source: heimdal/trunk/ChangeLog.2003@ 4

2003-12-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/error_string.c: protect error_string with mutex
        
        * lib/krb5/context.c: allocate and destroy mutex in krb5_context
        
        * lib/krb5/krb5.h (krb5_context_data): add mutex for error_string
        
2003-12-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c: make -9 work again
        
2003-12-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds_pw.c: try handle ts preauth better, still
        not good, but at least it work with older heimdal releases that
        doesn't send back KRB5KDC_ERR_PREAUTH_REQUIRED when preauth was
        sent

2003-12-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb.asn1: remove enforce-transited-policy, its no longer
        used

2003-12-11  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/pkinit.c (_krb5_pk_create_sign): fill in NULL as
        parameters, required by CMS

2003-12-07  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/get_in_tkt_with_keytab.c (krb5_get_in_tkt_with_keytab):
        avoid memory leak that snuck in when krb5_keytab_key_proc was
        exported, pointed out by Panases Inc
        
        * lib/krb5/keytab_file.c: do locking, found to be a problem for
        Panasas Inc

        * lib/krb5/fcache.c: internally export x{,un}lock and thus prefix
        them with _krb5_

        * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use
        KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded
        krb-cred

        * lib/krb5/krb5_auth_context.3: some text about
        krb5_auth_con_{add,remove}flags

        * lib/krb5/auth_context.c: add krb5_auth_con_addflags and
        krb5_auth_con_removeflags

2003-12-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/crypto.c (decrypt_internal_derived): move up padsize to
        avoid memory leak

2003-12-02  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/crypto.c: require cipher-text to be padded to padsize
        
        * lib/krb5/eai_to_heim_errno.c: EAI_ADDRFAMILY and EAI_NODATA is
        deprecated in RFC3493

        * lib/krb5/verify_krb5_conf.c (check_host): don't check for
        EAI_NODATA, because its depricated in RFC3493 Pointed out by
        Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss

2003-12-01  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am: move test_crypto to noinst_PROGRAMS
        
        * lib/krb5/test_crypto.c: add --version,--help
        
        * kuser/kinit.c (main): return the return value from simple_execvp
        
2003-11-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c: don't use PKINIT DH per default since its too
        slow

        * lib/krb5/pkinit.c: tweek to make pkinit work with the fact the
        asn1_compile can't generate code for context tagless optionals
        
        * kdc/pkinit.c: add support for KDC side of DH PKINIT
        
        * lib/krb5/pkinit.c: clean up error handling, make enc-type work
        again

2003-11-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c: add flag to make it work with pkinit dh
        
        * lib/krb5/pkinit.c: make PKINIT DH support work
        
2003-11-24  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/Makefile.am (LDADD): link with LIB_dlopen
        
        * kdc/pkinit.c: clean up
        
        * lib/krb5/krb5.h: make pkinit_win2k_compatible into a flag field
        
        * lib/krb5/pkinit.c: remove most compile depencies clean up
        
        * kdc/pkinit.c: print an error and turn of pkinit if openssl
        failed to load

        * kdc/config.c: read pkinit (pki-mumble) configuration options
        
        * kdc/kerberos5.c: add pkinit support
        
        * kdc/kdc_locl.h: add prototypes for pkinit
        
        * kdc/pkinit.c: PKINIT patch from Daniel Kouril and Petr Holub, I
        removed the dependency on valicert asn1 parser, remove smartcard
        and globus support (for now). Work to be done on this: DH support,
        Globus support, Smartcard support, windows support (MS implements
        -09 of the draft), make it conform to the new draft
        
        * lib/krb5/pkinit.c: fix bugs, improve error reporting

2003-11-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c: add some "struct foo;" glue for pkinit
        structures that isn't used

        * lib/krb5/pkinit.c: clean up, make remove depenency on openssl's
        api

        * lib/krb5/krb5_locl.h: add some glue for pkinit add reference
        counter to _krb5_get_init_creds_opt_private
        
        * lib/krb5/init_creds.c: reference count krb5_get_init_creds_opt
        private component to avoid copy all the data in it
        
        * lib/krb5/crypto.c (AES_string_to_key): fix memory leak

        * lib/krb5/init_creds_pw.c (init_cred_loop): fix memory leak
        
        * lib/krb5/heim_threads.h: include pthread.h in the pthread case
        
2003-11-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * kpasswd/kpasswdd.c (main): parse kdc.conf
        From: Jeffrey Hutzelman <jhutz@cmu.edu>
        
2003-11-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am (TESTS): add test_crypto
        
        * lib/krb5/test_crypto.c: time crypto operations
        
2003-11-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/init-creds: spelling, Bruno Rohee <bruno@rohee.com>
        
2003-11-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/rd_req.c (krb5_verify_ap_req2): krb5_free_ticket free
        the ticket now, rewrite error handling to handle that
        
        * kpasswd/kpasswdd.c (process): don't free ticket,
        krb5_free_ticket does that now

        * kdc/kerberos5.c (tgs_rep2): don't free ticket, krb5_free_ticket
        does that now

        * lib/krb5/ticket.c (krb5_free_ticket): free the ticket itself to
        match mit behavior, pointed out by Derrick Brashear
        
        * lib/krb5/krb5_ticket.3: krb5_free_ticket free the whole ticket
        
2003-11-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/padata.c: add krb5_padata_add
        
        * lib/krb5/krb5.h: krb5_context_data.pkinit_win2k_compatible
        
        * lib/krb5/Makefile.am: add pkinit.c
        
        * kuser/kinit.c: add pkinit support
        
        * lib/krb5/init_creds_pw.c: add support for pkinit
        
        * lib/krb5/krb5_locl.h: add the opaque krb5_pk_init_ctx to
        _krb5_get_init_creds_opt_private

        * lib/krb5/pkinit.c: rename krb5_pk_init_openssl_ctx to
        krb5_pk_init_ctx fix win2k error handling
        
        * lib/krb5/pkinit.c: PKINIT patch from Daniel Kouril and Petr
        Holub, I removed the dependency on valicert asn1 parser, remove
        smartcard and globus support (for now). Work to be done on this:
        DH support, Globus support, Smartcard support, windows support (MS
        implements -09 of the draft), verify that it conforms the new
        draft

2003-11-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/der_copy.c (copy_oid): copy all components
        
2003-10-27  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/krb5.conf.5: document capaths section

2003-10-22  Johan Danielsson  <joda@pdc.kth.se>

        * kdc/kerberos5.c: make sure that the server realm and the krbtgt
        second component are identical; get rpath from the capaths section

        * kdc/kerberos5.c: change logic for when to check transited policy
        to a tri-state model involving per principal flags (to be
        implemented)

        * kdc/kdc_locl.h: change enforce_transited_policy to a tri-state
        variable

