source: heimdal/trunk/ChangeLog.2004@ 3

2004-12-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for
        now (used in pkinit)

2004-12-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/Makefile.am: add CHECK_SYMBOLS

        * lib/hdb/keys.c: make all_etypes static

        * lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err
        -version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops

        * kdc/kerberos5.c: use private version of principalname

        * kdc/kerberos4.c: use private version of principalname

        * kdc/hpropd.c: use private version of principalname

        * kdc/524.c: use private version of principalname

        * lib/krb5/rd_req.c: use private version of principalname

        * lib/krb5/rd_cred.c: use private version of principalname

        * lib/krb5/init_creds_pw.c: use private version of principalname

        * lib/krb5/get_in_tkt.c: use private version of principalname

        * lib/krb5/asn1_glue.c: make principalname functions private

        * lib/krb5/krb5.h: add key usage for server referrals
        
2004-12-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/principal.c: make default_v4_name_convert static
        
        * lib/krb5/crypto.c: make lots of crypto related variables static
        
        * lib/krb5/acache.c: make default_acc_name static
        
2004-12-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: add some text about samba, use example.com
        
        * lib/hdb/hdb-ldap.c: Add account expiration for samba from James
        F.  Hranicky <jfh@cise.ufl.edu>.
        Add LDAP_addmod_integer and use it.

2004-12-27  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text
        fixes, from Dave Love

2004-12-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just
        needs pthread.h, threadlib is dead

2004-12-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/config.c (configure): check for deprecated
        enforce-transited-policy is set and fail if it is
        
        * lib/asn1/asn1_print.c: don't print garabage for octet strings
        
2004-12-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/main.c (main): catch sigpipe, we don't bother select()ing
        for errors

        * kdc/connect.c (handle_http_tcp): handle error from write(2)
        
        * doc/setup.texi: clarify credentials refreshing stuff
        
        * doc/setup.texi: add new node: Providing Kerberos credentials to
        servers and programs

        * doc/whatis.texi: fix spurious cross-reference makeinfo warning
        
        * lib/hdb/hdb-ldap.c (pos): uppercase in character

2004-12-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode
        nibbels in the other order

        * lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if
        attribute exists before we try to delete it LDAP__bytes2hex
        encodes in strange byte order, is this really right ?
        
2004-12-11  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all
        entries, search for samba accounts too, From: "James F. Hranicky"
        <jfh@cise.ufl.edu>

        * lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid
        too

        * lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing
        both krb5PrincipalName and uid, it must be broken, ignore it and
        return it doesn't exists.

2004-12-10  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/hpropd.8: spelling, from OpenBSD
        
        * kdc/kdc.8: use keeps for options, From OpenBSD k
        
2004-12-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: document --random-key and the need to do backup
        of the master key

        * kdc/kstash.8: add --random-key
        
        * kdc/kstash.c: add --random-key
        
2004-12-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_krb5_conf.8: spelling, from openbsd
        
        * lib/krb5/krb5_init_context.3: spelling, from openbsd
        
        * lib/krb5/krb5.conf.5: spelling, from openbsd
        
        * kuser/kdestroy.1: use keeps around options, spelling, from
        openbsd

        * kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD
        
        * kdc/hpropd.8: use keeps around options, from OpenBSD
        
        * kdc/hprop.8: use keeps around options, from OpenBSD
        
2004-11-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/context.c (krb5_free_context): clear error string
        before destroying mutex
        (krb5_init_context): don't call krb5_free_context before there is a
        mutex initialized

2004-11-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c (get_new_tickets): only complain about ticket
        renewable lifetime when the user asked for a specific renewable
        lifetime

2004-11-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c (find_keys): log what principal is missing
        enctypes

2004-11-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after
        freeing data

        * lib/krb5/init_creds_pw.c (change_password): handle old_options
        being NULL From Guenther Deschner on samba-technical.
        
2004-11-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_get_init_creds.3: add more text describing the
        krb5_get_init_creds functions

2004-11-11  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work
        again

2004-11-10  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb.asn1: use constrained integers
        
2004-11-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_get_init_creds.3: add description for opt_init,
        opt_alloc, opt_free

        * lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit
        
        * lib/krb5/init_creds.c: unexport
        krb5_get_init_creds_opt_free_pkinit

        * lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into
        get_init_creds_common

        * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in
        options NULL, just make a clean copy

2004-11-01  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier
        so we don't leak it on error

2004-10-31  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5.conf.5: unbreak 2b entry
        
        * lib/krb5/acache.c (make_cred_from_ccred): the address isn't a
        sockaddr but rather a kerberos address, deal with that.  Based on
        bug report from Jakob Schlyter <jakob@rfc.se>.

