12008-01-24  Love H�rnquist �strand  <lha@it.su.se>
2
3	* Release 1.1
4
52008-01-21  Love H�rnquist �strand  <lha@it.su.se>
6
7	* lib/krb5/get_for_creds.c: Use on variable less.
8
9	* lib/krb5/get_for_creds.c: Try to handle ticket full and
10	ticketless tickets better. Add doxygen comments while here.
11
12	* lib/krb5/test_forward.c: Used for testing
13	krb5_get_forwarded_creds().
14	
15	* lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward
16
17	* lib/krb5/Makefile.am: drop CHECK_SYMBOLS
18
19	* lib/hdb/Makefile.am: drop CHECK_SYMBOLS
20
21	* kdc/Makefile.am: drop CHECK_SYMBOLS
22
232008-01-18  Love H�rnquist �strand  <lha@it.su.se>
24
25	* lib/krb5/version-script.map: Add krb5_digest_probe.
26	
272008-01-13  Love H�rnquist �strand  <lha@it.su.se>
28	
29	* lib/krb5/pkinit.c: Replace hx509_name_to_der_name with
30	hx509_name_binary.
31
322008-01-12  Love H�rnquist �strand  <lha@it.su.se>
33
34	* lib/krb5/Makefile.am: add missing files
35
362007-12-28  Love H�rnquist �strand  <lha@it.su.se>
37
38	* kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the
39	type2 message.
40
412007-12-14  Love H�rnquist �strand  <lha@it.su.se>
42
43	* lib/hdb/dbinfo.c: Add hdb_default_db().
44
45	* Makefile.am: Add some extra cf/*.
46
472007-12-12  Love H�rnquist �strand  <lha@it.su.se>
48	
49	* kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov.
50
512007-12-09  Love H�rnquist �strand  <lha@it.su.se>
52
53	* kdc/log.c: Use hdb_db_dir().
54
55	* kpasswd/kpasswdd.c: Use hdb_db_dir().
56
572007-12-08  Love H�rnquist �strand  <lha@it.su.se>
58	
59	* kdc/config.c: Use hdb_db_dir().
60
61	* kdc/kdc_locl.h: add KDC_LOG_FILE
62
63	* kdc/hpropd.c: Use hdb_default_db().
64
65	* kdc/kstash.c: Use hdb_db_dir().
66
67	* kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir().
68
69	* lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check.
70
71	* lib/krb5/verify_krb5_conf.c: Check check_pac.
72
73	* lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac
74	field in the krb5_rd_req_in_ctx
75
76	* lib/krb5/expand_hostname.c: Adapt to changing
77	dns_canonicalize_hostname into flags field.
78
79	* lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname
80	into flags field, add check-pac as an libdefaults option.
81
82	* lib/krb5/pkinit.c: Adapt to changes in hx509 interface.
83
84	* doc: add doxygen documentation to hcrypto
85
86	* doc/doxytmpl.dxy: generate links
87	
882007-12-07  Love H�rnquist �strand  <lha@it.su.se>
89
90	* lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h
91
92	* lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the
93	hdb database resides.
94
95	* configure.in: Add --with-hdbdir to specify where the database is
96	stored.
97
98	* lib/krb5/crypto.c: revert previous patch, the problem is located
99	in the RAND_file_name() function that will cause recursive nss
100	lookups, can't fix that here.
101
1022007-12-06  Love H�rnquist �strand  <lha@it.su.se>
103
104	* lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the
105	dead-lock in by not holding the lock while running
106	RAND_file_name. Prompted by Hai Zaar.
107
108	* lib/krb5/n-fold.c: spelling
109	
1102007-12-04  Love H�rnquist �strand  <lha@it.su.se>
111
112	* kuser/kdigest.c (digest-probe): implement command.
113
114	* kuser/kdigest-commands.in (digest-probe): new command
115	
116	* kdc/digest.c: Implement supportedMechs request.
117
118	* lib/krb5/error_string.c: Make krb5_get_error_string return an
119	allocated string to make the function indempotent. From
120	Zeqing (Fred) Xia.
121
1222007-12-03  Love H�rnquist �strand  <lha@it.su.se>
123
124	* lib/krb5/krb5_locl.h (krb5_context_data): Flag if
125	default_cc_name was set by the user.
126
127	* lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate.
128
129	* kcm/acquire.c: use krb5_free_cred_contents
130
131	* kuser/kimpersonate.c: use krb5_free_cred_contents
132	
133	* kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the
134	cred cache.
135
136	* lib/krb5/cache.c: Put back code that was needed, move gen_new
137	into new_unique.
138
139	* lib/krb5/mcache.c (mcc_default_name): Remove const
140
141	* lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine
142	KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE
143
144	* lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the
145	default name.
146
147	* lib/krb5/kcm.c: Implement krb5_cc_ops->default_name.
148
149	* lib/krb5/mcache.c: Implement krb5_cc_ops->default_name.
150
151	* lib/krb5/fcache.c: Implement krb5_cc_ops->default_name.
152
153	* lib/krb5/krb5.h: Add krb5_cc_ops->default_name.
154
155	* lib/krb5/acache.c: Free context when done, implement
156	krb5_cc_ops->default_name.
157
158	* lib/krb5/kcm.c: implement dummy kcm_move
159
160	* lib/krb5/mcache.c: Implement the move operation.
161
162	* lib/krb5/version-script.map: export krb5_cc_move
163
164	* lib/krb5/cache.c: New function krb5_cc_move().
165
166	* lib/krb5/fcache.c: Implement the move operation.
167
168	* lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major
169	version bump.
170
171	* lib/krb5/acache.c: Implement the move operation. Avoid using
172	cc_set_principal() since it broken on Mac OS X 10.5.0.
