source: heimdal/trunk/ChangeLog.2006@ 4

2006-12-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/process.c: Handle kx509 requests.

        * kdc/connect.c: Listen to 9878 if kca is turned on.

        * kdc/headers.h: Include <kx509_asn1.h>.

        * kdc/config.c: code to parse [kdc]enable-kx509

        * kdc/kdc.h: add enable_kx509

        * kdc/Makefile.am: add kx509.c

        * kdc/kx509.c: Kx509server (external certificate genration).

        * lib/krb5/ticket.c: add krb5_ticket_get_endtime

        * lib/krb5/krb5_ticket.3: Document krb5_ticket_get_endtime

        * kdc/digest.c: Remove <digest_asn.h>, its already included in
        headers.h

        * kdc/digest.c: Return session key for the NTLMv2 case too

        * lib/krb5/digest.c (krb5_ntlm_rep_get_sessionkey): return value
        is krb5_error_code
        
2006-12-27  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): use md5 for
        des-cbc-md4 and des-cbc-md5.  This is for (older) windows that
        will be unhappy anything else.  From Inna Bort-Shatsky
        
2006-12-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/digest.c: Prefix internal symbol with _kdc_.

        * kdc/kdc.h: add digests_allowed

        * kdc/digest.c: return NTLM2 targetinfo structure.

        * lib/krb5/digest.c: Add krb5_ntlm_init_get_targetinfo.

        * kdc/config.c: Parse digest acl's

        * kdc/kdc_locl.h: forward decl;

        * kdc/digest.c: Add digest acl's
        
2006-12-22  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * fix-export: build ntlm-private.h
        
2006-12-20  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * include/make_crypto.c: Include <.../hmac.h>.

        * kdc/digest.c: reorder to show slot here ntlmv2 code will be
        placed.

        * kdc/digest.c: Announce that we support key exchange and add bits
        to detect when it wasn't used.

        * kdc/digest.c: Add support for generating NTLM2 session security
        answer.
        
2006-12-19  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/digest.c: Add sessionkey accessor functions.
        
2006-12-18  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/digest.c: Unwrap the NTLM session key and return it to the
        server.
        
2006-12-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/store.c (krb5_ret_principal): Fix a bug in the malloc
        failure part, noticed by Arnaud Lacombe in NetBSD coverity scan.
        
2006-12-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/fcache.c (fcc_get_cache_next): avoid const warning.

        * kdc/digest.c: Support NTLM verification, note that the KDC does
        no NTLM packet parsing, its all done by the client side, the KDC
        just calculate and verify the digest and return the result to the
        service.

        * kuser/kdigest.c: add ntlm-server-init

        * kuser/Makefile.am: kdigest depends on libheimntlm.la

        * kdc/headers.h: Include <heimntlm.h>.

        * kdc/Makefile.am: libkdc needs libheimntlm.la

        * autogen.sh: just run autoreconf -i -f

        * lib/Makefile.am: hook in ntlm

        * configure.in (AC_CONFIG_FILES): add lib/ntlm/Makefile

        * lib/krb5/digest.c: API to authenticate ntlm requests.

        * lib/krb5/fcache.c: Support "iteration" of file credential caches
        by giving the user back the default file credential cache and only
        that.

        * lib/krb5/krb5_locl.h: Expand the default root for some of the cc
        type names.
        
2006-12-14  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/init_creds_pw.c (free_paid): free the krb5_data
        structure too.  Bug report from Stefan Metzmacher.
        
2006-12-12  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kuser/kinit.c: Read the appdefault configration before we try to
        use the flags.  Bug reported by Ingemar Nilsson.

        * kuser/kdigest.c: prefix digest commands with digest_

        * kuser/kdigest-commands.in: prefix digest commands with digest-
        
2006-12-10  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/hprop.c: Return error codes on failure, improve error
        reporting.
        
2006-12-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: sprinkle more _krb5_pk_copy_error

        * lib/krb5/pkinit.c: Copy more hx509 error strings to krb5 error
        strings
        
2006-12-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * include/Makefile.am: CLEANFILES += vis.h
        
2006-12-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c (_kdc_as_rep): add AD-INITAL-VERIFIED-CAS to the
        encrypted ticket

        * kdc/pkinit.c (_kdc_add_inital_verified_cas): new function, adds
        an empty (for now) AD_INITIAL_VERIFIED_CAS to tell the clients
        that we vouches for the CA.

        * kdc/kerberos5.c (_kdc_tkt_add_if_relevant_ad): new function.

        * lib/Makefile.am: Make the directories test automake conditional
        so automake can include directories in make dist step.

        * kdc/pkinit.c (_kdc_pk_rd_padata): leak less memory for
        ExternalPrincipalIdentifiers

        * kdc/pkinit.c: Parse and use PA-PK-AS-REQ.trustedCertifiers

        * kdc/pkinit.c: Add comment that the anchors in the signed data
        really should be the trust anchors of the client.

        * kuser/generate-requests.c: Use strcspn to remove \n from
        string returned by fgets.  From Björn Sandell
        
        * kpasswd/kpasswd-generator.c: Use strcspn to remove \n from
        string returned by fgets.  From Björn Sandell
        
2006-12-05  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: Clear errno before calling the strtol
        functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn
        Sandell.

        * lib/krb5/config_file.c: Use strcspn to remove \n from fgets
        result. Prompted by change by Ray Lai of OpenBSD via Björn
        Sandell.

        * kdc/string2key.c: Use strcspn to remove \n from fgets
        result. Prompted by change by Ray Lai of OpenBSD via Björn
        Sandell.
        