        * kdc/config.c: change enforce_transited_policy to a tri-state
        variable

2003-10-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/transited.c (krb5_domain_x500_encode): always zero out
        encoding to make sure it have a defined value on failure

        * lib/krb5/transited.c (krb5_domain_x500_encode): 
        if num_realms ==0, set encoding and return (avoids malloc(0)),
        check return value for malloc

2003-10-21  Johan Danielsson  <joda@pdc.kth.se>

        * kdc/kerberos5.c (fix_transited_encoding): always print
        cross-realm information
        
2003-10-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: spelling, From: Tracy Di Marco White
        
        * kdc/kerberos5.c (fix_transited_encoding): set transited type
        
2003-10-21  Johan Danielsson  <joda@pdc.kth.se>

        * kdc/kdc.8: document enforce-transited-policy

        * kdc/kerberos5.c: always check transited policy if flag set
        either globally or on principal

        * kdc/config.c: add flag to always check transited policy

        * lib/hdb/hdb.asn1: add flag to enforce transited policy

2003-10-21  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/transited.c (krb5_domain_x500_decode): set *num_realms
        to zero not num_realms

        * kuser/kgetcred.1: add --no-transit-check
        
        * kuser/kgetcred.c: add --no-transit-check

        * doc/setup.texi: describe Transit policy
        
2003-10-20  Johan Danielsson  <joda@pdc.kth.se>

        * kdc/kerberos5.c (fix_transited_encoding): also verify with
        policy, unless asked not to

        * lib/krb5/rd_req.c (krb5_decrypt_ticket): try to verify transited
        realms, unless the transited-policy-checked flag is set

        * lib/krb5/transited.c (krb5_domain_x500_decode): handle zero
        length tr data;
        (krb5_check_transited): new function that does more useful stuff

        * lib/krb5/get_cred.c: get capath info from [capaths] section

2003-10-16  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/fcache.c: Sleep forever waiting for lock. Previous
        method doesn't work well with a large number of clients accessing
        the cache at the same time, and there is no simple way to add a
        timeout to the lock.

2003-10-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_krb5_conf.c: print the error value
        krb5_init_context failed with

        * lib/krb5/config_file.c (krb5_config_parse_file_debug): punt if
        there is binding before a section declaration. Bug found by
        Arkadiusz Miskiewicz <arekm@pld-linux.org>

2003-10-13  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/fcache.c (erase_file): revert a change in previous; if
        the ccache is a symlink, kdestroy should remove it

        * lib/krb5/fcache.c: implement locking

2003-10-12  Johan Danielsson  <joda@pdc.kth.se>

        * kuser/klist.c (print_tickets): bail out if krb5_cc_next_cred
        returns error other than KRB5_CC_END

2003-10-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds_pw.c: add some help function that is common
        between ENC_TS and SAM2, free the etype{,2}-infos on failure, move
        the pa counter into krb5_get_init_creds_ctx
        
2003-10-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kaserver.c (do_getticket): if times data is shorter then 8
        byte, request is malformed.

        * kdc/kaserver.c (do_authenticate): if request length is less then
        8 byte, its a bad request and fail. Pointed out by Marco Foglia
        <marco@foglia.org>

        * lib/krb5/verify_krb5_conf.c: add flag --warn-mit-syntax that
        warns for mit syntax is used and just ignore the mit syntax when
        its used

        * lib/krb5/verify_krb5_conf.c: parse [kdc]use_2b and [gssapi]
        
2003-10-04  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/lex.l: add BOOLEAN
        
        * lib/asn1/parse.y: add BOOLEAN
        
2003-10-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c: When running kinit in "fork mode" do pagsh
        independent of krb4, also always do krb4 setup of cc. Always try
        to destroy the v4 cc.
        - add boolean --{,no-}request-pac that will request pac or not

        * kuser/klist.c (check_for_tgt): set client as part of the
        pattern/match cred

        * lib/krb5/convert_creds.c (_krb5_krb_dest_tkt): unlink v4 token
        (get_krb4_cc_name): move out from _krb5_krb_tf_setup
        (_krb5_krb_tf_setup): adapt to allocated filename instead of
        static filename

        * lib/krb5/krb5-v4compat.h: add _krb5_krb_dest_tkt and TKT_ROOT
        
        * lib/krb5/init_creds_pw.c (*) send PA_PAC_REQUEST when the user
        have requested either use PAC or not use PAC, if the option not
        set from the user, leave it up to the kdc to decide.
        (init_creds_loop): clear error string on success

        * lib/krb5/init_creds.c: add
        krb5_get_init_creds_opt_set_paq_request break out common part of
        extended opt functions to require_ext_opt

        * lib/krb5/krb5_locl.h: add enum krb5_get_init_creds_req_pac and
        use it in struct _krb5_get_init_creds_opt_private
        
        * tools/kdc-log-analyze.pl: handle some more failure lines
        
        * doc/programming.texi: some diffrences between Heimdal and MIT
        Kerberos in the API

        * doc/setup.texi: add Setting up DNS
        
        * lib/krb5/rd_req.c (krb5_rd_req): always free keyblock since its
        alway used

        * lib/asn1/Makefile.am: add SAM types and PAC_REQUEST
        
        * lib/asn1/k5.asn1: add more preauth types, add PA-PAC-REQUEST
        
        * lib/asn1: add boolean support

2003-10-02  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/changepw.c (setpw_send_request): free ap_req_data on
        failure

2003-09-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/test/http_client.c (do_connect): use ai_protocol 0
        
        * lib/krb5/init_creds_pw.c (init_cred_loop): handle
        KRB5KRB_ERR_RESPONSE_TOO_BIG and loop again, this time requesting
        LARGE_MSG from send to kdc, and if this is the second time bail
        out; try to free memory

        * lib/krb5/send_to_kdc.c (krb5_sendto_kdc_flags): new function,
        and then implement the order krb5_sendto_kdc* function with this
        function.

        * lib/krb5/krbhst.c (krb5_krbhst_init_flags): new function, use it
        and adapt callers
        (krbhst_get_default_proto): new function, returns udp, or in case
        large_msg was requested for the krb5_krbhst_data, use tcp.
        (*): if the flag KD_LARGE_MSG was set on the krb5_krbhst_data, avoid
        using udp, use krbhst_get_default_proto
        
        * lib/krb5/krb5.h: flags for krb5_krbhst_init_flags (and
        krb5_send_to_kdc_flags)

2003-09-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/rd_req.c (krb5_rd_req): if we have a keyblock in auth
        context, use that

        * appl/test/uu_client.c: print authorization data if there are any
        
        * lib/asn1/asn1_print.c: decode IA5Stringa and UTF8String
        
2003-09-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds_pw.c: use _krb5_get_init_creds_opt_copy
        * lib/krb5/init_creds.c: don't export krb5_get_init_creds_opt_copy
        
        * lib/hdb/Makefile.am: libhdb might depend on LIB_dlopen
        
        * kuser/kinit.c: don't get v4 tickets by default
        
2003-09-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * kpasswd/kpasswdd.c (process): remove a abort()
        
        * doc/win2k.texi: add some text about netdom.exe and trusts
        
        * TODO-1.0: gssapi rc4 done
        
        * kpasswd/kpasswdd.c: add support for Set password protocol as
        defined by RFC3244 -- Microsoft Windows 2000 Kerberos Change
        Password and Set Password Protocols

2003-09-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/db3.c: improve readability of ->open ifdef, check if
        version >= 4.1

        * lib/krb5/init_creds.c (krb5_get_init_creds_opt_copy): add
        
        * lib/krb5/rd_req.c (krb5_rd_req): allow caller to pass in a key
        in the auth_context, they way processes that doesn't use the
        keytab can still pass in the key of the service (matches behavior
        of MIT Kerberos).
        