173	
1742007-12-02  Love H�rnquist �strand  <lha@it.su.se>
175
176	* lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow.
177	
1782007-11-14  Love H�rnquist �strand  <lha@it.su.se>
179
180	* kdc/krb5tgs.c: Should pass different key usage constants
181	depending on whether or not optional sub-session key was passed by
182	the client for the check of authorization data. The constant is
183	used to derive "specific key" and its values are specified in
184	7.5.1 of RFC4120.
185	
186	Patch from Andy Polyakov.
187
188	* kdc/krb5tgs.c: Don't send auth data in referrals, microsoft
189	clients have started to not like that. Thanks to Andy Polyakov for
190	excellent research.
191
1922007-11-11  Love H�rnquist �strand  <lha@it.su.se>
193
194	* lib/krb5/creds.c: use krb5_data_cmp
195
196	* lib/krb5/acache.c: use krb5_free_cred_contents
197
198	* lib/krb5/test_renew.c: use krb5_free_cred_contents
199	
2002007-11-10  Love H�rnquist �strand  <lha@it.su.se>
201
202	* lib/krb5/acl.c: doxygen documentation
203
204	* lib/krb5/addr_families.c: doxygen documentation
205
206	* doc: add doxygen
207
208	* lib/krb5/plugin.c: doxygen documentation
209
210	* lib/krb5/kcm.c: doxygen documentation
211
212	* lib/krb5/fcache.c: doxygen documentation
213
214	* lib/krb5/cache.c: doxygen documentations
215	
216	* lib/krb5/doxygen.c: doxygen introduction
217
218	* lib/krb5/error_string.c: Doxygen documentation.
219
2202007-11-03  Love H�rnquist �strand  <lha@it.su.se>
221
222	* lib/krb5/test_plugin.c: expose krb5_plugin_register
223
224	* lib/krb5/plugin.c: expose krb5_plugin_register
225
226	* lib/krb5/version-script.map: sort, expose krb5_plugin_register
227
2282007-10-24  Love H�rnquist �strand  <lha@it.su.se>
229
230	* kdc/kerberos5.c: Adding same enctype is enough one time. From
231	Andy Polyakov and Bjorn Sandell.
232	
2332007-10-18  Love  <lha@stacken.kth.se>
234
235	* lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value
236	from krb5_cc_start_seq_get. From Zeqing (Fred) Xia
237	
238	* lib/krb5/fcache.c (init_fcc): provide better error codes
239
240	* kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid
241	sending warning about pruned etypes.
242
243	* kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour
244	based) "old", this to support windows 2000 clients (unjoined to a
245	domain). From Andy Polyakov.
246
2472007-10-07  Love H�rnquist �strand  <lha@it.su.se>
248
249	* doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell.
250	
2512007-10-04  Love H�rnquist �strand  <lha@it.su.se>
252
253	* kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA
254	Ken'ichi.
255
256	* lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is
257	NULL on failure.
258
2592007-10-03  Love H�rnquist �strand  <lha@it.su.se>
260
261	* kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from
262	krb5_addr2sockaddr and igore thte test is that case.
263	
2642007-09-29  Love H�rnquist �strand  <lha@it.su.se>
265
266	* lib/krb5/context.c (krb5_free_context): free
267	default_cc_name_env, from Gunther Deschner.
268
2692007-08-27  Love H�rnquist �strand  <lha@it.su.se>
270
271	* lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make
272	work with c++, reported by Hai Zaar
273
274	* lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar
275
2762007-08-20  Love H�rnquist �strand  <lha@it.su.se>
277
278	* lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema
279
2802007-07-31  Love H�rnquist �strand  <lha@it.su.se>
281
282	* check return value of alloc functions, from Charles Longeau
283
284	* lib/krb5/principal.c: spelling.
285
286	* kadmin/kadmin.8: spelling
287
288	* lib/krb5/crypto.c: Check return values from alloc
289	functions. Prompted by patch of Charles Longeau.
290
291	* lib/krb5/n-fold.c: Make _krb5_n_fold return a error
292	code. Prompted by patch of Charles Longeau.
293
2942007-07-27  Love H�rnquist �strand  <lha@it.su.se>
295
296	* lib/krb5/init_creds.c: Always set the ticket options, use
297	KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset
298	tri-state not so useful.
299
3002007-07-24  Love H�rnquist �strand  <lha@it.su.se>
301
302	* tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of
303	libraries.
304
305	* tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in
306	heimdal.
307
308	* tools/Makefile.am: Add heimdal-gssapi.pc and install it into
309	$(libdir)/pkgconfig
310
3112007-07-23  Love H�rnquist �strand  <lha@it.su.se>
312
313	* lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default.
314
3152007-07-22  Love H�rnquist �strand  <lha@it.su.se>
316
317	* lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as
318	key if the entry is a correct entry.
319
320	* lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from
321	Gunther Deschner.
322
323	* lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS.
324
325	* lib/krb5/test_renew.c: Test for krb5_get_renewed_creds.
326
3272007-07-21  Love H�rnquist �strand  <lha@it.su.se>
328
329	* lib/hdb/keys.c: Make parse_key_set handle key set string "v5",
330	from Peter Meinecke.
331
332	* kdc/kaserver.c: Don't ovewrite the error code, from Peter
333	Meinecke.
334
3352007-07-18  Love H�rnquist �strand  <lha@it.su.se>
336
337	* TODO-1.0: remove 
338
339	* Makefile.am: remove TODO-1.0
340
3412007-07-17  Love H�rnquist �strand  <lha@it.su.se>
342
343	* Heimdal 1.0 release branch cut here
344	
345	* doc/hx509.texi: use version.texi
346	
347	* doc/heimdal.texi: use version.texi
348	
349	* doc/version.texi: version.texi
350
351	* lib/hdb/db3.c: avoid type-punned pointer warning.