2006-11-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krbhst.c (plugin_get_hosts): be more paranoid and pass
        in a NULLed plugin list
        
2006-11-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_krb5_conf.c: add more pkinit options.

        * lib/krb5/pkinit.c: Store what PK-INIT type we used to know reply
        to expect, this avoids overwriting the real PK-INIT error from
        just a failed requeat with a Windows PK-INIT error (that always
        failes).

        * kdc/Makefile.am: Add LIB_pkinit to pacify AIX

        * lib/hdb/Makefile.am: Add LIB_com_err to pacify AIX
        
2006-11-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: Make build again from the hdb_entry
        wrapping. Patch from Andreas Hasenack.

        * kdc/pkinit.c: Need better code in the DH parameter rejection
        case, add comment to that effect.
        
2006-11-27  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/krb5tgs.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG for too large
        packets when using datagram based transports.

        * kdc/process.c: Pass down datagram_reply to _kdc_tgs_rep.

        * lib/krb5/pkinit.c (build_auth_pack): set supportedCMSTypes.
        
2006-11-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: Pass down hx509_peer_info.

        * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
        pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.

        * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and
        pass in into hx509_cms_create_signed_1 via hx509_peer_info blob.
        
2006-11-24  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/send_to_kdc.c: Set the large_msg_size to 1400, lets not
        fragment packets and avoid stupid linklayers that doesn't allow
        fragmented packets (unix dgram sockets on Mac OS X)
        
2006-11-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c (_krb5_pk_create_sign): stuff down the users
        certs in the pool to make sure a path is returned, without this
        proxy certificates wont work.
        
2006-11-21  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/config.c: Make all pkinit options prefixed with pkinit_

        * lib/krb5/log.c (krb5_get_warn_dest): return warn_dest from
        krb5_context

        * lib/krb5/krb5_warn.3: document krb5_[gs]et_warn_dest

        * lib/krb5/krb5.h: Drop KRB5_KU_TGS_IMPERSONATE.

        * kdc/krb5tgs.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
        checksum.

        * lib/krb5/get_cred.c: Use KRB5_KU_OTHER_CKSUM for the impersonate
        checksum.
        
2006-11-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/verify_user.c: Make krb5_get_init_creds_opt_free take a
        context argument.

        * lib/krb5/krb5_get_init_creds.3: Make
        krb5_get_init_creds_opt_free take a context argument.

        * lib/krb5/init_creds_pw.c: Make krb5_get_init_creds_opt_free take
        a context argument.

        * kuser/kinit.c: Make krb5_get_init_creds_opt_free take a context
        argument.

        * kpasswd/kpasswd.c: Make krb5_get_init_creds_opt_free take a
        context argument.

        * kpasswd/kpasswd-generator.c: Make krb5_get_init_creds_opt_free
        take a context argument.

        * kdc/hprop.c: Make krb5_get_init_creds_opt_free take a context
        argument.

        * lib/krb5/init_creds.c: Make krb5_get_init_creds_opt_free take a
        context argument.

        * appl/gssmask/gssmask.c: Make krb5_get_init_creds_opt_free take a
        context argument.
        
2006-11-19  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * doc/setup.texi: fix pkinit option (s/-/_/)

        * kdc/config.c: revert the enable-pkinit change, and make it
        consistant with all other other enable- options
        
2006-11-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: Make all pkinit options prefixed with pkinit_

        * kdc/config.c: Make all pkinit options prefixed with pkinit_

        * kdc/pkinit.c: Make app pkinit options prefixed with pkinit_

        * lib/krb5/pkinit.c: Make app pkinit options prefixed with pkinit_

        * lib/krb5/mit_glue.c (krb5_c_keylengths): make compile again.

        * lib/krb5/mit_glue.c (krb5_c_keylengths): rename.

        * lib/krb5/mit_glue.c (krb5_c_keylength): mit changed the api,
        deal.
        
2006-11-13  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/pac.c (fill_zeros): stop using MIN.

        * kuser/kinit.c: Forward decl
        
        * lib/krb5/test_plugin.c: Use NOTHERE.H5L.SE.

        * lib/krb5/krbhst.c: Fill in hints for picky getaddrinfo()s.

        * lib/krb5/test_plugin.c: Set sin_len if it exists.

        * lib/krb5/krbhst.c: Use plugin for the other realm locate types
        too.
        
2006-11-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_locl.h: Add plugin api

        * lib/krb5/Makefile.am: Add plugin api.

        * lib/krb5/krbhst.c: Use the resolve plugin interface.

        * lib/krb5/locate_plugin.h: Add plugin interface for resolving
        that is API compatible with MITs version.

        * lib/krb5/plugin.c: Add first version of the plugin interface.

        * lib/krb5/test_pac.c: Test signing.

        * lib/krb5/pac.c: Add code to sign PACs, only arcfour for now.

        * lib/krb5/krb5.h: Add struct krb5_pac.
        
2006-11-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/test_pac.c: PAC testing.

        * lib/krb5/pac.c: Sprinkle error strings.

        * lib/krb5/pac.c: Verify LOGON_NAME.

        * kdc/pkinit.c (_kdc_pk_check_client): drop client_princ as an
        argument

        * kdc/kerberos5.c (_kdc_as_rep): drop client_princ from
        _kdc_pk_check_client since its not valid in canonicalize case

        * lib/krb5/krb5_c_make_checksum.3: Document krb5_c_keylength.

        * lib/krb5/mit_glue.c: Add krb5_c_keylength.
        