2004-10-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/connect.c: Make sure argument passed to ctype isn't signed
        char

2004-10-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: match new error names
        
        * lib/krb5/krb5_err.et: make error messages sane again
        
2004-10-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/keytab.c: use KRB5_KT_BADNAME

        * lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major
        version bump) add KRB5_DELTAT_BADFORMAT
        
        * lib/krb5/krb5.conf.5: time defaults to "s"
        
        * lib/krb5/time.c (krb5_string_to_deltat): default to "s" again,
        MIT's behavior was actually that it failed to parse the number
        (and thus used the default). Even better, ticket_lifetime (that
        was a consumer supposed a of the interface) was documented but
        never implemented, when it was implemented, people configuraiton
        files started to fail.  Also, use KRB5_DELTAT_BADFORMAT as a
        failure code.

        * lib/asn1/k5.asn1: sync enctypes with pkinit branch
        
        * lib/asn1/parse.y (readd) support negative numbers
        
        * lib/asn1/lex.l: support hex numbers
        
2004-10-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS
        
        * lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding
        for rc2 don't to padding for blocksize 1
        
        * lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c:
        Move keyset parsing and password based keyset generation into hdb.
        Requested by Andrew Bartlett <abartlet@samba.org> for hdb-ldb
        backend.

2004-10-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c: adapt to new signature of
        krb5_get_init_creds_opt_set_pkinit
        
        * lib/krb5/pkinit.c: free openssl engine deal with
        RecipientIdentifier -> CMSIdentifier and heim_any -> name change
        improve error messages
        
        * kdc/pkinit.c: free openssl engine deal with RecipientIdentifier
        -> CMSIdentifier and heim_any -> name change
        
2004-10-04  Johan Danielsson  <joda@pdc.kth.se>

        * kuser/klist.c: use rtbl_set_separator
        
2004-10-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: filter out dup openssl engine keys, parse
        user options first

        * lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add
        openssl engine support for private key

        * lib/krb5/crypto.c: support padding as its done in CMS
        
        * kdc/pkinit.c: improve error logging
        
        * kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt
        
2004-09-30  Love Hörnquist Å
strand <lha@it.su.se>

        * lib/krb5/krb5.conf.5: assume minutes for time

        * lib/krb5/config_file.c (krb5_config_vget_time_default): use
        krb5_string_to_deltat

        * lib/krb5/appdefault.c (krb5_appdefault_time): use
        krb5_string_to_deltat

        * lib/krb5/time.c (krb5_string_to_deltat): set default unit to
        minute for compatibility with MIT Kerberos.
        

2004-09-28  Love Hörnquist Å
strand <lha@it.su.se>

        * lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large
        message safe" transport if we get back
        KRB5KRB_ERR_RESPONSE_TOO_BIG error. Idea from Guenther Deschner
        <gd@sernet.de>

2004-09-23 Johan Danielsson <joda@pdc.kth.se>

        * admin/list.c: use rtbl
        
        * admin/ktutil-commands.in: slc source file
        
        * lib/krb5/constants.c: check
        /Library/Preferences/edu.mit.Kerberos on OSX

2004-09-21  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/time.c (krb5_format_time): check return value from
        localtime and strftime

2004-09-14  Johan Danielsson  <joda@pdc.kth.se>

        * kuser/kinit.c: make sure we don't always get renewable creds
        
2004-09-11   Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/acache.c: use krb5_ccapi.h
        
        * lib/krb5/krb5_ccapi.h: break out krb5 api definitions to
        separate (not installed) file

        * lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS
        since AM_CPPFLAGS overridden by target specific _CPPFLAGS
        
2004-09-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: make variable shorter, make error messages
        from pkinit, make freeing easier
        
2004-09-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen
        
        * lib/krb5/crypto.c (seed_something): avoid poking at memory that
        is uninitialized, make valgrind unhappy. Pointd out by
        abartlet@samba.org. While where, plug the fd leak.
        
2004-09-05  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/der_get.c (decode_*): name all tag-length variables the
        same
        (decode_enumerated): check that the tag-length is not longer the length

        * lib/asn1/der_get.c (decode_boolean): fail if length of tag is
        larger then len

2004-08-31  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be
        set in case of failure too, free unconditionally on exit to avoid
        memory leak

2004-08-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after
        free

2004-08-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/context.c (krb5_get_err_text): if neither of com_right
        nor strerror finds the error-code, return Unknown error.
        