2003-09-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds_pw.c: collect all init_creds context into a
        structure so it can easier be passed around, also, while here,
        change nonce for every request

        * lib/krb5/get_in_tkt.c (init_as_req): don't realloc data before
        the loop, add_padata() will handle that itself

        * lib/krb5/get_for_creds.c (add_addrs): don't increase addr->len
        until in contains interesting data, use right iteration counter
        when clearing the addresses

        * lib/krb5/log.c (log_realloc): increase len after realloc returns
        sucessfully

2003-09-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/config_file.c: fix prototypes
        From: Fredrik Ljungberg <flag@pobox.se>
        
2003-09-10  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/test/http_client.c: close socket when we are done, don't
        allow the server to restart gssapi negotiation
        
        * lib/hdb/hdb_locl.h: include <limits.h> for ULONG_MAX noted by
        Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss
        
        * appl/test/gssapi_client.c (proto): use select_mech
        
        * appl/test/http_client.c: use getarg
        
        * appl/test/gss_common.h: prototype for select_mech
        
        * appl/test/gss_common.c (select_mech): return the gss_OID from a
        mech name

        * appl/test/http_client.c: print both source and target
        
        * appl/test/Makefile.am: build http_client
        
2003-09-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/asn1_print.c: add support for printing Enumerated
        
        * appl/test/gssapi_client.c: allow user to select mech; krb5,
        spnego, and no-oid

        * appl/test/test_locl.h: add mech
        
        * appl/test/common.c: add --mech,-m argument
        
        * appl/test/gssapi_server.c: print the mech that was used
        
        * kdc/kerberos5.c (only_older_enctype_p): check request if the
        client only supports old enctypes, before it used the database
        
2003-09-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * **/*.c: add context argument to krb5_get_init_creds_opt_alloc

        * lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): add
        context argument

        * lib/krb5/krb5_get_init_creds.3: spelling
        
2003-09-04  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/context.c (add_file): make len argument an pointer to
        an integer

        * lib/asn1/k5.asn1: add SAM types

        * lib/krb5/init_creds_pw.c: break out the encrypt timestamp
        preauth to its function break out the pa_data_to_key_plain to its
        own function make more variables const
        
2003-09-04  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/krb5.conf.5: document appdefaults/{forward,encrypt}

2003-09-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.h: Add key usage for encryption of the
        SAM-NONCE-OR-SAD field.

        * include/make_crypto.c: include <openssl/ui.h> in the openssl
        case

        * kdc/hprop.h: use new DES_ api
        
        * lib/krb5/krb5-v4compat.h: assume session key is a char array of
        length 8

        * lib/krb5/prompter_posix.c:
        s/des_read_pw_string/UI_UTIL_read_pw_string/

        * kuser/kinit.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
        
        * kdc/string2key.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
        
        * kdc/kstash.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
        
        * admin/add.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
        
        * lib/krb5/crypto.c: switch from the des_ to the DES_ api
        
        * kdc/hprop.c: use DES_KEY_SZ instead of sizeof(des_block)
        
        * kuser/kverify.c: use
        krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free

        * kpasswd/kpasswd-generator.c: use
        krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free

        * kdc/hprop.c: use
        krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free compare
        a uint32_t with 0xffffffff instead of -1

        * lib/krb5/krb5_425_conv_principal.3: fix [Gt]
        
        * kuser/kinit.c: use
        krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free

        * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): handle
        password passed in though context

        * lib/krb5/Makefile.am (TESTS): += test_config

        * lib/krb5/aes-test.c: move variable thats used within a #ifdef to
        be defined within that #ifdef

        * lib/krb5/data.c (krb5_data_free): reset whole krb5_data when
        freeing it

        * lib/krb5/keyblock.c (krb5_keyblock_zero): new function, zeros
        out a keyblock

        * lib/krb5/init_creds_pw.c: rewrite/implement
        krb5_get_init_creds_password with new preauth handing, still it
        can only work with krb5-pa-enc-timestamp for preauth, but now it
        can handle etype-info2

        * lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): allocate
        a opt structure
        (krb5_get_init_creds_opt_free): free a opt structure
        (krb5_get_init_creds_opt_set_pa_password): set preauth info for
        enc-timestamp

        * lib/krb5/krb5_locl.h: add struct
        _krb5_get_init_creds_opt_private

2003-09-02  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.h: add SAM keyusage numbers, add s2k proc typedef,
        add a pointer to a private part of krb5_get_init_creds_opt
        
        * kdc/string2key.c (main): avoid const warning by using a extra
        variable

2003-08-31  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type):
        reindent

        * lib/krb5/ticket.c (krb5_copy_ticket): free all data when
        failing, copy data to right memory, the later pointed out by Luke
        Howard.

2003-08-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.h: cfx-01 use diffrent usage numbers
        
2003-08-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/db3.c: try to include more db headers

        * lib/hdb/db3.c: patch for working with DB4 on heimdal-discuss
        From: Luke Howard <lukeh@PADL.COM>
        
2003-08-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.h: add KEYTYPE_ARCFOUR_56
        
        * appl/test/gssapi_client.c: send both INT and CONF wrapped token
        
        * appl/test/gssapi_server.c: recv both INT and CONF wrapped token
        
        * lib/asn1/k5.asn1: add KRB5_NT_SMTP_NAME and KRB5_NT_ENTERPRISE
        
2003-08-27  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/test/uu_client.c (proto): fill in client in the match cred
        
2003-08-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.h: CFX uses slightly diffrent usage numbers
        
        * lib/krb5/crypto.c (usage2arcfour): simplify, only include
        special cases From: Luke Howard <lukeh@PADL.COM>
        
2003-08-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: code rewrite from Luke Howard
        <lukeh@PADL.COM>

        * lib/krb5/crypto.c (arcfour_checksum_p): return true when is
        arcfour, not when its not pointed out by Luke Howard
        