2006-11-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pac.c: Almost enough code to do PAC parsing and
        verification, missing in the unix2NTTIME and ucs2 corner. The
        later will be adressed by finally adding libwind.

        * lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew

        * kdc/hpropd.c: Remove support dumping to a kerberos 4 database.
        
2006-11-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/context.c: rename krb5_[gs]et_time_wrap to
        krb5_[gs]et_max_time_skew

        * kdc/pkinit.c: Catch error string from hx509_cms_verify_signed.
        Check for id-pKKdcEkuOID and warn if its not there.

        * lib/krb5/rd_req.c: Add more krb5_rd_req_out_get functions.

2006-11-06  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/krb5.h: krb5_rd_req{,_in,_out}_ctx.

        * lib/krb5/rd_req.c (krb5_rd_req_ctx): Add context all singing-all
        dancing version of the krb5_rd_req and implement krb5_rd_req and
        krb5_rd_req_with_keyblock using it.

2006-11-04 Love Hörnquist Å
strand <lha@it.su.se>
        
        * kdc/kerberos5.c (_kdc_as_rep): More verbose time skew logging.
        
2006-11-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/expand_hostname.c: Rename various routines and
        constants from canonize to canonicalize.  From Andrew Bartlett

        * lib/krb5/context.c: Add krb5_[gs]et_time_wrap

        * lib/krb5/krb5_locl.h: Rename various routines and constants from
        canonize to canonicalize.  From Andrew Bartlett

        * appl/gssmask/common.c (add_list): fix alloc statement.
        From Alex Deiter
        
2006-10-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * include/Makefile.am: Move version.h and version.h.in to
        DISTCLEANFILES.
        
2006-10-24  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/gssmask/gssmask.c: Only log when there are resources left.

        * appl/gssmask/gssmask.c: make compile

        * appl/gssmask/gssmask.c (AcquireCreds): free
        krb5_get_init_creds_opt
        
2006-10-23  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * configure.in: heimdal 0.8-RC1

2006-10-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/digest.c: Try to not leak memory.

        * kdc/digest.c: Try to not leak memory.

        * Makefile.am: remove valgrind target, it doesn't belong here.

        * kuser/kinit.c: Try to not leak memory.

        * kuser/kgetcred.c: Try to not leak memory.

        * kdc/krb5tgs.c (check_KRB5SignedPath): free KRB5SignedPath on
        successful completion too, not just the error cases.

        * fix-export: Make make fix-export less verbose.

        * kuser/kgetcred.c: Try to not leak memory.

        * lib/hdb/keys.c (hdb_generate_key_set): free list of enctype when
        done.

        * lib/krb5/crypto.c: Allocate the memory we later use.

        * lib/krb5/test_princ.c: Try to not leak memory.

        * lib/krb5/test_crypto_wrapping.c: Try to not leak memory.

        * lib/krb5/test_cc.c: Try to not leak memory.

        * lib/krb5/addr_families.c (arange_free): Try to not leak memory.

        * lib/krb5/crypto.c (AES_string_to_key): Try to not leak memory.

2006-10-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * tools/heimdal-build.sh: Add --test-environment

        * tools/heimdal-build.sh: Add --ccache-dir

        * lib/hdb/Makefile.am: remove dependency on et files covert_db
        that now is removed
        
2006-10-20  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * include/Makefile.am: add gssapi to subdirs

        * lib/hdb/hdb-ldap.c: Make compile.

        * configure.in: add include/gssapi/Makefile.

        * include/Makefile.am: clean more files

        * include/make_crypto.c: Avoid creating a file called --version.

        * include/bits.c: Avoid creating a file called --version.

        * appl/test/Makefile.am: add nt_gss_common.h

        * doc/Makefile.am: Disable TEXI2DVI for now.

        * tools/Makefile.am: more files

        * lib/krb5/context.c (krb5_free_context): free send_to_kdc context

        * doc/heimdal.texi: Put Heimdal in the dircategory Security.

        * lib/krb5/send_to_kdc.c: Add sent_to_kdc hook, from Andrew
        Bartlet.

        * lib/krb5/krb5_locl.h: Add send_to_kdc hook.

        * lib/krb5/krb5.h: Add krb5_send_to_kdc_func prototype.

        * kcm/Makefile.am: more files

        * kdc/Makefile.am: more files

        * lib/hdb/Makefile.am: more files

        * lib/krb5/Makefile.am: add more files
        
2006-10-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * tools/Makefile.am: Add heimdal-build.sh to EXTRA_DIST.

        * configure.in: Don't check for timegm, libroken provides it for
        us.

        * lib/krb5/acache.c: Does function typecasts instead of void *
        type-casts.

        * lib/krb5/krb5.h: Remove bonus , that Love sneeked in.

        * configure.in: make --disable-pk-init help text also negative
        
2006-10-18  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kuser/kgetcred.c: Avoid memory leak.

        * tools/heimdal-build.sh: Add more verbose logging, add version of
        script and heimdal to the mail.

        * lib/hdb/db3.c: Wrap function call pointer calls in (*func) to
        avoid macros rewriting open and close.

        * lib/krb5/Makefile.am: Add test_princ.

        * lib/krb5/principal.c: More error strings, handle realm-less
        printing.

        * lib/krb5/test_princ.c: Test principal parsing and unparsing.
        
2006-10-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/get_host_realm.c (krb5_get_host_realm): make sure we
        don't recurse

        * lib/krb5/get_host_realm.c (krb5_get_host_realm): no components
        -> no dns. no mapping, try local realm and hope KDC knows better.