2004-08-19  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/krb5_kuserok.3: update to reality

        * lib/krb5/kuserok.c: if a .k5login file exist, don't give
        implicit rights to anyone; also check owner/mode of .k5login

2004-08-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3
        
        * lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname
        
        * lib/krb5/krb5.3: add krb5_getportbyname
        
        * lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid

        * lib/krb5/krb5_encrypt.3: document krb5_enctype_valid
        
2004-08-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes
        from the client and filter them out.
        
        * lib/krb5/krb5_string_to_key.3: document krb5_free_salt
        
2004-08-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_ticket.3: data needs to be freed when using
        krb5_ticket_get_authorization_data_type

2004-08-11  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/test_cc.c: test variables in default_cc_name
        
        * lib/krb5/krb5.conf.5: explain support for varibles in
        [libdefaults]default_cc_name
        
        * lib/krb5/cache.c: drop ${time}, its not very useful
        
        * lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expand
        variables in the default cc name. Supported variables now are:
        ${time},${uid} and ${null}

        * lib/krb5/krb5.conf.5: document default_cc_name
        
        * lib/krb5/cache.c (krb5_cc_set_default_name):
        s/libdefault/libdefaults/

2004-08-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/acache.c: replace magic 3 with ccapi_version_3
        
        * lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c
        
        * lib/krb5/krb5.h: add krb5_acc_ops
        
        * lib/krb5/acache.c: CCAPI v3 implementation, the read only
        support was from Magnus Ahltorp and then extended by me to support
        all other operations.  Tested with MIT kerberos cc cache
        implementation on MacOS 10.3.3

        * lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the
        default cc name, this is not very useful for general purpose glue
        since its not possible to glue in user information (like uid), but
        for CCAPI it works just fine

2004-08-05  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kgetcred.1: document --cache/-c
        
        * kuser/kgetcred.c: allow to specify what credential cache to use
        
2004-08-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3
        
        * lib/krb5/krb5_eai_to_heim_errno.3: document
        krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno
        
        * lib/krb5/krb5.3: add krb5_eai_to_heim_errno,
        krb5_h_errno_to_heim_errno

2004-07-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms
        result should be free with krb5_free_host_realm drop
        krb5_get_host_realm text

        * lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result
        should be free with krb5_free_host_realm
        
        * lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep
        
        * lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds
        
        * lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator
        
        * lib/krb5/Makefile.am: man_MANS += krb5_rd_error
        
        * lib/krb5/krb5_rd_error.3: krb5_rd_error and friends
        
        * lib/krb5/krb5_warn.3: clarify on what string
        krb5_free_error_string should operate on

        * lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred
        
        * lib/krb5/Makefile.am: krb5_get_credentials,
        krb5_get_forwarded_creds and friends

        * lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds
        and friends

        * lib/krb5/krb5_get_credentials.3: krb5_get_credentials and
        friends

2004-07-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/klist.c (print_cred_verbose): keytypes are no longer, use
        enctype

2004-07-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99
        compilers, From metze at samba.org

2004-07-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/test_cc.c: more cc tests
        
        * lib/krb5/krb5_check_transited.3: document krb5_check_transited
        
2004-07-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c (pk_principal_from_X509): reverse test, makes
        principal in cert work From: Mayur Patel <patelm4@rpi.edu>
        
2004-07-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am: add krb5_verify_init_creds.3

        * lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds
        
2004-07-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org
        description for krb5_passwd_result_to_string
        
2004-07-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar
        fixes; split sentence in two for better understanding.  From
        wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here.

        * lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan
        Stone <jonathan@dsg.stanford.edu>

        * lib/krb5/changepw.c (process_reply): cast ssize_t to long and
        print that From NetBSD via Havard Eidnes.
        
2004-07-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * configure.in: fix helpstring for hdb-openldap-module
        
        * lib/krb5/test_cc.c: don't use krb5_err on error code 0
        
2004-07-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better
        
2004-07-02  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const
        
2004-07-01  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with
        right argument

2004-06-27  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the
        krbtgt is without addresses, default to not sending our own
        addrport

        * lib/asn1/lex.l: add support for /* */ and partial line --
        comments

        * kuser/Makefile.am: don't install copy_cred_cache manpage
        
2004-06-24  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if
        copying a static opt, make sure to allocate the "private" field

2004-06-24  Love  <lha@stacken.kth.se>

        * kdc/config.c: add enable_pkinit_princ_in_cert
        
        * kdc/kdc_locl.h: enable_pkinit_princ_in_cert
        
        * kdc/pkinit.c: Check certificate for Kerberos Principal in
        OtherName of subjectAltName Based on patch from Mayur Patel
        <patelm4@rpi.edu>

2004-06-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/get_cred.c (init_tgs_req): if subkey not avaible, use
        session key for authorization-data

2004-06-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/connect.c (handle_tcp): note who is what that closed the
        connection on us

2004-06-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * admin/get.c (kt_get): catch errors from krb5_parse_name
        
2004-06-05  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: if its the entry just contains the
        structural object (no samba nor heimdal object), add an aux
        heimdal object on to it.
        
