined on the command line, since lex likes to
	include stdio.h before we get to config.h

2003-04-16  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h,
	from Thomas Klausner <wiz@netbsd.org>
	
	* lib/krb5/krb5.conf.5: spelling, from Thomas Klausner
	<wiz@netbsd.org>

2003-04-15  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kerberos5.c: fix some more memory leaks
	
2003-04-11  Love H�rnquist �strand  <lha@it.su.se>

	* appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
	
2003-04-08  Love H�rnquist �strand  <lha@it.su.se>

	* admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl>
	
2003-04-06  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5.3: s/kerberos/Kerberos/
	* lib/krb5/krb5_data.3: s/kerberos/Kerberos/
	* lib/krb5/krb5_address.3: s/kerberos/Kerberos/
	* lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/
	* lib/krb5/krb5.conf.5: s/kerberos/Kerberos/
	* kuser/kinit.1: s/kerberos/Kerberos/
	* kdc/kdc.8: s/kerberos/Kerberos/
	
2003-04-01  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/test_alname.c: more krb5_aname_to_localname tests
	
	* lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when
	converting too root, make sure user is ok according to
	krb5_kuserok before allowing it.

	* lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname
	
	* lib/krb5/test_alname.c: add test for krb5_aname_to_localname
	
	* lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1
	instead of the "illegal" salt #~, same change as kth-krb did
	1999. Problems occur with crypt() that behaves like AT&T crypt
	(openssl does this). Pointed out by Marcus Watts.

	* admin/change.c (kt_change): collect all principals we are going
	to change, and pick the highest kvno and use that to guess what
	kvno the resulting kvno is going to be. Now two ktutil change in a
	row works. XXX fix the protocol to pass the kvno back.
	
2003-03-31  Love H�rnquist �strand  <lha@it.su.se>

	* appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl>
	
2003-03-30  Love H�rnquist �strand  <lha@it.su.se>

	* doc/setup.texi: add description on how to turn on v4, 524 and
	kaserver support

2003-03-29  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog
	and afs-use-524

2003-03-28  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kerberos5.c (as_rep): when the second enctype_to_string
	failes, remember to free memory from the first enctype_to_string

	* lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2,
	from Harald Joerg <harald.joerg@fujitsu-siemens.com>
	(enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc

	* lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key
	length when key is longer then expected length, its probably
	longer since the encrypted data was padded, reported by Aidan
	Cully <aidan@kublai.com>

	* lib/krb5/crypto.c (krb5_enctype_keysize): return key size of
	encyption type, inspired by Aidan Cully <aidan@kublai.com>
	
2003-03-27  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0
	(wildcard kvno) after principal when the keytab entry isn't found,
	reported by Chris Chiappa <chris@chiappa.net>
	
2003-03-26  Love H�rnquist �strand  <lha@it.su.se>

	* doc/misc.texi: update 2b example to match reality (from
	mattiasa@e.kth.se)

	* doc/misc.texi: spelling and add `Configuring AFS clients'
	subsection

2003-03-25  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5.3: add krb5_free_data_contents.3
	
	* lib/krb5/data.c: add krb5_free_data_contents for compat with MIT
	API

	* lib/krb5/krb5_data.3: add krb5_free_data_contents for compat
	with MIT API
	
	* lib/krb5/krb5_verify_user.3: write more about how the ccache
	argument should be inited when used
	
2003-03-25  Johan Danielsson  <joda@pdc.kth.se>

	* lib/krb5/addr_families.c (krb5_print_address): make sure
	print_addr is defined for the given address type; make addrports
	printable

	* kdc/string2key.c: print the used enctype for kerberos 5 keys

2003-03-25  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/aes-test.c: add another arcfour test
	
2003-03-22  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5
	
2003-03-20  Love H�rnquist �strand  <lha@it.su.se>
	
	* lib/krb5/krb5_ccache.3: update .Dd

	* lib/krb5/krb5.3: sort in krb5_data functions

	* lib/krb5/Makefile.am (man_MANS): += krb5_data.3

	* lib/krb5/krb5_data.3: document krb5_data

	* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if
	prompter is NULL, don't try to ask for a password to
	change. reported by Iain Moffat @ ufl.edu via Howard Chu
	<hyc@highlandsun.com>

2003-03-19  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5_keytab.3: spelling, from
	<jmc@prioris.mini.pw.edu.pl>