        * lib/krb5/krb5.h: Add flags for krb5_unparse_name_flags

        * lib/krb5/krb5_principal.3: Document
        krb5_unparse_name{_fixed,}_flags.

        * lib/krb5/principal.c: Add krb5_unparse_name_flags and
        krb5_unparse_name_fixed_flags.

        * lib/krb5/krb5_principal.3: Document krb5_parse_name_flags.

        * lib/krb5/principal.c: Add krb5_parse_name_flags.

        * lib/krb5/principal.c: Add krb5_parse_name_flags.

        * lib/krb5/krb5.h: Add krb5_parse_name_flags flags.

        * lib/krb5/krb5_locl.h: Hide krb5_context_data from public
        exposure.

        * lib/krb5/krb5.h: Hide krb5_context_data from public exposure.

        * kuser/klist.c: Use krb5_get_kdc_sec_offset.

        * lib/krb5/context.c: Document krb5_get_kdc_sec_offset()
        
        * lib/krb5/krb5_init_context.3: Add krb5_get_kdc_sec_offset()
        
        * lib/krb5/krb5_init_context.3: Add krb5_set_dns_canonize_hostname
        and krb5_get_dns_canonize_hostname

        * lib/krb5/verify_krb5_conf.c:
        add [libdefaults]dns_canonize_hostname

        * lib/krb5/expand_hostname.c: use dns_canonize_hostname to
        determin if we should talk to dns to find the canonical name of
        the host.

        * lib/krb5/krb5.h (krb5_context): add dns_canonize_hostname.

        * tools/heimdal-build.sh: Set status.

        * appl/gssmask/gssmask.c: handle more bits

        * kdc/kerberos5.c: Prefix asn1 primitives with der_.
        
2006-10-16  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * fix-export: Build lib/asn1/der-protos.h.
        
2006-10-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/gssmask/Makefile.am: Add explit depenency on libroken.

        * kdc/krb5tgs.c: Prefix der primitives with der_.

        * kdc/pkinit.c: Prefix der primitives with der_.

        * lib/hdb/ext.c: Prefix der primitives with der_.
        
        * lib/hdb/ext.c: Prefix der primitives with der_.

        * lib/krb5/crypto.c: Remove workaround from when there wasn't
        always aes.

        * lib/krb5/ticket.c: Prefix der primitives with der_.
        
        * lib/krb5/digest.c: Prefix der primitives with der_.

        * lib/krb5/crypto.c: Prefix der primitives with der_.

        * lib/krb5/data.c: Prefix der primitives with der_.
        
2006-10-12  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break. From
        Olga Kornievskaia.

        * kdc/kdc.8: document max-kdc-datagram-reply-length

        * include/bits.c: Include Xint64 types.
        
2006-10-10  Love Hörnquist Å
strand  <lha@it.su.se>

        * tools/heimdal-build.sh: Add socketwrapper and cputime limit.

        * kdc/connect.c (loop): Log that the kdc have started.
        
2006-10-09  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/connect.c (do_request): tell krb5_kdc_process_request if its
        a datagram reply or not

        * kdc/kerberos5.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG error if its
        a datagram reply and the datagram reply length limit is reached.

        * kdc/process.c: Rename krb5_kdc_process_generic_request to
        krb5_kdc_process_request Add datagram_reply argument.

        * kdc/config.c: check for [kdc]max-kdc-datagram-reply-length

        * kdc/kdc.h (krb5_kdc_config): Add max_datagram_reply_length.

        * lib/hdb/keytab.c: Change || to |, From metze.

        * lib/hdb/keytab.c: Add back :file to sample format.

        * lib/hdb/keytab.c: Add more HDB_F flags to hdb_fetch. Pointed out
        by Andrew Bartlet.

        * kdc/krb5tgs.c (tgs_parse_request): set cusec, not csec from
        auth->cusec.
        
2006-10-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * fix-export: dist_-ify libkadm5clnt_la_SOURCES too

        * doc/heimdal.texi: Update (c) years.

        * appl/gssmask/protocol.h: Clarify protocol.

        * kdc/hpropd.c: Adapt to signature change of
        _krb5_principalname2krb5_principal.

        * kdc/kerberos4.c: Adapt to signature change of
        _krb5_principalname2krb5_principal.

        * kdc/connect.c (handle_vanilla_tcp): shorten length when we
        shorten the buffer, this matter im the PK-INIT encKey case where a
        checksum is done over the whole packet. Reported by Olga
        Kornievskaia
        
2006-10-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * include/Makefile.am: crypto-headers.h is a nodist header

        * lib/krb5/aes-test.c: Make argument to PKCS5_PBKDF2_HMAC_SHA1
        unsigned char to make OpenSSL happy.

        * appl/kf/Makefile.am: Add man_MANS to EXTRA_DIST

        * kuser/Makefile.am: split build files into dist_ and noinst_
        SOURCES

        * lib/hdb/Makefile.am: split build files into dist_ and noinst_
        SOURCES

        * lib/krb5/Makefile.am: split build files into dist_ and noinst_
        SOURCES

        * kdc/kerberos5.c: Adapt to signature change of
        _krb5_principalname2krb5_principal.
        
2006-10-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krbhst.c (common_init): don't try DNS when there is
        realm w/o a dot.

        * kdc/524.c: Adapt to signature change of
        _krb5_principalname2krb5_principal.

        * kdc/krb5tgs.c: Adapt to signature change of
        _krb5_principalname2krb5_principal.

        * lib/krb5/get_in_tkt.c: Adapt to signature change of
        _krb5_principalname2krb5_principal.