352
353	* kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to
354	please OpenSSL and gcc.
355
356	* kdc/digest.c: Use unsigned char * as argument to MD5_Update to
357	please OpenSSL and gcc.
358
3592007-07-16  Love H�rnquist �strand  <lha@it.su.se>
360
361	* include/Makefile.am: Add krb_err.h.
362
363	* kdc/set_dbinfo.c: Print acl file too.
364
365	* kdc/kerberos4.c: Error codes are just fine, remove XXX now.
366
367	* lib/krb5/krb5-v4compat.h: Drop duplicate error codes.
368
369	* kdc/kerberos4.c: switch to ET errors.
370
371	* lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ.
372
373	* lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the
374	et BASE.
375
3762007-07-15  Love H�rnquist �strand  <lha@it.su.se>
377
378	* lib/krb5/krb5-v4compat.h: Include "krb_err.h".
379
380	* lib/krb5/v4_glue.c: return more interesting error codes.
381
382	* lib/krb5/plugin.c: Prefix enum plugin_type.
383
384	* lib/krb5/krb5_locl.h: Expose plugin structures.
385	
386	* lib/krb5/krb5.h: Add plugin structures.
387
388	* lib/krb5/krb_err.et: V4 errors.
389
390	* lib/krb5/version-script.map: First version of version script.
391
3922007-07-13  Love H�rnquist �strand  <lha@it.su.se>
393
394	* kdc/kerberos5.c: Java 1.6 expects the name to be the same type,
395	lets allow that for uncomplicated name-types.
396
3972007-07-12  Love H�rnquist �strand  <lha@it.su.se>
398
399	* lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains
400	address 0, its ticket less and don't really care about
401	from_addr. return better error codes.
402
403	* kpasswd/kpasswdd.c: Fix pointer vs strict alias rules.
404
4052007-07-11  Love H�rnquist �strand  <lha@it.su.se>
406
407	* lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding
408	more then one enctype 23 to krb5EncryptionType.
409
410	* lib/krb5/cache.c: Spelling.
411
412	* kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO.
413	(get_pa_etype_info2): return the enctypes as sorted in the
414	database
415
4162007-07-10  Love H�rnquist �strand  <lha@it.su.se>
417
418	* kuser/kinit.c: krb5-v4compat.h defines prototypes for
419	v4 (semiprivate functions) in libkrb5, don't include
420	krb5-private.h any longer.
421
422	* lib/krb5/krbhst.c: Set error string when there is no KDC for a
423	realm.
424
425	* lib/krb5/Makefile.am: New library version.
426
427	* kdc/Makefile.am: New library version.
428
429	* lib/krb5/krb5_locl.h: Add default_cc_name_env.
430
431	* lib/krb5/cache.c (enviroment_changed): return non-zero if
432	enviroment that will determine default krb5cc name has changed.
433	(krb5_cc_default_name): also check if cached value is uptodate.
434
435	* lib/krb5/krb5_locl.h: Drop pkinit_flags.
436
4372007-07-05  Love H�rnquist �strand  <lha@it.su.se>
438
439	* configure.in: add tests/java/Makefile
440
441	* lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file.
442
4432007-07-04  Love H�rnquist �strand  <lha@it.su.se>
444
445	* kdc/kerberos5.c: Improve the default salt detection to avoid
446	returning v4 password salting to java that doesn't look at the
447	returning padata for salting.
448
449	* kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett
450
4512007-07-02  Love H�rnquist �strand  <lha@it.su.se>
452
453	* kdc/digest.c: Try harder to provide better error message for
454	digest messages.
455
456	* lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on
457	krb5-pr*.h, make -j finds this.
458	
4592007-06-28  Love H�rnquist �strand  <lha@it.su.se>
460
461	* kdc/digest.c: On success, print username, not ip-adress.
462
4632007-06-26  Love H�rnquist �strand  <lha@it.su.se>
464
465	* lib/krb5/get_cred.c: Add krb5_get_renewed_creds.
466
467	* lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds
468
469	* lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo.
470	
4712007-06-25  Love H�rnquist �strand  <lha@it.su.se>
472
473	* doc/setup.texi: Add example for pkinit_win2k_require_binding
474	in [kdc] section.
475
476	* kdc/default_config.c: Rename require_binding to
477	win2k_require_binding to match client configuration.
478
479	* kdc/default_config.c: Add [kdc]pkinit_require_binding option.
480
481	* kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply
482	if its not required.
483
484	* kdc/default_config.c: rename pkinit_princ_in_cert and add
485	pkinit_require_binding
486
487	* kdc/kdc.h: rename pkinit_princ_in_cert and add
488	pkinit_require_binding
489
490	* kdc/pkinit.c: rename pkinit_princ_in_cert
491
4922007-06-24  Love H�rnquist �strand  <lha@it.su.se>
493
494	* lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change.
495
4962007-06-21  Love H�rnquist �strand  <lha@it.su.se>
497
498	* kdc/krb5tgs.c: Drop unused variable.
499
500	* kdc/krb5tgs.c: disable anonyous tgs requests
501
502	* kdc/krb5tgs.c: Don't check PAC on cross realm for now.
503
504	* kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse
505	nametypes.
506
507	* lib/krb5/krb5_principal.3: Document krb5_parse_nametype.
508
509	* lib/krb5/principal.c (krb5_parse_nametype): parse nametype and
510	return their integer values.