        * doc/ack.texi: update Luke Howard email address
        
2003-08-24  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_encrypt.3: document:
        krb5_crypto_getconfoundersize, krb5_crypto_getblocksize
        krb5_crypto_getenctype, krb5_crypto_getpadsize

        * lib/krb5/crypto.c (krb5_crypto_getpadsize,
        krb5_crypto_getconfoundersize): added From: Luke Howard
        <lukeh@PADL.COM>

2003-08-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/connect.c (handle_tcp): handle recvfrom returning 0
        (connection closed)

        * kdc/connect.c (grow_descr): increment the size after we succeed
        to allocate the space

        * lib/krb5/krb5_create_checksum.3: text about when
        krb5_crypto_get_checksum_type is useful

        * lib/krb5/crypto.c (krb5_crypto_get_checksum_type): fix format
        string

        * lib/krb5/krb5_create_checksum.3: document
        krb5_crypto_get_checksum_type

        * lib/krb5/crypto.c: add krb5_crypto_get_checksum_type
        From: Luke Howard <lukeh@PADL.COM>
        
        * lib/asn1/gen.c: s/UTF8String/heim_utf8_string/ in generated code
        From: Luke Howard <lukeh@PADL.COM>
        
2003-08-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * include/make_crypto.c: include aes.h inc in the local libdes
        case too

2003-08-20  Johan Danielsson  <joda@pdc.kth.se>

        * lib/asn1/der_free.c: set free'd poiners to NULL
        
        * lib/asn1/gen_free.c: set free'd poiners to NULL
        
2003-08-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/heim_threads.h: XXX don't use "plain" pthread support
        on netbsd

        * lib/krb5/crypto.c: Do the arcfour checksum mapping for
        krb5_create_checksum and krb5_verify_checksum, From: Luke Howard
        <lukeh@PADL.COM>

2003-08-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/test_config.c: check krb5_prepend_config_files_default
        and krb5_prepend_config_files

        * lib/krb5/context.c: add krb5_prepend_config_files and
        krb5_prepend_config_files_default

2003-08-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/mkey.c (read_master_mit): krb5_ret_int16 takes a int16_t
        as argument

        * lib/krb5/parse-name-test.c: please lint (and me)
        
        * kdc/config.c (configure): remove only set variable 'e'
        
        * kdc/connect.c (init_socket): sockaddr size argument to
        krb5_addr2sockaddr is a krb5_addr2sockaddr *
        
        * kdc/kerberos5.c (as_rep): remove usused variable
        (tgs_rep2): don't use a temporary ret-variable, ret is reset later

        * lib/krb5/krb5_get_in_cred.3: these function will be deprecated
        
        * lib/krb5/Makefile.am: man_MANS += krb5_get_init_creds.3
        
        * lib/krb5/krb5_get_init_creds.3: begining of documentation of
        krb5_get_init_creds

        * lib/krb5/get_in_tkt.c (krb5_get_in_tkt): for compatibility with
        with the mit implemtation, don't free `creds' argument when done,
        its up the the caller to do that, also allow a NULL ccache.
        
2003-08-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.conf.5: document tgs_require_subkey
        
        * lib/asn1/Makefile.am: remove trance of generate tests files, its
        not really for consumption yet

        * lib/hdb/Makefile.am: split generated source from non generated
        source we make-proto.pl can generate prototypes for non
        generate-source only (make-proto.pl dies on asn1compile's .c
        files)

        * lib/krb5/get_cred.c (init_tgs_req): make generation of subkey
        optional on configuration parameter
        [realms]realm={tgs_require_subkey=bool}
        defaults to off. The RFC1510 weakly defines the correct behavior,
        so old DCE secd apparently required the subkey to be there, and MS
        will use it when its there. But the request isn't encrypted in the
        subkey, so you get to choose if you want to talk to a MS mdc or a
        old DCE secd.

        * kdc/kerberos5.c (*): handle krb5_unparse_name returning non-zero
        
2003-08-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/principal.c (unparse_name): len can't be zero, so,
        don't check for that

2003-08-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/principal.c (unparse_name): make sure there are space
        for a NUL, set *name to NULL when there is a failure (so caller
        can't get hold of a freed pointer)

2003-07-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/kerberos.8: remove duplicate manual, from
        cjep@netbsd.org

2003-07-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/cache.c: indent
        
        * lib/krb5/cache.c (krb5_cc_set_default_name): only read
        KRB5CCNAME when not suid

2003-07-24  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/keytab_krb4.c (read_v4_entry): the des key is 8 bytes,
        use a char array instead of des_cblock

2003-07-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c: add support for KRB5_PADATA_ETYPE_INFO2
        
        * lib/krb5/crypto.c (hmac): make it return an error when out of
        memory, update callsites to either return error or use krb5_abortx
        (krb5_hmac): expose hmac

2003-07-22  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/keyblock.c (krb5_keyblock_get_enctype): return enctype
        of keyblock

        * lib/krb5/Makefile.am (man_MANS): += krb5_keyblock.3

        * lib/krb5/krb5_keyblock.3: some information about krb5_keyblock
        and related functions

        * lib/krb5/heim_threads.h: make the non-debug version of the mutex
        macros "use" the "mutex" integer so the compile wont complain
        about defined unused variables

        * lib/krb5/heim_threads.h: make thread local storage macros take a
        "return" argument so no functions need to be created for the
        no-pthread case

        * lib/krb5/heim_threads.h: adding RWLOCKS and [sg]etspecific
        
        * configure.in: use KRB_PTHREADS
        
        * lib/asn1/Makefile.am (gen_files): add asn1_KerberosString and
        sort

        * lib/asn1/k5.asn1 (ETYPE-INFO2-ENTRY): salt is a KerberosString
        
        * lib/krb5/krb5.3: add ticket access functions
        * lib/krb5/krb5_ticket.3: ditto
        * lib/krb5/ticket.c: ditto
        * lib/krb5/Makefile.am: ditto
        
        * lib/krb5/mit_glue.c: add some more krb5_c functions
        
        * lib/krb5/krb5_c_make_checksum.3: add some more krb5_c functions
        
        * lib/krb5/crypto.c (krb5_cksumtype_valid): check is checksum type
        is a valid one

        * lib/krb5/crypto.c (krb5_checksum_is_keyed): only set extented
        error string when there is a context
        (krb5_checksum_is_collision_proof): ditto

2003-07-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/mit_glue.c (krb5_c_get_checksum): make type and data
        argument optional
        (krb5_c_{encrypt,decrypt}): return "better" error codes for
        invalid ivec length

        * lib/krb5/krb5_c_make_checksum.3: update krb5_c_get_checksum
        usage

        * lib/krb5/crypto.c (krb5_crypto_getenctype): new function
        
        * include/make_crypto.c: avoid redefining
        OPENSSL_DES_LIBDES_COMPATIBILITY

        * lib/krb5/krb5.h: add krb5_enc_data
        
2003-07-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.3: add krb5_c_ functions
        
        * lib/krb5/mit_glue.c: support passing in NULL as the
        cipher_state/ivec

        * lib/krb5/aes-test.c: add test for krb5_c_encrypt_length and
        krb5_c_decrypt

        * lib/krb5/krb5_c_make_checksum.3: krb5_c encryption glue
        
        * lib/krb5/crypto.c (wrapped_length/wrapped_length_derived): when
        calculating the length of the encrypted data, use the keyed
        checksum length if the enctype supports a keyed checksum. This
        only matter for aes, for all other enctypes the key and unkeyed
        checksum have the same length.