2004-06-02  Love Hörnquist Å
strand  <lha@it.su.se>

        * kpasswd/kpasswd.c: use krb5_set_password_using_ccache
        
        * lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache
        
        * lib/krb5/changepw.c: implement krb5_set_password_using_ccache
        
        * lib/hdb/hdb-ldap.c: Allow the objectClass to be
        "sambaSamAccount" or structural_object when searching for uid
        entries.

        * lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base
        
        * lib/hdb/hdb-ldap.c: add creation base that defaults to the
        search base

        * lib/hdb/hdb-ldap.c: indent like the rest of the code
        
2004-06-01  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: check return values from ldap operations and
        close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you
        should retry by yourself.

        * lib/hdb/hdb-ldap.c: require search base to be configured, create
        local context structure
        
2004-05-31  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: more ldap text, partly from Tarjei Huse
        <tarjei@nu.no>

2004-05-28  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/hdb/hdb-ldap.c: clean, indent
        
        * lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure
        krb5KeyVersionNumber is added on new entires

2004-05-27  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: minor fixes, partly from Tarjei Huse
        <tarjei@nu.no>

        * lib/krb5/krb5.conf.5: some text about dbname and realm
        
        * lib/krb5/krb5.conf.5: default value for
        hdb-ldap-structural-object is account

2004-05-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * tools/Makefile.am: use ! instead of , as sed delimiter
        
2004-05-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions

2004-05-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean
        
        * lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure
        option

        * lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From:
        Andrew Bartlett <abartlet@samba.org>
        
        * lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length
        check From: Andrew Bartlett <abartlet@samba.org>
        
        * lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword
        case, make sure ent->etypes are allocated, From: Andrew Bartlett
        <abartlet@samba.org>

2004-05-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c: move "setpag if (argc < 1)" to common path
        
2004-05-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers
        
        * fix-export: use right argument for -E

2004-05-06  Johan Danielsson  <joda@pdc.kth.se>

        * kuser/kinit.c: print some diagnostics if the exec fails
        
2004-04-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key
        From: Luke Howard <lukeh@padl.com>
        
        * lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket,
        not just a pointer size of it From: Luke Howard <lukeh@padl.com>
        
2004-04-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * fix-export: add -E flag where needed to make-proto
        
2004-04-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/crypto.c: add set_param for RC2
        
        * lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids
        that are no longer needed

        * kdc/pkinit.c: use krb5_enctype_to_oid
        
        * lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists
        before we compare with it

        * lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length
        before returning it add aes-oids
        
        * lib/krb5/crypto.c: add krb5_enctype_to_oid and
        krb5_oid_to_enctype

        * kdc/pkinit.c: use krb5_crypto_set_params
        
        * lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none

        * lib/krb5/krb5.h: add KEYTYPE_AES192
        
        * lib/krb5/pkinit.c: use krb5_crypto_get_params to implement
        kcrypto RC2 support

        * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
        rc2-cbc XXX RC2CBCParameter is wrong because the compiler is
        broken

        * lib/krb5/krb5.h: add KEYTYPE_RC2
        
        * lib/krb5/crypto.c: add partial CMS parameter handling, this is
        needed for RC2
        
        * lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp
        
        * lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c
        
        * lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp
        
        * lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE
        
        * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype
        rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken

2004-04-26  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/config_file.c: allow parsing directly from strings with
        krb5_config_parse_string_multi
        
        * lib/krb5/verify_krb5_conf.c: try to resolve hostnames
        
2004-04-25  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file
        descriptor so we don't have to keep track of it in two places
        
        * kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in
        libkrb5

        * lib/krb5/krb5_{,compare_}creds.3: move krb5_compare_creds to its
        own manpage
        
        * replace krb5_free_creds_contents by krb5_free_cred_contents
        
        * lib/krb5/cache.c: add krb5_cc_next_cred_match() and
        krb5_cc_copy_cred_match()
        
        * lib/krb5/creds.c (krb5_compare_creds): add more matching options
        
        * lib/krb5/krb5.h: add more creds match flags
        
        * kuser/copy_cred_cache: add --valid-for option
        
        * lib/krb5/store.c (krb5_store_creds): set is_skey flag if length
        of second ticket is > 0

2004-04-25  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/pkinit.c: use the right oid for pkauthdata
        
        * lib/krb5/pkinit.c: always send both win2k compat version and the
        ietf draft one, this is possible since microsoft use
        wrong/diffrent PA number.  Make the configuration flag boolean
        configuring if NOT to send the win2k compat glue.
        
        * lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec

        * kuser/copy_cred_cache.1: pacify mdoclint
        
        * kdc/pkinit.c: use IV for envelopeddata encryption, patch
        originally from Luke Howard <lukeh@padl.com>, tweeked by me.
        
        * lib/krb5/krb5_storage.3: document
        KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER

        * lib/krb5/krb5_data.3: document that krb5_data_free cleans the
        structure too

        * lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch
        originally from Luke Howard <lukeh@padl.com>, tweeked by me.
        
2004-04-24  Johan Danielsson  <joda@pdc.kth.se>

        * kuser/copy_cred_cache.{c,1}: add cred cache copy tool
        
        * configure.in: use rk_SYS_LARGEFILE
        
        * lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder
        issue with a storage flag instead of a separate function.
        
2004-04-24  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: move out the oid check from get_reply_key

        * lib/krb5/pkinit.c: uniquify error messages
        
        * lib/krb5/init_creds_pw.c: make the pkinit nonce same os the
        plain nonce for now

        * lib/krb5/pkinit.c: more w2k compat from Luke Howard
        <lukeh@padl.com> add RC2 support, clean up error messages
        
        * lib/krb5/pkinit.c: remove more dependency on
        krb5_config->pkinit_flags

        * lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft
        style answer to IETF, From Luke Howard <lukeh@padl.com>
        (_krb5_pk_create_sign): ms handles NULL in param, so always send it
        (_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool }

        * lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the
        digestAlgorithm to sha1 (both for SignerInfo and SignedData, add
        new function _set_digest_alg to set it

2004-04-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * include/make_crypto.c: include rc2.h, and when I'm here, make
        aes mandatory

        * lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT
        kerberos

        * lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on
        failure

        * lib/krb5/crypto.c (DES3_random_to_key): make it produce the
        right result
        (DES3_postproc): use DES3_random_to_key
        (krb5_random_to_key): check the required number of bits (not the size
        of the key)

        * lib/krb5/aes-test.c: test random to key function

        * lib/krb5/string-to-key-test.c: comment out the "@"/"" test for
        now

2004-04-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_string_to_key.3: document that
        krb5_string_to_key_derived is broken for non 3des enctypes and
        thus deprecated

        * kdc/pkinit.c (generate_dh_keyblock): use the new function
        krb5_random_to_key

        * lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they
        need special processing

        * lib/krb5/crypto.c (krb5_random_to_key): new function
        
        * lib/krb5/krb5_keyblock.3: document krb5_random_to_key
        
2004-04-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c: use the first proposed enable enctype
        
        * lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the
        return from krb5_enctype_valid

        * kdc/pkinit.c: at least try to handle diffrent enveloped enctypes
        
2004-04-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid
        components being smaller then 127 and allocate one extra element
        since first byte is split to to elements.
        
2004-04-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE:
        private use, lukeh@padl.com

2004-04-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode
        DH public key

2004-04-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_init_context.3: add krb5_context to so its added
        as manpage-link too

2004-04-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation,
        XXX add locking

        * kuser/kdestroy.c: add --credential argument that just remove one
        credential entry out of the cache specified
        
        * kdc/pkinit.c: replace the krb5.conf configuration option that
        describes the mapping between principals and subject names with a
        file, default /var/heimdal/pki-mapping. XXX this should be pushed
        into HDB. XXX should add issuer too
        
        * kdc/config.c: merge certificate/private_key to a user_id
        
2004-04-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kdc_locl.h: update prototype for pk_initialize
        
        * kuser/kinit.c: merge certificate/private_key to a user_id
        
        * kdc/pkinit.c: adapt to heim_integer changes
        
        * lib/krb5/pkinit.c: merge certificate/private_key to a user_id
        
        * kdc/pkinit.c: adapt to heim_integer changes,
        merge certificate/private_key to a user_id
        
2004-04-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE
        
2004-04-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building
        libkrb5.la, add KRB5_LIB_FUNCTION proto

        * lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION
        
        * configure.in: export KRB5_LIB_FUNCTION when building with
        BUILD_KRB5_LIB

        * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add
        error strings

        * lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing
        is printed on stderr, fflush it

        * lib/krb5/krb5_keyblock.3: free functions also zeros out the key
        
        * lib/krb5/krb5_get_init_creds.3: some text about
        krb5_prompter_posix

        * lib/krb5/krb5.conf.5: document hdb-ldap-structural-object
        
        * lib/krb5/cache.c: add krb5_cc_get_prefix_ops
        
        * lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops
        
2004-04-05  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/test/http_client.c: support GSS_C_DELEG_FLAG and
        GSS_C_MUTUAL_FLAG

        * appl/test/http_client.c: verbose logging
        
2004-04-02  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/connect.c: case size_t to unsigned long for LP64 platforms
        
2004-04-01  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of
        default structural object

        * tools/Makefile.am: handle sed expression breaking
        
2004-03-31  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr
        
        * lib/krb5/changepw.c: add tcp support to the set protocol, should
        be cleaned up to enable sharing code with krb5_sendto
        
        * kpasswd/kpasswd.c (change_password): remove extra free
        
        * lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on
        osf/1

2004-03-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't
        increase md->len, krb5_padata_add already does that
        
        * lib/krb5/init_creds.c: its PAC not PAQ
        
        * kuser/kinit.c: its PAC not PAQ
        
        * kdc/kerberos4.c: stop the client from renewing tickets into the
        future From: Jeffrey Hutzelman <jhutz@cmu.edu>

2004-03-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * configure.in: try to handle sys/strtty.h needing sys/stream.h
        
2004-03-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, its no
        longer used
        
        * kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/
        
        * lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to
        external users by prefixing it with _

        * lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/
        
        * lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external
        users by prefixing it with _

2004-03-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: add missing }
        
2004-03-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c: adapt to change of signature of
        _krb5_pk_load_openssl_id

        * lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add
        prompter argument and use it

        * kuser/kinit.c: adapt to signature change of
        krb5_get_init_creds_opt_set_pkinit
        
        * lib/krb5/krb5.3: add more stuff, 105 functions to go

        * lib/krb5/krb5_rcache.3: add krb5_get_server_rcache
        
        * lib/krb5/krb5_rcache.3: framework for replay cache manpage
        
        * lib/krb5/krb5_string_to_key.3: document string to key functions
        
        * lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3
        krb5_find_padata.3 krb5_generate_random_block.3

        * lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length
        
        * lib/krb5/krb5.3: add some more, 137 to go
        
        * lib/krb5/krb5_principal.3: document krb5_get_default_principal
        
        * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey
        
        * lib/krb5/krb5_generate_random_block.3: document
        krb5_generate_random_block
        
        * lib/krb5/krb5_find_padata.3: document padata functions
        
        * lib/krb5/krb5.3: add some more, 142 to go
        
        * lib/krb5/krb5_creds.3: drop .Pp before .Sh
        
        * lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm
        
        * lib/krb5/krb5_expand_hostname.3: document krb5_expand_hostname
        and krb5_expand_hostname_realms

        * lib/krb5/krb5.3: add more functions, 147 to go
        
        * lib/krb5/krb5_creds.3: document krb5_creds
        
        * lib/krb5/krb5_get_init_creds.3: add more functions, some more
        text

        * lib/krb5/krb5_ticket.3: document
        krb5_ticket_get_authorization_data_type

2004-03-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/aes-test.c: remove #if 0'ed code
        
        * lib/krb5/krb5.3: add keyblock functions, 177 functions to go
        
        * lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache
        
        * lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket
        
        * lib/krb5/krb5_config.3: document krb5_config_free_strings and
        krb5_config_file_free

        * lib/krb5/krb5_create_checksum.3: add krb5_hmac
        
        * lib/krb5/krb5.3: add keyblock functions, 190 functions to go

        * lib/krb5/krb5_keyblock.3: update .Dd
        
        * lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and
        krb5_generate_random_keyblock

        * lib/krb5/krb5_init_context.3: add krb5_init_ets
        
        * lib/krb5/krb5_config.3: add more krb5_config_ functions and
        prototypes

        * lib/krb5/krb5_init_context.3: document context modifcation
        functions: address list, config file, use admin kdc, fcc version
        
        * lib/krb5/krb5_storage.3: document krb5_storage and related
        functions

        * lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc
        manpages and test_acl test program