511
512	* lib/krb5/krb5.h (krb5_get_creds): Add
513	KRB5_GC_CONSTRAINED_DELEGATION.
514
515	* lib/krb5/get_cred.c (krb5_get_creds): if
516	KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous
517	and constrained_delegation.
518
5192007-06-20  Love H�rnquist �strand  <lha@it.su.se>
520
521	* kdc/digest.c: Return an error message instead of dropping the
522	packet for more failure cases.
523
524	* lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY.
525
526	* appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more
527	gracefully
528	
5292007-06-18  Love H�rnquist �strand  <lha@it.su.se>
530
531	* lib/krb5/pac.c: make compile.
532	
533	* lib/krb5/pac.c (verify_checksum): memset cksum to avoid using
534	pointer from stack.
535
536	* lib/krb5/plugin.c: Don't expose free pointer.
537
538	* lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first
539	calloc.
540	
541	* lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory
542
543	* lib/krb5/krbhst.c: Host is static memory, don't free.
544
545	* lib/krb5/crypto.c (decrypt_internal_derived): make sure length
546	is longer then confounder + checksum.
547
548	* kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from
549	users. This to allows libkdc users to to specify their own
550	databases
551
552	* lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of
553	content data (and avoid leaking memory).
554
555	* kdc/misc.c (_kdc_db_fetch): set error string for failures.
556	
5572007-06-15  Love H�rnquist �strand  <lha@it.su.se>
558
559	* kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.
560
5612007-06-13  Love H�rnquist �strand  <lha@it.su.se>
562
563	* kdc/pkinit.c: tell user when they got a pk-init request with
564	pkinit disabled.
565
5662007-06-12  Love H�rnquist �strand  <lha@it.su.se>
567	
568	* lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to
569	UNPARSE_DISPLAY.
570
571	* lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY.
572
573	* lib/krb5/principal.c: Make no-quote mean replace strange chars
574	with space.
575
576	* lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.
577
578	* lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE.
579
580	* lib/krb5/test_princ.c: Test quoteing.
581
582	* lib/krb5/pkinit.c: update (c)
583	
584	* lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC.
585
586	* lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole
587	process needs to restart or just skip this KDC.
588
589	* lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to
590	KDC.
591
592	* lib/krb5/krb5.h: Add sendto hooks and opaque structure.
593
594	* lib/krb5/krb5_rd_error.3: Update prototype.
595
596	* lib/krb5/send_to_kdc.c: Add hooks for processing the reply from
597	the server.
598	
5992007-06-11  Love H�rnquist �strand  <lha@it.su.se>
600
601	* lib/krb5/krb5_err.et: Some new error codes from RFC 4120.
602	
6032007-06-09  Love H�rnquist �strand  <lha@it.su.se>
604
605	* kdc/krb5tgs.c: Constify.
606
607	* kdc/kerberos5.c: Constify.
608
609	* kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify.
610
6112007-06-08  Love H�rnquist �strand  <lha@it.su.se>
612
613	* include/Makefile.am: Make krb5-types.h nodist_include_HEADERS.
614
615	* kdc/Makefile.am: EXTRA_DIST += version-script.map.
616	
6172007-06-07  Love H�rnquist �strand  <lha@it.su.se>
618	
619	* Makefile.am (print-distdir): print name of dist
620
621	* kdc/pkinit.c: Break out loading of mappings file to a separate
622	function and remove warning that it can't open the mapping file,
623	there are now mappings in the db, maybe the users uses that
624	instead...
625
626	* lib/krb5/crypto.c: Require the raw key have the correct size and
627	do away with the minsize.  Minsize was a thing that originated
628	from RC2, but since RC2 is done in the x509/cms subsystem now
629	there is no need to keep that around.
630
631	* lib/hdb/dbinfo.c: If there is no default dbname, also check for
632	unset mkey_file and set it default mkey name, make backward compat
633	stuff work.
634
635	* kdc/version-script.map: add new symbols
636
637	* kdc/kdc-replay.c: Also update krb5_context view of what the time
638	is.
639
640	* configure.in: add tests/can/Makefile
641
642	* kdc/kdc-replay.c: Add --[version|help].
643
644	* kdc/pkinit.c: Push down the kdc time into the x509 library.
645
646	* kdc/connect.c: Move up krb5_kdc_save_request so we can catch the
647	reply data too.
648
649	* kdc/kdc-replay.c: verify reply by checking asn1 class, type and
650	tag of the reply if there is one.
651
652	* kdc/process.c: Save asn1 class, type and tag of the reply if
653	there is one. Used to verify the reply in kdc-replay.
654
6552007-06-06  Love H�rnquist �strand  <lha@it.su.se>
656
657	* kdc/kdc_locl.h: extern for request_log.
658
659	* kdc/Makefile.am: Add kdc-replay.
660
661	* kdc/kdc-replay.c: Replay kdc messages to the KDC library.
662
663	* kdc/config.c: Pick up request_log from [kdc]kdc-request-log.
664
665	* kdc/connect.c: Option to save the request to disk.
666
667	* kdc/process.c (krb5_kdc_save_request): save request to file.
668
669	* kdc/process.c (krb5_kdc_process*): dont update _kdc_time
670	automagicly.
671	(krb5_kdc_update_time): set or get current kdc-time.
672
673	* kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and
674	pkauthdata as the signeddata oid
675	
676	* kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong.
677
6782007-06-05  Love H�rnquist �strand  <lha@it.su.se>
679	
680	* kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to
681	match windows DC behavior better.
682	
6832007-06-04  Love H�rnquist �strand  <lha@it.su.se>
684
685	* configure.in: use test for -framework Security
686
687	* appl/test/uu_server.c: Print status to stdout.
688
689	* kdc/digest.c (digest ntlm): provide log entires by setting ret
690	to an error.