        * lib/krb5/rd_cred.c: Adapt to signature change of
        _krb5_principalname2krb5_principal.

        * lib/krb5/rd_req.c: Adapt to signature change of
        _krb5_principalname2krb5_principal.

        * lib/krb5/asn1_glue.c (_krb5_principalname2krb5_principal): add
        krb5_context to signature.

        * kdc/524.c (_krb5_principalname2krb5_principal): adapt to
        signature change

        * lib/hdb/keytab.c (hdb_get_entry): close and destroy the database
        later, the hdb_entry_ex might still contain links to the database
        that it expects to use.

        * kdc/digest.c: Make digest argument o MD5_final unsigned char to
        help OpenSSL.

        * kuser/kdigest.c: Make digest argument o MD5_final unsigned char
        to help OpenSSL.

        * appl/gssmask/common.h: Maybe include <sys/wait.h>.
        
2006-10-05  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * appl/gssmask/common.h: disable ENABLE_PTHREAD_SUPPORT and
        explain why

        * tools/heimdal-build.sh: Another mail header.

        * tools/heimdal-build.sh: small fixes

        * fix-export: More liberal parsing of AC_INIT

        * tools/heimdal-build.sh: first cut
        
2006-10-04  Love Hörnquist Å
strand  <lha@it.su.se>

        * configure.in: Call AB_INIT.

        * kuser/kinit.c: Add flag --pk-use-enckey.

        * kdc/pkinit.c: Sign the request in the encKey case.  Bug reported
        by Olga Kornievskaia of Umich.

        * lib/krb5/Makefile.am: man_MANS += krb5_digest.3

        * lib/krb5/krb5_digest.3: Add all protos
        
2006-10-03  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/krb5_digest.3: Basic krb5_digest manpage.
        
2006-10-02  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * fix-export: build gssapi mech private files
        
        * lib/krb5/init_creds_pw.c: minimize layering and remove
        krb5_kdc_flags

        * lib/krb5/get_in_tkt.c: Always use the kdc_flags in the right bit
        order.

        * lib/krb5/init_creds_pw.c: Always use the kdc_flags in the right
        bit order.

        * kuser/kdigest.c: Don't require --kerberos-realm.

        * lib/krb5/digest.c (digest_request): if NULL is passed in as
        realm, use default realm.

        * fix-export: build gssapi mech private files
        
2006-09-26  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * appl/gssmask/gssmaestro.c: Handle FIRST_CALL in the context
        building, better error handling.

        * appl/gssmask/gssmaestro.c: switch from wrap/unwrap to
        encrypt/decrypt
        
        * appl/gssmask/gssmask.c: Don't announce spn if there is none.

        * appl/gssmask/gssmaestro.c: Check that the pre-wrapped data is
        the same as afterward.
        
2006-09-25  Love Hörnquist Å
strand <lha@it.su.se>
        
        * appl/gssmask/gssmaestro.c: Remove stray GSS_C_DCE_STYLE.

        * appl/gssmask/gssmaestro.c: Add logsocket support.
        
2006-09-22  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * appl/gssmask/gssmaestro.c (build_context): print the step the
        context exchange.
        
2006-09-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/gssmask/gssmaestro.c: Add GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG
        to all context flags
        
        * appl/gssmask/gssmaestro.c: Add wrap and mic tests for all
        elements

        * appl/gssmask/gssmask.c: Add mic tests

        * appl/gssmask/gssmaestro.c: dont exit early then when context
        is half built.
        
        * lib/krb5/rd_req.c: disable ETypeList parsing usage for now, cfx
        seems broken and its not good to upgrade to a broken enctype.
        
2006-09-20  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * appl/gssmask/gssmask.c: Add wrap/unwrap ops

        * appl/gssmask/protocol.h: Add eGetVersionAndCapabilities flags

        * appl/gssmask/common.c: Add permutate_all (and support
        functions).

        * appl/gssmask/common.h: Add permutate_all

        * appl/gssmask/gssmask.c: use new flags, return moniker

        * appl/gssmask/gssmaestro.c: test self context building and all
        permutation of clients
        
2006-09-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/gssmask/gssmask.c: add --logfile option, use htons() on
        port number

        * appl/gssmask/gssmaestro.c: Log port in connection message.

        * configure.in: Make pk-init turned on by default.
        
2006-09-18  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * fix-export: Build lib/hx509/{hx509-protos.h,hx509-private.h}.

        * kuser/Makefile.am: Add tool for printing tickets.

        * kuser/kimpersonate.1: Add tool for printing tickets.
        
        * kuser/kimpersonate.c: Add tool for printing tickets.

        * kdc/krb5tgs.c: Check the adtkt in the constrained delegation
        case too.
        
2006-09-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/main.c (sigterm): don't _exit, let loop() catch the signal
        instead.

        * lib/krb5/krb5_timeofday.3: Fixes from Björn Sandell.

        * lib/krb5/krb5_get_init_creds.3: Fixes from Björn Sandell.
        
2006-09-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * tools/krb5-config.in: Add "kafs" option.
        
2006-09-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/db.c: By using full function calling conversion (*func)
        we avoid problem when close(fd) is overridden using a macro.

        * lib/krb5/cache.c: By using full function calling
        conversion (*func) we avoid problem when close(fd) is overridden
        using a macro.
        
2006-09-11  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/kerberos5.c: Signing outgoing tickets.

        * kdc/krb5tgs.c: Add signing and checking of tickets to s4u2self
        works securely.