        * lib/krb5/krb5.3: add error string functions and sort
        
        * lib/krb5/krb5_warn.3: document krb5_abort and error string
        functions

        * lib/krb5/krb5.3: add missing functions, only 285 left to
        document

        * lib/krb5/krb5_crypto_init.3: remove various enctype related
        function

        * lib/krb5/krb5_encrypt.3: add various enctype related function
        here

        * lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid
        krb5_cksumtype_valid

        * lib/krb5/crypto.c: real return values for
        krb5_{enctype,cksumtype}_valid

        * lib/krb5/krb5_create_checksum.3: add some functions and
        descriptions

        * lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions
        
        * lib/krb5/krb5_auth_context.3: document
        krb5_auth_con_generatelocalsubkey

        * lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags
        
        * lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name
        
        * lib/krb5/krb5_init_context.3: document krb5_add_et_list
        
        * lib/krb5/krb524_convert_creds_kdc.3: document
        krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache

        * lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_*
        
        * lib/krb5/test_acl.c: test for generic acl code

        * lib/krb5/acl.c: plug memory leak on file matching, 
        make it not fall over when no non matching acl,
        make fnmatch matching useful by switching arguments
        
2004-03-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/config.c: add --builtin-hdb command
        
        * lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin
        backends

        * doc/setup.texi: include Luke Howard of PADL.COM ldap hdb
        documentation

        * doc/win2k.texi: fix bugs in examples, add more restrictions, use
        example.com as an example. From: Pavel Ferdan
        <xferdan@informatics.muni.cz>

2004-03-18  Johan Danielsson  <joda@pdc.kth.se>

        * lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin]
        password_lifetime; from Henry B. Hotz

2004-03-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY
        is set send subkey
        (generate if needed)

        * lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY
        
2004-03-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks,
        and free memory in error path, assume realloc(NULL, ...) works,
        factor out common code, indent

2004-03-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_krb5_conf.c: understand [password_quality]
        spelling
        
        * kuser/kgetcred.1: document --canonicalize
        
        * kuser/kgetcred.c: add --canonicalize
        
2004-03-10  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/fcache.c (fcc_store_cred): NULL terminate
        krb5_config_get_bool_default' arglist
        
2004-03-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply
        
        * kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry
        
        * kdc/pkinit.c: pass client hdb_entry to pk_check_client
        
        * kdc/kdc_locl.h: pass client hdb_entry to pk_check_client
        
        * kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since its
        more like that language in RFC3280
        
        * lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since
        its more like that language in RFC3280
        
        * lib/krb5/krb5.conf.5: document
        [libdefaults]fcc-mit-ticketflags=boolean

        * lib/krb5/fcache.c (fcc_store_cred): use
        [libdefaults]fcc-mit-ticketflags=boolean to decide what format to
        write the fcc in. Default to mit version (aka heimdal 0.7)
        
        * lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and
        _krb5_store_creds_heimdal_pre_0_7 that store the creds in just
        that format make krb5_store_creds default to mit format
        
        * lib/krb5/store.c (krb5_ret_creds): Runtime detect the what is
        the higher bits of the bitfield
        
2004-03-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/store.c (krb5_store_creds): add disabled code that
        store the ticket flags in reverse order
        (bitswap32): new function

        * lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags
        are set, its a mit cache, reverse the bits, bug pointed out by
        Sergio Gelato <Sergio.Gelato@astro.su.se>

2004-03-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP *
        
        * kuser/kinit.c: when running kinit with a subprocess, fetch new
        tickets after half the tickets lifetime
        
        * lib/hdb/hdb.c: spelling
        
        * lib/hdb/hdb-ldap.c: Intergrate Heimdal's hdb-ldap and the Samba
        password database.  From: Andrew Bartlett <abartlet@samba.org>

        * kdc/config.c: add --disable-DES
        
        * kdc/kdc.8: document --detach and --disable-DES
        
        * kdc/kerberos5.c: check if enctype is disabled before using it
        
        * lib/krb5/crypto.c: add support for disabling checksum/encryption
        types

        * tools/kdc-log-analyze.pl: add more cases
        
        * kdc/connect.c: on strange tcp error; log local port number and
        socket type
        
        * lib/asn1/der.h: fix prototype of encode_utf8string
        
        * lib/asn1/gen.c: catch CHOICE and generate dummy placeholder
        
        * lib/asn1/lex.l: added dummy parsing of CHOICE
        
        * lib/asn1/parse.y: added dummy parsing of CHOICE
        
        * lib/asn1/k5.asn1: drop SMTP_NAME
        
2004-03-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/Makefile.am: support building ldap backend as module
        sort asn1 hdb files
        