691	
6922007-06-03  Love H�rnquist �strand  <lha@it.su.se>
693
694	* doc/hx509.texi: Indent crl-sign.
695
696	* doc/hx509.texi: One more crl-sign example.
697
698	* lib/krb5/test_princ.c: plug memory leaks.
699
700	* lib/krb5/pac.c: plug memory leaks.
701
702	* lib/krb5/test_pac.c: plug memory leaks.
703
704	* lib/krb5/test_prf.c: plug memory leak.
705
706	* lib/krb5/test_cc.c: plug memory leaks.
707
708	* doc/hx509.texi: Simple blob about publishing CRLs.
709
710	* doc/win2k.texi: drop text about enctypes.
711	
7122007-06-02  Love H�rnquist �strand  <lha@it.su.se>
713
714	* kdc/pkinit.c: In case of OCSP verification failure, referash
715	every 5 min. In case of success, refreash 2 min before expiring or
716	faster.
717	
7182007-05-31  Love H�rnquist �strand  <lha@it.su.se>
719	
720	* lib/krb5/krb5_err.et: add error 68, WRONG_REALM
721
722	* kdc/pkinit.c: Handle the ms san in a propper way, still cheat
723	with the realm name.
724
725	* kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out
726	directly and hand the error back to the client.
727
728	* lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE
729	and fix error message for CLIENT_NAME_MISMATCH.
730
731	* kdc/pkinit.c: More logging for pk-init client mismatch.
732
733	* kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for
734	windows pk-init (-9) to make MIT clients happy.
735	
7362007-05-30  Love H�rnquist �strand  <lha@it.su.se>
737	
738	* kdc/pkinit.c: Force des3 for win2k.
739
740	* kdc/pkinit.c: Add wrapping to ContentInfo wrapping to
741	COMPAT_WIN2K.
742
743	* lib/krb5/keytab_keyfile.c: Spelling.
744
745	* kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta
746	doesn't deal with case of realm.
747	
7482007-05-16  Love H�rnquist �strand  <lha@it.su.se>
749
750	* lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead
751	of encryption.
752	
7532007-05-10  Dave Love  <fx@gnu.org>
754	
755	* doc/win2k.texi: Update some URLs.
756
7572007-05-13  Love H�rnquist �strand  <lha@it.su.se>
758
759	* kuser/kimpersonate.c: Fix version number of ticket, it should be
760	5 not the kvno.
761	
7622007-05-08  Love H�rnquist �strand  <lha@it.su.se>
763
764	* doc/setup.texi: Salting is really Encryption types and salting.
765	
7662007-05-07  Love H�rnquist �strand  <lha@it.su.se>
767	
768	* doc/setup.texi: spelling, from Ronny Blomme
769
770	* doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny
771	Blomme
772	
7732007-05-02  Love H�rnquist �strand  <lha@it.su.se>
774
775	* lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database
776	specified, create one and let it use the defaults.
777	
7782007-04-27  Love H�rnquist �strand  <lha@it.su.se>
779	
780	* lib/hdb/test_dbinfo.c: test acl file
781
782	* lib/hdb/test_dbinfo.c: test acl file
783
784	* lib/hdb/dbinfo.c: add acl file
785
786	* etc: ignore Makefile.in
787
788	* Makefile.am: SUBDIRS += etc
789
790	* configure.in: Add etc/Makefile.
791
792	* etc/Makefile.am: make sure services.append is distributed
793
7942007-04-24  Love H�rnquist �strand  <lha@it.su.se>
795
796	* kdc: rename windc_init to krb5_kdc_windc_init
797
798	* kdc/version-script.map: version script for libkdc
799	
800	* kdc/Makefile.am: version script for libkdc
801	
8022007-04-23  Love H�rnquist �strand  <lha@it.su.se>
803
804	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error):
805	correct the order of the arguments.
806
807	* lib/hdb/Makefile.am: Add and test dbinfo.
808
809	* lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo;
810
811	* kdc/config.c: Use krb5_kdc_get_config and just fill in what the
812	users wanted differently.
813
814	* kdc/default_config.c: Make the default configuration fetch info
815	from the krb5.conf.
816	
8172007-04-22  Love H�rnquist �strand  <lha@it.su.se>
818
819	* lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
820	determine if to send the session-key, for the second place in the
821	function.
822
823	* tools/krb5-config.in: rename des to hcrypto
824
825	* kuser/Makefile.am: depend on libheimntlm
826
827	* kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for
828	this domain if the Kerberos password auth worked.
829
830	* kuser/klist.c: add new option --hidden that doesn't display
831	principal that starts with @
832
833	* tools/krb5-config.in: Add heimntlm when we use gssapi.
834
835	* lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to
836	free 'cred' with.
837
838	* lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free
839	'cred' with.
840	
8412007-04-21  Love H�rnquist �strand  <lha@it.su.se>
842
843	* lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to
844	determine if to send the session-key.
845
846	* kcm/client.c (kcm_ccache_new_client): make root be able to pass
847	the name constraints, not the opposite. From Bryan Jacobs.
848	
8492007-04-20  Love H�rnquist �strand  <lha@it.su.se>
850
851	* kcm/acl.c: make compile again.
852
853	* kcm/client.c: fix warning.
854	
855	* kcm: First, it allows root to ignore the naming conventions.
856	Second, it allows root to always perform any operation on any
857	ccache.  Note that root could do this anyway with FILE ccaches.
858	From Bryan Jacobs.
859
860	* Rename libdes to libhcrypto.
861
8622007-04-19  Love H�rnquist �strand  <lha@it.su.se>
863
864	* kinit: remove code that depend on kerberos 4 library
865	
866	* kdc: remove code that depend on kerberos 4 library
867	
868	* configure.in: Drop kerberos 4 support.