        * lib/krb5/pkinit.c: Adapt to new signature of
        hx509_cms_unenvelope.
        
2006-09-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c (pk_verify_host): set errorstrings in a
        sensable way
        
2006-09-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_init_context.3: Prevent a font generation warning,
        from Jason McIntyre.
        
2006-09-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/context.c (krb5_init_ets): Add the hx errortable

        * lib/krb5/krb5_locl.h: Include hx509_err.h.

        * lib/krb5/pkinit.c (_krb5_pk_verify_sign): catch the error string
        from the hx509 lib
        
2006-09-04  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
        fix argument to krb5_get_init_creds_opt_set_addressless.

        * lib/krb5/init_creds_pw.c (init_cred_loop): try to catch the
        error when we actually have an error to catch.

        * lib/krb5/init_creds_pw.c: Remove debug printfs.

        * kuser/kinit.c: Remove debug printf

        * lib/krb5/krb5_get_init_creds.3: Document
        krb5_get_init_creds_opt_set_addressless.

        * kuser/kinit.c: Use new function
        krb5_get_init_creds_opt_set_addressless.

        * lib/krb5/krb5_locl.h: use new addressless, convert pa-pac option
        to use the same tri-state option as the new addressless option.

        * lib/krb5/init_creds_pw.c: use new addressless, convert pa-pac
        option to use the same tri-state option as the new addressless
        option.

        * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_addressless):
        used to control the address-lessness of the initial tickets
        instead of passing in the empty set of address into
        krb5_get_init_creds_opt_set_addresses.
        
2006-09-01  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kuser/kinit.c (renew_validate): inherit the proxiable and
        forwardable from the orignal ticket, pointed out by Bernard
        Antoine of CERN.
        
        * doc/setup.texi: More text about the acl_file entry and
        hdb-ldap-structural-object.  From RÃŒdiger Ranft.

        * lib/krb5/krbhst.c (fallback_get_hosts): limit the fallback
        lookups to 5.  Patch from Wesley Craig, umich.edu

        * configure.in: Add special tests for <sys/ucred.h>, include test
        for sys/param.h and sys/types.h

        * appl/test/tcp_server.c (proto): use keytab for krb5_recvauth
        Patch from Ingemar Nilsson <init@pdc.kth.se>
        
2006-08-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kdigest.c (help): use sl_slc_help().

        * kdc/digest.c: Catch more error, add SASL DIGEST MD5.

        * lib/krb5/digest.c: Catch more error.

2006-08-25  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: language.

        * doc/heimdal.texi: Add last updated text.
        
        * doc/heimdal.css: make box around heimdal title
        
        * doc/heimdal.css: Inital Heimdal css for the info manual
        
        * lib/krb5/digest.c: In the case where we get a DigestError back,
        save the error string and code.
        
2006-08-24  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c: Remove _kdc_find_etype(), its no longer used.

        * kdc/digest.c: Remove local error label and have just one exit
        label, set error strings properly.

        * kdc/digest.c: Simply the disabled-service case.  Check the
        allow-digest flag in the HDB entry for the client.

        * kdc/process.c (krb5_kdc_process_generic_request): check if we
        got a digest request and process it.

        * kdc/main.c: Register hdb keytab operations.

        * kdc/kdc.8: document [kdc]enable-digest=boolean

        * kdc/Makefile.am: add digest to libkdc

        * kdc/digest.c: Make a return a goto to avoid freeing un-inited
        memory in cleanup code.

        * kdc/default_config.c (krb5_kdc_default_config): default to all
        bits set to zero.

        * kdc/kdc.h (krb5_kdc_configuration): Add enable_digest

        * kdc/headers.h: Include <digest_asn1.h>.

        * lib/krb5/context.c (krb5_kerberos_enctypes): new function,
        returns the list of Kerberos encryption types sorted in order of
        most preferred to least preferred encryption type.

        * kdc/misc.c (_kdc_get_preferred_key): new function, Use the order
        list of preferred encryption types and sort the available keys and
        return the most preferred key.

        * kdc/krb5tgs.c: Adapt to the new sigature of _kdc_find_keys().

        * kdc/kerberos5.c: Handle session key etype separately from the
        tgt etype, now the krbtgt can be a aes-only key without the need
        to support not-as-good etypes for the krbtgt.
        
2006-08-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/misc.c: Change _kdc_db_fetch() to return the database
        pointer to if needed by the consumer.

        * kdc/krb5tgs.c: Change _kdc_db_fetch() to return the database
        pointer to if needed by the consumer.

        * kdc/kerberos5.c: Change _kdc_db_fetch() to return the database
        pointer to if needed by the consumer.
        
        * kdc/kerberos4.c: Change _kdc_db_fetch() to return the database
        pointer to if needed by the consumer.
        
        * kdc/kaserver.c: Change _kdc_db_fetch() to return the database
        pointer to if needed by the consumer.

        * kdc/524.c: Change _kdc_db_fetch() to return the database pointer
        to if needed by the consumer.

        * kuser/kdigest-commands.in: Add --kerberos-realm, add client
        request command.

        * lib/krb5/Makefile.am: digest.c
        
        * lib/krb5/krb5.h: Add digest glue.

        * lib/krb5/digest.c (krb5_digest_set_authentication_user): use
        krb5_principal
        
        * lib/krb5/digest.c: Add digest support to the client side.
        