        * lib/hdb/hdb.c: when building ldap as a shared module, don't
        include it in the list

        * configure.in: add --enable-hdb-openldap-module
        
        * lib/hdb/hdb-ldap.c: make ldap possible to build as a shared
        module

        * lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew
        Bartlett <abartlet@samba.org>

        * lib/krb5/crypto.c (decrypt_internal_special): do not not modify
        the original data test case from Ronnie Sahlberg
        <ronnie_sahlberg@ozemail.com.au>

2004-03-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/test_cc.c: more cc tests, mostly related to mcc
        behavior

        * lib/krb5/mcache.c (mcc_get_principal): also check for
        primary_principal == NULL now that that isn't used as dead flag
        
        * lib/krb5/mcache.c: don't overload the primary_principal == NULL
        as dead since that doesn't always work. Based on patch from
        Jeffrey Hutzelman <jhutz@cmu.edu>, tweeked by me
        
2004-02-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp
        
        * lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp
        
        * lib/hdb/db3.c: fix all db >= 4.1 cases
        
        * doc/setup.texi: add text about hostname to realm mapping using
        DNS

2004-02-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c: update error codes
        
        * lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_

        * lib/krb5/pkinit.c: update error codes
        
2004-02-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort()
        
        * lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling
        
        * lib/krb5/store.c: handle memory allocate errors

        * lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok,
        and don't put an error in the error strings then
        
2004-02-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c: s/heim_big_integer/heim_integer/
        
        * lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/
        
        * kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors
        
        * lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT
        errors
        
        * lib/krb5/heim_err.et: add HEIM_PKINIT specific errors
        
2004-02-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * configure.in: rename AC_WFLAGS to rk_WFLAGS
        
        * acinclude.m4: use m4_define, over-quote string
        
2004-02-11  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds_pw.c (change_password): handle that
        printf("%.*s", 0, (void*)NULL); doesn't work on solaris
        
2004-02-10  Love Hörnquist Å
strand  <lha@it.su.se>

        * kpasswd/kpasswd.c (change_password): handle that printf("%.*s",
        0, (void*)NULL); doesn't work on solaris
        
        * lib/krb5/krb5.conf.5: don't use path's in first .Nm, it confuses
        some locate.updatedb, use FILES section to describe where the file
        is instead.

2004-02-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned
        for certain negative integers, it got the length wrong" , from
        Panasas, Inc.

        * lib/asn1/der_length.c: Fix len_unsigned for certain negative
        integers, it got the length wrong, fix from Panasas, Inc.
        
        rename len_int and len_unsigned to _heim_\&
        
        * lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int
        
2004-02-06  Dave Love  <d.love@dl.ac.uk>

        * configure.in: Check for sys/socket.h, net/if.h.  Modify term.h,
        security/pam_appl.h tests.
        
2004-02-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add
        up the size of all the elements, don't use just the size of the
        last element.

        * lib/krb5/aes-test.c: add "next iv" test for aes128, check
        decryption case too

        * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
        the next to last block, fix decryption case too
        
        * lib/krb5/aes-test.c: add "next iv" test for aes128
        
        * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of
        the next to last block

        * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
        error
        
        * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode
        error

        * lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1
        encode error

        * lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode
        error

        * lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1
        encode error

        * lib/krb5/build_auth.c (krb5_build_authenticator): abort on
        internal asn1 encode error

        * lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal
        asn1 encode error

2004-01-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: some text about order of [capaths] realms
        
2004-01-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/context.c: register WRFILE ops
        
        * lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE (same as FILE)
        
        * lib/krb5/krb5.h: add krb5_wrfkt_ops
        
        * kpasswd/kpasswdd.c (change): use the right password when
        changing the password

2004-01-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it
        means that the filesystem doesn't support locking
        
        * lib/krb5/keytab.c: remove #if 0 out file locking code
        
2004-01-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/asn1/gen_length.c (length_type): TSequenceOf: add up the
        size of all the elements, don't use just the size of the last
        element.

2004-01-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c (renew_validate): if renewable_flag and not time
        specifed, use "1 month"

2004-01-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_keyblock.3: add prototypes, describe
        krb5_keyblock_zero

2004-01-05  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/get_for_creds.c (add_addrs): don't add same address
        multiple times

        * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to
        handle errors better for previous commit

        * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets
        are address-less, forward address-less tickets.
        
        * lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and
        export it