869
870	* kdc/hpropd.c (main): free the message when done with it.
871
872	* lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit):
873	remember to free memory too.
874
875	* lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when
876	done.
877
878	* configure.in: test rk_VERSIONSCRIPT
879	
8802007-04-18  Love H�rnquist �strand  <lha@it.su.se>
881
882	* fix-export: remove, all done by make dist now
883
8842007-04-15  Love H�rnquist �strand  <lha@it.su.se>
885
886	* lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre
887
8882007-04-11  Love H�rnquist �strand  <lha@it.su.se>
889
890	* kdc/kstash.8: Spelling, from raga <raga@comcast.net> 
891	via Bjorn Sandell.
892
893	* lib/krb5/store_mem.c: indent.
894
895	* lib/krb5/recvauth.c: Set error string.
896
897	* lib/krb5/rd_req.c: clear error strings.
898
899	* lib/krb5/rd_cred.c: clear error string.
900
901	* lib/krb5/pkinit.c: Set error strings.
902
903	* lib/krb5/get_cred.c: Tell what principal we are not finding for
904	all KRB5_CC_NOTFOUND.
905	
9062007-02-22  Love H�rnquist �strand  <lha@it.su.se>
907	
908	* kdc/kerberos5.c: Return the same error codes as a windows KDC.
909
910	* kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password
911	failed.
912	
913	* kdc/kerberos5.c: Make handling of replying e_data more generic,
914	from metze.
915
916	* kdc/kerberos5.c: Fix (string const and shadow) warnings, from
917	metze.
918
919	* lib/krb5/pac.c: Create the PAC element in the same order as
920	w2k3, maybe there's some broken code in windows which relies on
921	this... From metze.
922
923	* kdc/kerberos5.c: Select a session enctype from the list of the
924	crypto systems supported enctype, is supported by the client and
925	is one of the enctype of the enctype of the krbtgt.
926	
927	The later is used as a hint what enctype all KDC are supporting to
928	make sure a newer version of KDC wont generate a session enctype
929	that and older version of a KDC in the same realm can't decrypt.
930	
931	But if the KDC admin is paranoid and doesn't want to have "no the
932	best" enctypes on the krbtgt, lets save the best pick from the
933	client list and hope that that will work for any other KDCs.
934	
935	Reported by metze.
936
937	* kdc/hprop.c (propagate_database): on any failure, drop the
938	connection to the peer and try next one.
939	
9402007-02-18  Love H�rnquist �strand  <lha@it.su.se>
941
942	* lib/krb5/krb5_get_init_creds.3: document new options.
943
944	* kdc/krb5tgs.c: Only check service key for cross realm PACs.
945
946	* lib/krb5/init_creds.c: use the new merged flags field.
947	(krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k
948	compat flags.
949
950	* lib/krb5/init_creds_pw.c: use the new merged flags field.
951
952	* lib/krb5/krb5_locl.h: merge all flags into one entity
953	
9542007-02-11  Dave Love  <fx@gnu.org>
955	
956	* lib/krb5/krb5_aname_to_localname.3: Small fixes
957	
958	* lib/krb5/krb5_digest.3: Small fixes
959	
960	* kuser/kimpersonate.1: Small fixes
961
9622007-02-17  Love H�rnquist �strand  <lha@it.su.se>
963
964	* lib/krb5/init_creds_pw.c (find_pa_data): if there is no list,
965	there is no entry.
966
967	* kdc/krb5tgs.c: Don't check PACs on cross realm requests.
968
969	* lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES.
970
971	* lib/krb5/init_creds_pw.c: Verify client referral data.
972
973	* kdc/kerberos5.c: switch some "return ret" to "goto out".
974	
975	* kdc/kerberos5.c: Pass down canonicalize request to hdb layer,
976	sign client referrals.
977	
978	* lib/hdb/hdb.h: Add HDB_F_CANON.
979
980	* lib/hdb: add simple alias support to the database backends
981
9822007-02-16  Love H�rnquist �strand  <lha@it.su.se>
983
984	* kuser/kinit.c: Add canonicalize flag.
985
986	* lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support
987	canonicalize.
988
989	* lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize):
990	new function.
991	
992	* lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags.
993
994	* lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags.
995
996	* lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags.
997	
9982007-02-15  Love H�rnquist �strand  <lha@it.su.se>
999
1000	* lib/krb5/test_princ.c: test parsing enterprise-names.
1001
1002	* lib/krb5/principal.c: Add support for parsing enterprise-names.
1003
1004	* lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE.
1005
1006	* lib/hdb/hdb-ldap.c: Make work again.
1007	
10082007-02-11  Dave Love  <fx@gnu.org>
1009
1010	* kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value.
1011	
10122007-02-10  Love H�rnquist �strand  <lha@it.su.se>
1013	
1014	* doc/setup.texi: prune trailing space
1015
1016	* lib/hdb/db.c: Be better at setting and clearing error string.
1017
1018	* lib/hdb/hdb.c: Be better at setting and clearing error string.
1019
10202007-02-09  Love H�rnquist �strand  <lha@it.su.se>
1021
1022	* lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name
1023	to print out the keytab name.
1024
1025	* doc/setup.texi: Spelling, from Guido Guenther
1026	
10272007-02-08  Love H�rnquist �strand  <lha@it.su.se>
1028
1029	* lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen.
1030
10312007-02-06  Love H�rnquist �strand  <lha@it.su.se>
1032
1033	* lib/krb5/test_store.c (test_uint16): unsigned ints can't be
1034	negative
1035	
10362007-02-03  Love H�rnquist �strand  <lha@it.su.se>
1037
1038	* kdc/pkinit.c: pass extra flags for detached signatures.