	* lib/krb5/krb5.conf.5: . means new line
	
	* lib/krb5/krb5.conf.5: spelling, from
	<jmc@prioris.mini.pw.edu.pl>

	* lib/krb5/krb5_auth_context.3: spelling, from
	<jmc@prioris.mini.pw.edu.pl>

2003-03-18  Love H�rnquist �strand  <lha@it.su.se>

	* kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5
	
	* lib/krb5/convert_creds.c: add _krb5_krb_life_to_time
	
	* lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time

	* kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out
	#ifdef KRB4 from enable_v4_cross_realm since 524 needs it
	
	* kdc/config.c: 524 is independent of kerberos 4, so move out
	enable_v4_cross_realm from #ifdef KRB4 since 524 needs it
	
2003-03-17  Assar Westerlund  <assar@kth.se>

	* kdc/kdc.8: document --kerberos4-cross-realm
	* kdc/kerberos4.c: pay attention to enable_v4_cross_realm
	* kdc/kdc_locl.h (enable_v4_cross_realm): add
	* kdc/524.c (encode_524_response): check the enable_v4_cross_realm
	flag before giving out v4 tickets for foreign v5 principals
	* kdc/config.c: add --enable-kerberos4-cross-realm option (default
	to off)

2003-03-17  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3
	
	* lib/krb5/krb5_aname_to_localname.3: manpage for
	krb5_aname_to_localname

	* lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/
	
2003-03-16  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3

	* lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3

	* lib/krb5/krb5_set_default_realm.3: Manpage for
	krb5_free_host_realm, krb5_get_default_realm,
	krb5_get_default_realms, krb5_get_host_realm, and
	krb5_set_default_realm.

	* admin/ktutil.8: s/entype/enctype/, from Igor Sobrado
	<sobrado@acm.org> via NetBSD

	* lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type
	
	* lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab
	
	* lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix
	
	* lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more
	types, add krb5_fcc_ops and krb5_mcc_ops
	
	* lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for
	a id

2003-03-15  Love H�rnquist �strand  <lha@it.su.se>

	* doc/intro.texi: add reference to source code, binaries and the
	manual

	* lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal
	
2003-03-14  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/kdc.8: better/difrent english

	* kdc/kdc.8: . -> .\n, copyright/license
	
	* kdc/kdc.8: changed configuration file -> restart kdc

	* kdc/kerberos4.c: add krb4 into the most error messages written
	to the logfile

	* lib/krb5/krb5_ccache.3: add missing name of argument
	(krb5_context) to most functions

2003-03-13  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of
	function and return FALSE when there isn't a local account for
	`luser'.

	* lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text
	describing the function

2003-03-12  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name
	returned memory, don't return ENOMEM

2003-03-11  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5.3: add krb5_address stuff and sort
	
	* lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description
	
	* lib/krb5/Makefile.am (man_MANS): += krb5_address.3
	
	* lib/krb5/krb5_address.3: document types krb5_address and
	krb5_addresses and their helper functions

2003-03-10  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3

	* lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se

	* lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3

	* lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se
	
	* lib/krb5/krb5.3: add more functions
	
	* lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc
	functions

	* lib/krb5/krb5_kuserok.3: document krb5_kuserok
	
	* lib/krb5/krb5_verify_user.3: document
	krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior

	* lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and
	krb5_verify_user_opt

	* lib/krb5/*.[0-9]: add copyright/licenses on more manpages

	* kuser/kdestroy.c (main): handle that krb5_cc_default_name can
	return NULL

	* lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor
	(TESTS): add test_cc

	* lib/krb5/test_cc.c: test some
	krb5_cc_default_name/krb5_cc_set_default_name combinations
	
	* lib/krb5/context.c (init_context_from_config_file): set
	default_cc_name to NULL
	(krb5_free_context): free default_cc_name if set

	* lib/krb5/cache.c (krb5_cc_set_default_name): new function
	(krb5_cc_default_name): use krb5_cc_set_default_name

	* lib/krb5/krb5.h (krb5_context_data): add default_cc_name
	
2003-02-25  Love H�rnquist �strand  <lha@it.su.se>

	* appl/kf/kf.1: s/securly/securely/ from NetBSD
	
2003-02-18  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/connect.c: s/intialize/initialize, from
	<jmc@prioris.mini.pw.edu.pl>

2003-02-17  Love H�rnquist �strand  <lha@it.su.se>

	* configure.in: add AM_MAINTAINER_MODE
	
2003-02-16  Love H�rnquist �strand  <lha@it.su.se>

	* **/*.[0-9]: add copyright/licenses on all manpages

2003-14-16  Jacques Vidrine  <nectar@kth.se>

	* lib/krb5/get_in_tkt.c (init_as_req): Send only a single
	PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption
	type specified by the KDC.