2003-07-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/mit_glue.c: first version of krb5_c encryption glue

        * doc/install.texi: update pointer to luke ldap documentation
        
        * lib/hdb/hdb.c (hdb_create): check for dynamic backend after
        static to avoid warning from dynamic backend when using a known
        static backend

2003-07-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/cache.c: don't return value in void function
        
2003-07-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/creds.c (krb5_compare_creds): if client is specified in
        the mcreds, check that too

        * lib/krb5/{keytab_file.c,principal.c,mk_error.c,krb5.h,get_cred.c}:
        prefix libasn1 types with heim_
        
        * lib/asn1: prefix typedefs and structs with heim_

2003-07-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb.c: avoid unnecessary setting of variable
        
2003-07-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/klist.c (check_for_tgt): use krb5_cc_clear_mcred
        
        * appl/test/uu_client.c (proto): use krb5_cc_clear_mcred
        
        * lib/krb5/get_cred.c (init_tgs_req): in case of error, don't free
        in the req_body addresses since they where pass in by caller
        (find_cred): use krb5_cc_clear_mcred

        * lib/krb5/krb5_ccache.3: document krb5_cc_clear_mcred
        
        * lib/krb5/cache.c (krb5_cc_clear_mcred): new function, clear a
        krb5_creds to use with krb5_cc_retrieve_cred
        
2003-06-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb.c (find_dynamic_method): if there isn't a prefix,
        don't load anything

2003-06-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb.c: Dynamic backend loading, based on patch from Luke
        Howard <lukeh@PADL.COM>

        * lib/hdb/hdb.h: add struct hdb_so_method and
        HDB_INTERFACE_VERSION

2003-06-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): when using
        arcfour-hmac-md5, use an unkeyed checksum (rsa-md5), since
        Microsoft calculates the keyed checksum with the subkey of the
        authenticator.

        * kuser/kinit.c: write out v4 credential caches with
        _krb5_krb_tf_setup

        * lib/krb5/krb5-v4compat.h: add _krb5_krb_tf_setup

        * lib/krb5/convert_creds.c (_krb5_krb_tf_setup): create/append v4
        credential to a new krb4 ticket file
        
2003-06-27  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/krb5_kuserok.3: put Nd argument in double quotes since
        it contains more than 9 words; from wiz

2003-06-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_krb5_conf.c: add missing " within #if 0, from
        stefan sokoll <stefansokoll@yahoo.de>

2003-06-24  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_timeofday.3: improve krb5_set_real_time text
        
        * lib/krb5/time.c: improve comment for krb5_set_real_time
        
2003-06-23  Johan Danielsson  <joda@pdc.kth.se>

        * kuser/kinit.1: document -A

        * kuser/kinit.c: add -A as an alias for --no-addresses

2003-06-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): pass in a
        krb5_timestamp to krb5_us_timeofday

        * lib/krb5/mk_error.c (krb5_mk_error): pass in a krb5_timestamp to
        krb5_us_timeofday

        * lib/krb5/time.c (krb5_set_real_time): fix comment and make it
        work

        * lib/krb5/time.c, lib/krb5/krb5_timeofday.3, 
        lib/krb5/Makefile.am lib/krb5/test_time.c:
        
        implement krb5_set_real_time, used by SAMBA, requested by Luke
        Howard <lukeh@PADL.COM>

        * lib/asn1/k5.asn1: make the aes and sha1 checksum types match
        draft-ietf-krb-wg-crypto-05

2003-06-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/aes-test.c: add a test for aes kcrypto encrypted data
        
        * lib/krb5/crypto.c: clean up AES code to use a structure instead
        of a key array
        (_krb5_AES_string_to_default_iterator): set to 4096 as described in
        aes draft -04
        (derive_key): always remove the key->schedule since its
        will contain the wrong (parent key) info

2003-06-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/aes-test.c: add aes256 test vectors from Ken Raeburn
        * doc/setup.texi: add more kdc's to the example
        
2003-06-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: use int2HDBFlags/HDBFlags2int From: Alberto
        Patino <jalbertop@aranea.com.mx>, Luke Howard <lukeh@PADL.COM>
        Pointed out by Andrew Bartlett of Samba
        
        * lib/krb5/heim_threads.h: remove freebsd comment, don't use debug
        pthread stubs by default

        * lib/krb5/Makefile.am (man_MANS): drop krb5_free_addresses.3
        
        * lib/krb5/krb5_free_addresses.3: removed file, functions are
        documented in krb5_address.3
        
        * lib/krb5/codec.c: add krb5_{de,en}code_ETYPE_INFO2
        
        * lib/krb5/crypto.c: add _krb5_AES_string_to_default_iterator add
        krb5_string_to_key_salt_opaque() fix keylengh for keytype_aes256
        
2003-06-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: Point out that slave needs /var/heimdal
        directory and masterkey From: Mans Nilsson <mansaxel@sunet.se>,
        Fix spelling while here
        
2003-06-02  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am, krb5_get_in_cred.3, krb5.3:
        add manpage for: krb5_get_in_cred, krb5_get_in_tkt,
        krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_password,
        krb5_get_in_tkt_with_skey

2003-05-28  Assar Westerlund  <assar@kth.se>

        * lib/krb5/heim_threads.h: Fix unlock/destroy macros for the
        non-threaded cases to work.  Fix typo.

2003-05-27  Johan Danielsson  <joda@pdc.kth.se>

        * lib/asn1/{der_put.c,der_length.c,check-der.c}: Fix encoding of
        "unsigned" integers. If MSB is set, we need to pad with a zero
        byte.

2003-05-27  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_c_make_checksum.3: some more mdoc fixes
        
        * lib/hdb/hdb-ldap.c (LDAP__connect): bind sasl "EXTERNAL" to ldap
        connection
        (LDAP_store): remove superfluous argument to asprintf
        
        From Alberto Patino <jalbertop@aranea.com.mx>

2003-05-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/*.[0-9]: pacify mdoclink

        * lib/krb5/krb5_ccache.3: document diffrences between mit and
        heimdal krb5_cc_gen_new ccache -> credential cache s/[\t ]+$//
        
2003-05-21  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * appl/test/gssapi_server.c (proto): start to use
        gss_krb5_copy_ccache

        * appl/test/nt_gss_server.c (proto): comment out gss_ctx_id_t
        groveling for now

2003-05-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1:
        - add parser/generate glue for UTF8String and NULL
          (DER primitive encode/decode functions missing)
        - handle parsing of DEFAULT and, ...