1039
1040	* lib/krb5/pkinit.c: pass extra flags for detached signatures.
1041
1042	* kdc/digest.c: Remove debug output.
1043
1044	* kuser/kdigest.c: Add support for ms-chap-v2 client.
1045	
10462007-02-02  Love H�rnquist �strand  <lha@it.su.se>
1047		
1048	* kdc/digest.c: Fix ms-chap-v2 get_masterkey
1049
1050	* kdc/digest.c: Fix ms-chap-v2 mutual response auth code.
1051
1052	* kuser/kdigest.c: Print session key if there is one.
1053
1054	* lib/krb5/digest.c: rename hash-a1 to session key
1055
1056	* kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2
1057
1058	* kuser/kdigest.c: print rsp if there is one, from Klas.
1059
1060	* kdc/digest.c: Use right size, from Klas Lindfors.
1061
1062	* kuser/kdigest.c: Set client nonce if avaible, from Klas.
1063
1064	* kdc/digest.c: First version from kllin.
1065
1066	* kuser/kdigest.c: Don't restrict the type.
1067	
10682007-02-01  Love H�rnquist �strand  <lha@it.su.se>
1069	
1070	* kuser/kdigest-commands.in: add --client-response
1071
1072	* kuser/kdigest.c: Print status instead of response.
1073
1074	* kdc/digest.c: Better logging and return status = FALSE when
1075	checksum doesn't match.
1076
1077	* kdc/digest.c: Check the digest response in the KDC.
1078
1079	* lib/krb5/digest.c: New functions to send in requestResponse to
1080	KDC and get status of the request.
1081
1082	* kdc/digest.c: Add support for MS-CHAP v2.
1083
1084	* lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap.
1085	
10862007-01-31  Love H�rnquist �strand  <lha@it.su.se>
1087
1088	* fix-export: Make hx509.info too
1089
1090	* kdc/digest.c: don't verify identifier in CHAP, its the client
1091	that chooses it.
1092	
10932007-01-23  Love H�rnquist �strand  <lha@it.su.se>
1094
1095	* lib/krb5/Makefile.am: Basic test of prf.
1096
1097	* lib/krb5/test_prf.c: Basic test of prf.
1098
1099	* lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF
1100	functions.
1101
1102	* lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions.
1103
1104	* lib/krb5/krb5_data.3: Document krb5_data_cmp.
1105
1106	* lib/krb5/data.c: Add krb5_data_cmp.
1107	
11082007-01-20  Love H�rnquist �strand  <lha@it.su.se>
1109
1110	* kdc/kx509.c: Don't use C99 syntax.
1111	
11122007-01-17  Love H�rnquist �strand  <lha@it.su.se>
1113	
1114	* configure.in: its LIBADD_roken (and shouldn't really exist, our
1115	libtool usage it broken)
1116
1117	* configure.in: Add an extra variable for roken, LIBADD, that
1118	should be used for library depencies.
1119
1120	* lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer.
1121
1122	* lib/krb5/krb5_init_context.3: fix mdoc errors
1123
1124	* Heimdal 0.8 branch cut today
1125
1126	* doc/hx509.texi: Spelling and more about proxy certificates.
1127
1128	* configure.in: check for arc4random
1129	
11302007-01-16  Love H�rnquist �strand  <lha@it.su.se>
1131	
1132	* lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data
1133	before starting
1134
1135	* tools/heimdal-build.sh: make cvs keep quiet
1136
1137	* kuser/kverify.c: Use argument as principal if passed an
1138	argument. Bug report from Douglas E. Engert
1139	
11402007-01-15  Love H�rnquist �strand  <lha@it.su.se>
1141	
1142	* lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider
1143	the enc_tkt_in_skey case, from Douglas E. Engert.
1144
1145	* kdc/kx509.c: Issue certificates.
1146
1147	* kdc/config.c: Parse kx509/kca configuration.
1148
1149	* kdc/kdc.h: add kx509 config
1150	
11512007-01-14  Love H�rnquist �strand  <lha@it.su.se>
1152	
1153	* kdc/kerberos5.c (_kdc_find_padata): if there is not padata,
1154	there is nothing find.
1155
1156	* doc/hx509.texi: Examples for pk-init.
1157
1158	* doc/hx509.texi: About extending ca lifetime and sub cas.
1159	
11602007-01-13  Love H�rnquist �strand <lha@it.su.se>
1161	
1162	* doc/hx509.texi: More about certificates.
1163	
11642007-01-12  Love H�rnquist �strand  <lha@it.su.se>
1165
1166	* doc/hx509.texi: add Application requirements and write about
1167	xmpp/jabber.
1168	
11692007-01-11  Love H�rnquist �strand  <lha@it.su.se>
1170
1171	* doc/hx509.texi: More about issuing certificates.
1172
1173	* doc/hx509.texi: Start of a x.509 manual.
1174
1175	* include/Makefile.am: remove install headerfiles
1176
1177	* lib/krb5/test_pac.c: Use more interesting data to cause more
1178	errors.
1179
1180	* include/Makefile.am: remove install headerfiles
1181
1182	* lib/krb5/mcache.c: MCC_CURSOR not used, remove.
1183
1184	* lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used
1185
1186	* lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to
1187	allocate data
1188	
11892007-01-10  Love H�rnquist �strand  <lha@it.su.se>
1190	
1191	* doc/setup.texi: Hint about hxtool validate.
1192
1193	* appl/test/uu_server.c: print both "server" and "client"
1194
1195	* kdc/krb5tgs.c: Rename keys to be more obvious what they do.