2006-08-21  Love Hörnquist Å
strand  <lha@it.kth.se>

        * lib/krb5/rd_rep.c (krb5_rd_rep): free krb5_ap_rep_enc_part on
        error and set return pointer to NULL
        (krb5_free_ap_rep_enc_part): permit freeing of NULL
        
2006-08-18  Love Hörnquist Å
strand  <lha@it.kth.se>

        * kdc/{Makefile.am,kdigest.c,kdigest-commands.in}:
        Frontend for remote digest service in KDC

        * lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl
        functions.

        * lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions,
        stores/retrieves a \n terminated string.

        * lib/krb5/krb5_locl.h: Default to address-less tickets.

        * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear
        error string on error.
        
2006-07-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/crypto.c: remove aes-192 (CMS)

        * lib/krb5/crypto.c: Remove more CMS bits.
        
        * lib/krb5/crypto.c: Remove CMS symmetric encryption support.
        
2006-07-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c (_kdc_pk_check_client): make it not crash when
        there are no acl

        * kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos
        database

        * lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to
        HDB-Ext-PKINIT-hash.  Add trust anchor to HDB-Ext-PKINIT-acl.

        * lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to
        asn1_HDB_Ext_PKINIT_hash

        * lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash().
        
2006-07-10  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c: If --password-file gets STDIN, read the password
        from the standard input.

        * kuser/kinit.1: Document --password-file=STDIN.

        * lib/krb5/krb5_string_to_key.3: Remove duplicate to.
        
2006-07-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/krb5tgs.c: (tgs_build_reply): when checking for removed
        principals, check the second component of the krbtgt, otherwise
        cross realm wont work.  Prompted by report from Mattias Amnefelt.

2006-07-05  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/connect.c (handle_vanilla_tcp): use unsigned integer for for
        length
        (handle_tcp): if the high bit it set in the unknown case, send
        back a KRB_ERR_FIELD_TOOLONG
        
2006-07-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/gssmask/gssmaestro.c: Add get_version_capa, cache
        target_name.

        * appl/gssmask/gssmask.c: use utname() to find the local hostname
        and version of operatingsystem

        * appl/gssmask/common.h: include <sys/utsname.h>

        * appl/gssmask/gssmask.c: break out creation of a client and make
        handleServer pthread_create compatible

        * appl/gssmask/gssmaestro.c: break out out the build context
        function
        
2006-07-01  Love Hörnquist Å
strand  <lha@it.su.se>

        * appl/gssmask/gssmaestro.c: externalize slave handling, add
        GetTargetName glue

        * appl/gssmask/gssmaestro.c: externalize principal/password handling

        * lib/krb5/principal.c (krb5_parse_name): set *principal to NULL
        the first thing we do, so that on failure its set to a known value

        * appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to
        avoid memory corruption GetTargetName: always send a string, even
        though we don't have a targetname

        * appl/gssmask: break out common function; add gssmaestro (that
        only tests one context for now)

2006-06-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on
        malloc failure

        * appl/gssmask/gssmask.c: split out fetching of credentials for
        easier reuse for pk-init testing

        * appl/gssmask: maggot replacement, handles context testing

        * lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME
        as the default prefix
        
2006-06-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/heimdal.texi: Add Doug Rabson's license
        
2006-06-22  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the
        krb5_get_init_creds_opt structure.

        * lib/krb5/init_creds_pw.c: Save KRB-ERROR on error.

        * lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add
        KRB-ERROR
        
2006-06-21  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: section about verify_krb5_conf and kadmin check
        
2006-06-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred
        argument, its unused

        * lib/krb5/Makefile.am: install krb5_get_creds.3
        
        * lib/krb5/krb5_get_creds.3: new file
        
2006-06-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is
        ARCFOUR key already.  Idea from Andreas Hasenack.  While here, set
        pw change time using sambaPwdLastSet

        * kdc/kerberos4.c: Use enable_v4_per_principal and check the new
        hdb flag.

        * kdc/kdc.h: Add enable_v4_per_principal
        
2006-06-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c (_kdc_as_rep): if kdc_time +
        config->kdc_warn_pwexpire is past pw_end, add expiration
        message. From Bernard Antoine.
        
        * kdc/default_config.c (krb5_kdc_default_config): set
        kdc_warn_pwexpire to 0

        * kdc/kerberos5.c: indent.
        
2006-06-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos5.c: constify
        
2006-06-06  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/get_cred.c: Allow setting additional tickets in the
        tgs-req

        * kuser/kgetcred.c: add --delegation-credential-cache

        * kdc/krb5tgs.c (tgs_build_reply): add constrained delegation.

        * kdc/krb5tgs.c: Add impersonation.

        * kuser/kgetcred.c: use new krb5_get_creds interface, add
        impersonation.

        * lib/krb5/get_cred.c (krb5_get_creds): add
        KRB5_GC_NO_TRANSIT_CHECK

        * lib/krb5/misc.c: Add impersonate support functions.

        * lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface.

        * lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation

        * lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more
        KRB5_GC flags.
        
2006-06-01  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function.

        * lib/krb5/pkinit.c: Avoid more shadowing.

        * kdc/connect.c (do_request): clean reply with krb5_data_zero

        * kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local
        clien must exists test.

        * kdc/krb5tgs.c: Plug old memory leaks, unify all goto's.

        * kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and
        tgs_build_reply.

        * kdc/kerberos5.c: split out krb5 tgs req to make it easier to
        reorganize the code.
        
2006-05-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell

        * lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell
        
2006-05-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * kpasswd/kpasswdd.c (change): select the realm based on the
        target principal From Gabor Gombas

        * lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO
        
        * lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO
        
2006-05-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed.
        Fix a warning.