2003-05-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/heim_threads.h: add missing argument to mutex_init
        
        * lib/krb5/crypto.c: protect the random initiator with a mutex
        
        * lib/krb5/mcache.c: protect the mcc_head with a mutex
        
        * lib/krb5/krb5_locl.h: include heim_threads.h
        
        * lib/krb5/heim_threads.h: wrapper macros for thread
        synchronization primitives

2003-05-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_principal.3
        lib/krb5/Makefile.am:
        Add all Kerberos principal function to one manpage, add a few more
        principal function to it, remove old now dup manpages
        
        * lib/krb5/krb5_build_principal.3: remove file
        * lib/krb5/krb5_free_principal.3: remove file
        * lib/krb5/krb5_sname_to_principal.3: remove file
        * lib/krb5/krb5_principal_get_realm.3: remove file

2003-05-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_krb5_conf.8: sort sections, from netbsd
        
        * lib/krb5/krb5_verify_user.3: .Sh EXAMPLE -> .Sh EXAMPLES, from
        netbsd

        * lib/krb5/krb5_openlog.3: .Sh EXAMPLE -> .Sh EXAMPLES, sort
        sections, from netbsd

        * lib/krb5/krb5_keytab.3: .Sh EXAMPLE -> .Sh EXAMPLES, mdoc fixes,
        from netbsd

        * lib/krb5/krb5_get_krbhst.3: .Sh EXAMPLE -> .Sh EXAMPLES, from
        netbsd
        
        * lib/krb5/krb5_get_all_client_addrs.3: add .Os, from NetBSD

        * lib/krb5/krb5_build_principal.3: sort sections, from NetBSD
        
        * lib/krb5/krb5.conf.5: .Sh EXAMPLE -> .Sh EXAMPLES, from netbsd
        
        * lib/krb5/get_default_realm.c: compatability -> compatibility,
        from netbsd

        * lib/krb5/krb5_warn.3: add copyright/license
        
        * lib/krb5/krb5_context.3: add SYNOPSIS and LIBRARY
        
        * lib/krb5/krb5.3: add RCSID
        
        * kdc/hprop.8: fix mdoc problem, from netbsd
        
        * lib/krb5/krb5_krbhst_init.3: uppercase url, from Thomas Klausner
        <wiz@netbsd.org>

        * kuser/kinit.1: setup -> set up, new sentence, new line from
        Thomas Klausner <wiz@netbsd.org>
        
2003-05-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * kpasswd/kpasswd.1: handle setting passwords for multiple
        principals at the same time

        * kpasswd/kpasswd.c: handle setting passwords for multiple
        principals at the same time

        * lib/krb5/changepw.c: draft-ietf-cat-kerb-chg-password-02 and
        rfc3244 share the response packet sure more constants now that
        they exists

2003-05-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.h: some define for rfc3244
        
        * lib/krb5/krb5.3: add krb5_change_password and krb5_set_password
        
        * kpasswd/kpasswd.1: document --admin-principal
        
        * kpasswd/kpasswd.c: use krb5_set_password
        
        * lib/krb5/krb5_set_password.3: document krb5_change_password and
        krb5_set_password

        * lib/krb5/changepw.c: implement rfc3244, partly from
        shadow@dementia.org

        * lib/asn1/Makefile.am (gen_files): asn1_ChangePasswdDataMS.x for
        RFC3244

        * lib/asn1/k5.asn1: add ChangePasswdDataMS, for
        RFC3244

2003-05-08  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kuser/kdestroy.c: destroy tokens even if there isn't v4 support

        * kuser/kinit.c: get token even if there isn't v4 support
        
        * kuser/klist.c: print tokens even if there isn't v4 support
        
2003-05-06  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/name-45-test.c: need to use empty krb5.conf for some
        tests

        * lib/asn1/check-gen.c: there is no \e escape sequence; replace
        everything with hex-codes, and cast to unsigned char* to make some
        compilers happy

2003-05-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first
        argument to krb5_us_timeofday have correct type
        
2003-05-05  Assar Westerlund  <assar@kth.se>

        * include/make_crypto.c (main): include aes.h if ENABLE_AES

2003-05-05  Love Hörnquist Å
strand  <lha@it.su.se>

        * make-release: when fixing a valid cvs tag from release name
        replace all number. to number- for all non-overlapping matches
        
2003-05-04  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/Makefile.am: gen_files += asn1_ETYPE_INFO2.x and
        asn1_ETYPE_INFO2_ENTRY.x
        (libasn1_la_LDFLAGS): set version to 6:1:1

        * doc/Makefile.am: add apps.texi
        
        * doc/setup.texi: add move forward link to applications
        
        * doc/heimdal.texi: add applications
        
        * doc/misc.texi: move afs stuff to applications add link to
        applications
        
        * doc/apps.texi: text about applications using kerberos
        move afs text here
        
2003-05-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: add cross realm text
        
2003-04-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_crypto_init.3: document krb5_enctype_to_string and
        krb5_string_to_enctype

2003-04-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/v4_dump.c (v4_prop_dump): limit strings length, from openbsd
        
2003-04-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/aes-test.c: use _krb5_PKCS5_PBKDF2
        * lib/krb5/crypto.c: unexport krb5_PKCS5_PBKDF2
        
2003-04-25  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/build_auth.c (krb5_build_authenticator): if the local
        sequence number is non-zero, don't generate a new one

        * lib/krb5/mk_rep.c (krb5_mk_rep): if the local sequence number is
        non-zero, don't generate a new one
        
        * lib/krb5/time.c (krb5_us_timeofday): make the sec parameter a
        krb5_timestamp

        * lib/krb5/mk_priv.c lib/krb5/mk_safe.c lib/krb5/rd_priv.c
        lib/krb5/rd_safe.c lib/krb5/rd_cred.c: implement RET_SEQUENCE and
        RET_TIME

        * lib/krb5/krb5.h (krb5_replay_data): make usec signed (matching
        asn1)

2003-04-24  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/programming.texi: s/managment/management/, from jmc
        <jmc@prioris.mini.pw.edu.pl>

2003-04-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/context.c (default_etypes): also advertise that we
        handle aes encryption types

        * lib/krb5/Makefile.am: add krb5_c_ checksum related functions

        * lib/krb5/krb5_c_make_checksum.3: document krb5_c_ checksum
        related functions