1196
1197	* kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew
1198	Bartlett
1199	
1200	* kdc/windc.c: ident, spelling.
1201
1202	* kdc/windc_plugin.h: indent.
1203
1204	* kdc/krb5tgs.c: Pass down server entry to verify_pac function.
1205	from Andrew Bartlett
1206
1207	* kdc/windc.c: pass down server entry to verify_pac function, from
1208	Andrew Bartlett
1209
1210	* kdc/windc_plugin.h: pass down server entry to verify_pac
1211	function, from Andrew Bartlett
1212
1213	* configure.in: Provide a automake symbol ENABLE_SHARED if shared
1214	libraries are built.
1215
1216	* lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock
1217	when verifying the PAC.  From Andrew Bartlett.
1218	
12192007-01-09  Love H�rnquist �strand  <lha@it.su.se>
1220
1221	* lib/krb5/test_pac.c: move around to code test on real PAC.
1222
1223	* lib/krb5/pac.c: A tiny 2 char diffrence that make the code work
1224	for real.
1225
1226	* lib/krb5/test_pac.c: Test more PAC (note that the values used in
1227	this test is wrong, they have to be fixed when the pac code is
1228	fixed).
1229
1230	* doc/setup.texi: Update to new hxtool issue-certificate usage
1231
1232	* lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS
1233	and PK-INIT pa data, no need to expose our password protecting our
1234	PKCS12 key.
1235
1236	* kuser/klist.c (print_cred_verbose): include ticket length in the
1237	verbose output
1238	
12392007-01-08  Love H�rnquist �strand  <lha@it.su.se>
1240	
1241	* lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without
1242	it linux is unhappy.
1243
1244	* lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without
1245	it linux is unhappy.
1246
1247	* lib/krb5/name-45-test.c: One of the hosts I sometimes uses is
1248	named "bar.domain", this make one of the tests pass when it
1249	shouldn't.
1250
12512007-01-05  Love H�rnquist �strand  <lha@it.su.se>
1252
1253	* doc/setup.texi: Change --key argument to --out-key.
1254
1255	* kuser/kimpersonate.1: mangle my name
1256	
12572007-01-04  Love H�rnquist �strand  <lha@it.su.se>
1258	
1259	* doc/setup.texi: describe how to use hx509 to create
1260	certificates.
1261
1262	* tools/heimdal-build.sh: Add --distcheck.
1263
1264	* kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check
1265	if we should include the PAC in the krbtgt.
1266
1267	* kdc/pkinit.c (_kdc_as_rep): check if
1268	krb5_generate_random_keyblock failes.
1269
1270	* kdc/kerberos5.c (_kdc_as_rep): check if
1271	krb5_generate_random_keyblock failes.
1272
1273	* kdc/krb5tgs.c (tgs_build_reply): check if
1274	krb5_generate_random_keyblock failes.
1275
1276	* kdc/krb5tgs.c: Scope etype.
1277
1278	* lib/krb5/rd_req.c: Make it possible to turn off PAC check, its
1279	default on.
1280
1281	* lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify
1282	its server signature.
1283
1284	* kdc/kerberos5.c (_kdc_as_rep): call windc client access hook.
1285	(_kdc_tkt_add_if_relevant_ad): constify in data argument.
1286
1287	* kdc/windc_plugin.h: More comments add a client_access hook.
1288
1289	* kdc/windc.c: Add _kdc_windc_client_access.
1290
1291	* kdc/krb5tgs.c: rename functions after export some more pac
1292	functions.
1293
1294	* lib/krb5/test_pac.c: export some more pac functions.
1295
1296	* lib/krb5/pac.c: export some more pac functions.
1297
1298	* kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC.
1299
1300	* configure.in: add tests/plugin/Makefile
1301	
13022007-01-03  Love H�rnquist �strand  <lha@it.su.se>
1303
1304	* kdc/krb5tgs.c: Get right key for PAC krbtgt verification.
1305
1306	* kdc/config.c: spelling
1307
1308	* lib/krb5/krb5.h: typedef for krb5_pac.
1309
1310	* kdc/headers.h: Include <windc_plugin.h>.
1311
1312	* kdc/Makefile.am: Include windc.c and use windc_plugin.h
1313
1314	* kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain
1315	Controller.
1316
1317	* kdc/kerberos5.c: Call callbacks for emulating a Windows Domain
1318	Controller.  Move the some of the log related stuff to its own
1319	function.
1320
1321	* kdc/config.c: Init callbacks for emulating a Windows Domain
1322	Controller.
1323
1324	* kdc/windc.c: Rename the init function to windc instead of pac.
1325
1326	* kdc/windc.c: Callbacks specific to emulating a Windows Domain
1327	Controller.
1328
1329	* kdc/windc_plugin.h: Callbacks specific to emulating a Windows
1330	Domain Controller.
1331
1332	* lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ
1333
1334	* lib/krb5/pac.c: Support all keyed checksum types.
1335	
13362007-01-02  Love H�rnquist �strand  <lha@it.su.se>
1337	
1338	* lib/krb5/pac.c (krb5_pac_get_types): Return list of types.
1339	
1340	* lib/krb5/test_pac.c: test krb5_pac_get_types
1341
1342	* lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
1343
1344	* lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA.
1345
1346	* lib/krb5/krb5.h: Add KRB5_KRBHST_KCA.
1347
1348	* lib/krb5/test_pac.c: test Add/remove pac buffer functions.
1349
1350	* lib/krb5/pac.c: Add/remove pac buffer functions.
1351
1352	* lib/krb5/pac.c: sprinkle const
1353
1354	* lib/krb5/pac.c: rename DCHECK to CHECK
1355	
1356	* Happy New Year.
1357