2003-02-15  Love H�rnquist �strand  <lha@it.su.se>

	* fix-export: some autoconf put their version number in
	autom4te.cache, so remove autom4te*.cache
	
	* fix-export: make sure $1 is a directory
	
2003-02-04  Love H�rnquist �strand  <lha@it.su.se>

	* kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>

	* kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
	
2003-01-31  Love H�rnquist �strand  <lha@it.su.se>

	* kdc/hpropd.8: s/databases/a database/ s/Not/not/

	* kdc/hprop.8: add missing .
	
2003-01-30  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: documentation for of boolean, etypes,
	address, write out encryption type in sentences, s/Host/host
	
2003-01-26  Love H�rnquist �strand  <lha@it.su.se>

	* lib/asn1/check-gen.c: add checks for Authenticator too
	
2003-01-25  Love H�rnquist �strand  <lha@it.su.se>

	* doc/setup.texi: in the hprop example, use hprop and the first
	component, not host

	* lib/krb5/get_addrs.c (find_all_addresses): address-less
	point-to-point might not have an address, just ignore
	those. Reported by Harald Barth.

2003-01-23  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/verify_krb5_conf.c (check_section): when key isn't
	found, don't print out all known keys

	* lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity
	and facility start resp
	(check_log): find_value() returns -1 when key isn't found

	* lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a
	'const void *' to avoid AES_KEY being exposed in krb5-private.h
	
	* lib/krb5/krb5.conf.5: add [kdc]use_2b

	* kdc/524.c (encode_524_response): its 2b not b2
	
	* doc/misc.texi: quote @ where missing
	
	* lib/asn1/Makefile.am: add check-gen
	
	* lib/asn1/check-gen.c: add Principal check
	
	* lib/asn1/check-common.h: move generic asn1/der functions from
	check-der.c to here

	* lib/asn1/check-common.c: move generic asn1/der functions from
	check-der.c to here

	* lib/asn1/check-der.c: move out the generic asn1/der functions to
	a common file

2003-01-22  Love H�rnquist �strand  <lha@it.su.se>

	* doc/misc.texi: more text about afs, how to get get your KeyFile,
	and how to start use 2b tokens

	* lib/krb5/krb5.conf.5: spelling, from Jason McIntyre
	<jmc@cvs.openbsd.org>
	
2003-01-21  Jacques Vidrine  <nectar@kth.se>

	* kuser/kuser_locl.h: include crypto-headers.h for
	des_read_pw_string prototype

2003-01-16  Love H�rnquist �strand  <lha@it.su.se>

	* admin/ktutil.8: document -v, --verbose

	* admin/get.c (kt_get): make getarg usage consistent with other
	other parts of ktutil

	* admin/copy.c (kt_copy): remove adding verbose_flag to args
	struct, since it will overrun the args array (from Sumit Bose)
	
2003-01-15  Love H�rnquist �strand  <lha@it.su.se>

	* lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc =
	... }

	* lib/krb5/aes-test.c: test vectors in aes-draft
	
	* lib/krb5/Makefile.am: add aes-test.c

	* lib/krb5/crypto.c: Add support for AES
	(draft-raeburn-krb-rijndael-krb-02), not enabled by default.
	(HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify
	to support checksumtype that are have a shorter wireformat then
	their output block size.
	
	* lib/krb5/crypto.c (struct encryption_type): split the blocksize
	into blocksize and padsize, padsize is the minimum padding
	size. they are the same for now
	(enctype_*): add padsize
	(encrypt_internal): use padsize
	(encrypt_internal_derived): use padsize
	(wrapped_length): use padsize
	(wrapped_length_dervied): use padsize

	* lib/krb5/crypto.c: add extra `opaque' argument to string_to_key
	function for each enctype in preparation enctypes that uses
	`Encryption and Checksum Specifications for Kerberos 5' draft
	
	* lib/asn1/k5.asn1: add checksum and enctype for AES from
	draft-raeburn-krb-rijndael-krb-02.txt

	* lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128,
	KEYTYPE_AES256

2003-01-14  Love H�rnquist �strand  <lha@it.su.se>

	* lib/hdb/common.c (_hdb_fetch): handle error code from
	hdb_value2entry

	* kdc/Makefile.am: always include kerberos4.c and 524.c in
	kdc_SOURCES to support 524

	* kdc/524.c: always compile in support for 524
	
	* kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4
	
	* kdc/config.c: always compile in support for 524
	
	* kdc/connect.c: always compile in support for 524
	
	* kdc/kerberos4.c: export encode_v4_ticket() and get_des_key()
	even when we build without kerberos 4, 524 needs them
	
	* lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out
	Kerberos 4 help functions/structures so other parts of the source
	tree can use it (like the KDC)