        * lib/krb5/mit_glue.c: add compat mit krb5_c checksum related
        functions

        * lib/asn1/k5.asn1: add ETYPE-INFO2 and ETYPE-INFO2-ENTRY
        
2003-04-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krbhst.c: copy NUL too, from janj@wenf.org via openbsd
        
2003-04-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/der_copy.c (copy_general_string): use strdup
        * lib/asn1/der_put.c: remove sprintf
        * lib/asn1/gen.c: remove strcpy/sprintf
        
        * lib/krb5/name-45-test.c: use a more unique name then ratatosk so
        that other (me) have such hosts in the local domain and the tests
        fails, to take hokkigai.pdc.kth.se instead
        
        * lib/krb5/test_alname.c: add --version and --help
        
2003-04-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_warn.3: add krb5_get_err_text
        
        * lib/krb5/transited.c: use strlcat/strlcpy, from openbsd
        * lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd
        * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use
        strlcpy, from openbsd
        * kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd
        * appl/kf/kfd.c: use strlcpy, from openbsd
        
2003-04-16  Johan Danielsson  <joda@pdc.kth.se>

        * configure.in: fix for large file support in AIX, _LARGE_FILES
        needs to be defined on the command line, since lex likes to
        include stdio.h before we get to config.h

2003-04-16  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/*.3: Change .Fd #include <header.h> to .In header.h,
        from Thomas Klausner <wiz@netbsd.org>
        
        * lib/krb5/krb5.conf.5: spelling, from Thomas Klausner
        <wiz@netbsd.org>

2003-04-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c: fix some more memory leaks
        
2003-04-11  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/kf/kf.1: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
        
2003-04-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * admin/ktutil.8: typos, from jmc <jmc@acn.waw.pl>
        
2003-04-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.3: s/kerberos/Kerberos/
        * lib/krb5/krb5_data.3: s/kerberos/Kerberos/
        * lib/krb5/krb5_address.3: s/kerberos/Kerberos/
        * lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/
        * lib/krb5/krb5.conf.5: s/kerberos/Kerberos/
        * kuser/kinit.1: s/kerberos/Kerberos/
        * kdc/kdc.8: s/kerberos/Kerberos/
        
2003-04-01  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/test_alname.c: more krb5_aname_to_localname tests
        
        * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when
        converting too root, make sure user is ok according to
        krb5_kuserok before allowing it.

        * lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname
        
        * lib/krb5/test_alname.c: add test for krb5_aname_to_localname
        
        * lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1
        instead of the "illegal" salt #~, same change as kth-krb did
        1999. Problems occur with crypt() that behaves like AT&T crypt
        (openssl does this). Pointed out by Marcus Watts.

        * admin/change.c (kt_change): collect all principals we are going
        to change, and pick the highest kvno and use that to guess what
        kvno the resulting kvno is going to be. Now two ktutil change in a
        row works. XXX fix the protocol to pass the kvno back.
        
2003-03-31  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/kf/kf.1: afs->AFS, from jmc <jmc@acn.waw.pl>
        
2003-03-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: add description on how to turn on v4, 524 and
        kaserver support

2003-03-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog
        and afs-use-524

2003-03-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c (as_rep): when the second enctype_to_string
        failes, remember to free memory from the first enctype_to_string

        * lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2,
        from Harald Joerg <harald.joerg@fujitsu-siemens.com>
        (enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc

        * lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key
        length when key is longer then expected length, its probably
        longer since the encrypted data was padded, reported by Aidan
        Cully <aidan@kublai.com>

        * lib/krb5/crypto.c (krb5_enctype_keysize): return key size of
        encyption type, inspired by Aidan Cully <aidan@kublai.com>
        
2003-03-27  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0
        (wildcard kvno) after principal when the keytab entry isn't found,
        reported by Chris Chiappa <chris@chiappa.net>
        
2003-03-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/misc.texi: update 2b example to match reality (from
        mattiasa@e.kth.se)

        * doc/misc.texi: spelling and add `Configuring AFS clients'
        subsection

2003-03-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.3: add krb5_free_data_contents.3
        
        * lib/krb5/data.c: add krb5_free_data_contents for compat with MIT
        API

        * lib/krb5/krb5_data.3: add krb5_free_data_contents for compat
        with MIT API
        
        * lib/krb5/krb5_verify_user.3: write more about how the ccache
        argument should be inited when used
        
2003-03-25  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/addr_families.c (krb5_print_address): make sure
        print_addr is defined for the given address type; make addrports
        printable

        * kdc/string2key.c: print the used enctype for kerberos 5 keys

2003-03-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/aes-test.c: add another arcfour test
        
2003-03-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5
        
2003-03-20  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/krb5_ccache.3: update .Dd

        * lib/krb5/krb5.3: sort in krb5_data functions

        * lib/krb5/Makefile.am (man_MANS): += krb5_data.3

        * lib/krb5/krb5_data.3: document krb5_data

        * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if
        prompter is NULL, don't try to ask for a password to
        change. reported by Iain Moffat @ ufl.edu via Howard Chu
        <hyc@highlandsun.com>

2003-03-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_keytab.3: spelling, from
        <jmc@prioris.mini.pw.edu.pl>

        * lib/krb5/krb5.conf.5: . means new line
        
        * lib/krb5/krb5.conf.5: spelling, from
        <jmc@prioris.mini.pw.edu.pl>

        * lib/krb5/krb5_auth_context.3: spelling, from
        <jmc@prioris.mini.pw.edu.pl>

2003-03-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5
        
        * lib/krb5/convert_creds.c: add _krb5_krb_life_to_time
        
        * lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time

        * kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out
        #ifdef KRB4 from enable_v4_cross_realm since 524 needs it
        
        * kdc/config.c: 524 is independent of kerberos 4, so move out
        enable_v4_cross_realm from #ifdef KRB4 since 524 needs it
        
2003-03-17  Assar Westerlund  <assar@kth.se>

        * kdc/kdc.8: document --kerberos4-cross-realm
        * kdc/kerberos4.c: pay attention to enable_v4_cross_realm
        * kdc/kdc_locl.h (enable_v4_cross_realm): add
        * kdc/524.c (encode_524_response): check the enable_v4_cross_realm
        flag before giving out v4 tickets for foreign v5 principals
        * kdc/config.c: add --enable-kerberos4-cross-realm option (default
        to off)

2003-03-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3
        
        * lib/krb5/krb5_aname_to_localname.3: manpage for
        krb5_aname_to_localname

        * lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/
        
2003-03-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3

        * lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3

        * lib/krb5/krb5_set_default_realm.3: Manpage for
        krb5_free_host_realm, krb5_get_default_realm,
        krb5_get_default_realms, krb5_get_host_realm, and
        krb5_set_default_realm.

        * admin/ktutil.8: s/entype/enctype/, from Igor Sobrado
        <sobrado@acm.org> via NetBSD

        * lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type
        
        * lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab
        
        * lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix
        
        * lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more
        types, add krb5_fcc_ops and krb5_mcc_ops
        
        * lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for
        a id

2003-03-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/intro.texi: add reference to source code, binaries and the
        manual

        * lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal
        
2003-03-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kdc.8: better/difrent english

        * kdc/kdc.8: . -> .\n, copyright/license
        
        * kdc/kdc.8: changed configuration file -> restart kdc

        * kdc/kerberos4.c: add krb4 into the most error messages written
        to the logfile

        * lib/krb5/krb5_ccache.3: add missing name of argument
        (krb5_context) to most functions

2003-03-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of
        function and return FALSE when there isn't a local account for
        `luser'.

        * lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text
        describing the function

2003-03-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name
        returned memory, don't return ENOMEM

2003-03-11  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.3: add krb5_address stuff and sort
        
        * lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description
        
        * lib/krb5/Makefile.am (man_MANS): += krb5_address.3
        
        * lib/krb5/krb5_address.3: document types krb5_address and
        krb5_addresses and their helper functions

2003-03-10  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3

        * lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se

        * lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3

        * lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se
        
        * lib/krb5/krb5.3: add more functions
        
        * lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc
        functions

        * lib/krb5/krb5_kuserok.3: document krb5_kuserok
        
        * lib/krb5/krb5_verify_user.3: document
        krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior

        * lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and
        krb5_verify_user_opt

        * lib/krb5/*.[0-9]: add copyright/licenses on more manpages

        * kuser/kdestroy.c (main): handle that krb5_cc_default_name can
        return NULL

        * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor
        (TESTS): add test_cc

        * lib/krb5/test_cc.c: test some
        krb5_cc_default_name/krb5_cc_set_default_name combinations
        
        * lib/krb5/context.c (init_context_from_config_file): set
        default_cc_name to NULL
        (krb5_free_context): free default_cc_name if set

        * lib/krb5/cache.c (krb5_cc_set_default_name): new function
        (krb5_cc_default_name): use krb5_cc_set_default_name

        * lib/krb5/krb5.h (krb5_context_data): add default_cc_name
        
2003-02-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/kf/kf.1: s/securly/securely/ from NetBSD
        
2003-02-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/connect.c: s/intialize/initialize, from
        <jmc@prioris.mini.pw.edu.pl>

2003-02-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * configure.in: add AM_MAINTAINER_MODE
        
2003-02-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * **/*.[0-9]: add copyright/licenses on all manpages

2003-14-16  Jacques Vidrine  <nectar@kth.se>

        * lib/krb5/get_in_tkt.c (init_as_req): Send only a single
        PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption
        type specified by the KDC.

2003-02-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * fix-export: some autoconf put their version number in
        autom4te.cache, so remove autom4te*.cache
        
        * fix-export: make sure $1 is a directory
        
2003-02-04  Love Hörnquist Å
strand  <lha@it.su.se>

        * kpasswd/kpasswdd.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>

        * kdc/kdc.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl>
        
2003-01-31  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/hpropd.8: s/databases/a database/ s/Not/not/

        * kdc/hprop.8: add missing .
        
2003-01-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.conf.5: documentation for of boolean, etypes,
        address, write out encryption type in sentences, s/Host/host
        
2003-01-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/check-gen.c: add checks for Authenticator too
        
2003-01-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: in the hprop example, use hprop and the first
        component, not host

        * lib/krb5/get_addrs.c (find_all_addresses): address-less
        point-to-point might not have an address, just ignore
        those. Reported by Harald Barth.

2003-01-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_krb5_conf.c (check_section): when key isn't
        found, don't print out all known keys

        * lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity
        and facility start resp
        (check_log): find_value() returns -1 when key isn't found

        * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a
        'const void *' to avoid AES_KEY being exposed in krb5-private.h
        
        * lib/krb5/krb5.conf.5: add [kdc]use_2b

        * kdc/524.c (encode_524_response): its 2b not b2
        
        * doc/misc.texi: quote @ where missing
        
        * lib/asn1/Makefile.am: add check-gen
        
        * lib/asn1/check-gen.c: add Principal check
        
        * lib/asn1/check-common.h: move generic asn1/der functions from
        check-der.c to here

        * lib/asn1/check-common.c: move generic asn1/der functions from
        check-der.c to here

        * lib/asn1/check-der.c: move out the generic asn1/der functions to
        a common file

2003-01-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/misc.texi: more text about afs, how to get get your KeyFile,
        and how to start use 2b tokens

        * lib/krb5/krb5.conf.5: spelling, from Jason McIntyre
        <jmc@cvs.openbsd.org>
        
2003-01-21  Jacques Vidrine  <nectar@kth.se>

        * kuser/kuser_locl.h: include crypto-headers.h for
        des_read_pw_string prototype

2003-01-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * admin/ktutil.8: document -v, --verbose

        * admin/get.c (kt_get): make getarg usage consistent with other
        other parts of ktutil

        * admin/copy.c (kt_copy): remove adding verbose_flag to args
        struct, since it will overrun the args array (from Sumit Bose)
        
2003-01-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc =
        ... }

        * lib/krb5/aes-test.c: test vectors in aes-draft
        
        * lib/krb5/Makefile.am: add aes-test.c

        * lib/krb5/crypto.c: Add support for AES
        (draft-raeburn-krb-rijndael-krb-02), not enabled by default.
        (HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify
        to support checksumtype that are have a shorter wireformat then
        their output block size.
        
        * lib/krb5/crypto.c (struct encryption_type): split the blocksize
        into blocksize and padsize, padsize is the minimum padding
        size. they are the same for now
        (enctype_*): add padsize
        (encrypt_internal): use padsize
        (encrypt_internal_derived): use padsize
        (wrapped_length): use padsize
        (wrapped_length_dervied): use padsize

        * lib/krb5/crypto.c: add extra `opaque' argument to string_to_key
        function for each enctype in preparation enctypes that uses
        `Encryption and Checksum Specifications for Kerberos 5' draft
        
        * lib/asn1/k5.asn1: add checksum and enctype for AES from
        draft-raeburn-krb-rijndael-krb-02.txt

        * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128,
        KEYTYPE_AES256

2003-01-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/common.c (_hdb_fetch): handle error code from
        hdb_value2entry

        * kdc/Makefile.am: always include kerberos4.c and 524.c in
        kdc_SOURCES to support 524

        * kdc/524.c: always compile in support for 524
        
        * kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4
        
        * kdc/config.c: always compile in support for 524
        
        * kdc/connect.c: always compile in support for 524
        
        * kdc/kerberos4.c: export encode_v4_ticket() and get_des_key()
        even when we build without kerberos 4, 524 needs them
        
        * lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out
        Kerberos 4 help functions/structures so other parts of the source
        tree can use it (like the KDC)