        * doc/setup.texi: Point to more examples, hint that you have to
        use openssl 0.9.8a or later.

        * doc/setup.texi: DIR now handles both PEM and DER.

        * kuser/kinit.c: Pass down prompter and password to
        krb5_get_init_creds_opt_set_pkinit.

        * lib/krb5/pkinit.c (_krb5_pk_load_id): only use password if its
        longer then 0
        
        * doc/ack.texi: Add Jason McIntyre.
        
        * lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason
        McIntyre.
        
2006-05-11  Love Hörnquist Å
strand  <lha@it.su.se>

        * kuser/kinit.c: Move parsing of the PK-INIT configuration file to
        the library so application doesn't need to deal with it.

        * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move
        parsing of the configuration file to the library so application
        doesn't need to deal with it.

        * lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to
        when trying to read the user certificate.

        * lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1
        on failure. Pointed out by Douglas E. Engert.
        
2006-05-08  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/crypto.c: Catches both keyed checkout w/o crypto
        context cases and doesn't reset the string, and corrects the
        grammar.

        * lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support,
        its all containted in libhcrypto and libhx509 now.
        
2006-05-07  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use
        hx509_get_one_cert.

        * lib/krb5/crypto.c (create_checksum): provide a error message
        that a key checksum needs a key.  From Andew Bartlett.
        
2006-05-06  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check
        for hx509 null DH.

        * kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exists in
        older OpenSSL.

        * doc/heimdal.texi: Add blob about imath.

        * doc/ack.texi: Add blob about imath.

        * include/make_crypto.c: Move up evp.h to please OpenSSL, from
        Douglas E. Engert.

        * kcm/acl.c: Multicache kcm interation isn't done yet, let wait
        with this enum.
        
2006-05-05  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn
        Sandell

        * lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell

        * lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell

        * lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell

        * lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn
        Sandell

        * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn
        Sandell

        * lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit
        kvno if the reset of the data is longer then 4 bytes in hope to be
        forward compatible. Pointed out by Michael B Allen.

        * doc/programming.texi: Add fileformats.

        * appl/test: Rename u_intXX_t to uintXX_t

        * kuser: Rename u_intXX_t to uintXX_t

        * kdc: Rename u_intXX_t to uintXX_t

        * lib/hdb: Rename u_intXX_t to uintXX_t
        
        * lib/45]: Rename u_intXX_t to uintXX_t

        * lib/krb5: Rename u_intXX_t to uintXX_t

        * lib/krb5/Makefile.am: Add test_store to TESTS

        * lib/krb5/pkinit.c: Catch using hx509 null DH and print a more
        useful error message.

        * lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan.
        
2006-05-04  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/kerberos4.c: Use the new unsigned integer storage types.

        * kdc/kaserver.c: Use the new unsigned integer storage
        types. Sprinkle some error handling.

        * lib/krb5/krb5_storage.3: Document ret and store function for the
        unsigned fixed size integer types.

        * lib/krb5/v4_glue.c: Use the new unsigned integer storage
        types. Fail that the address doesn't match, not the reverse.

        * lib/krb5/store.c: Add ret and store function for the unsigned
        fixed size integer types.

        * lib/krb5/test_store.c: Test the integer storage types.
        
2006-05-03  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/store.c (krb5_store_principal): make it take a
        krb5_const_principal, indent

        * lib/krb5/krb5_storage.3: krb5_store_principal takes a
        krb5_const_principal

        * lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no
        longer a pointer.

        * kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file

        * kdc/config.c: read [kdc]pki-kdc-ocsp
        
2006-05-02  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if
        it seems to be valid, simplfy the pkinit-windows DH case (it
        doesn't exists).
        
2006-05-01  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell.

        * lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn
        Sandell.

        * lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from
        Björn Sandell.

        * lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn
        Sandell.

        * lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn
        Sandell.

        * lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn
        Sandell.

        * lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn
        Sandell.

        * lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn
        Sandell.

        * lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn
        Sandell.

        * lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn
        Sandell.

        * lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn
        Sandell.

        * lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from
        Björn Sandell.

        * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
        from Björn Sandell.

        * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes,
        from Björn Sandell.

        * lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from
        Björn Sandell.

        * lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from
        Björn Sandell.

        * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from
        Björn Sandell.

        * lib/krb5/krb5_address.3: Spelling/mdoc changes, from
        Björn Sandell.

        * lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from
        Björn Sandell.

        * lib/krb5/krb5.3: Spelling, from Björn Sandell.
        
        * doc/ack.texi: add Björn

2006-04-30  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c (cert2epi): don't include subject if its null
        
2006-04-29  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: Send over what trust anchors the client have
        configured.

        * lib/krb5/pkinit.c (pk_verify_host): set better error string,
        only check kdc name/address when we got a hostname/address passed
        in the the function.

        * kdc/pkinit.c (_kdc_pk_check_client): reorganize and make log
        when a SAN matches.
        
2006-04-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * doc/setup.texi: More options and some text about windows
        clients, certificate and KDCs.

        * doc/setup.texi: notice about pki-mappings file space sensitive

        * doc/setup.texi: Example pki-mapping file.

        * lib/krb5/pkinit.c (pk_verify_host): verify hostname/address

        * lib/hdb/hdb.h: Bump hdb interface version to 4.
        
2006-04-27  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kuser/kdestroy.1: Document --credential=principal.

        * kdc/kerberos5.c (tgs_rep2): check that the client exists in the
        kerberos database if its local request.

        * kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_
        flags as appropriate

        * kdc/kerberos4.c (_kdc_db_fetch4): pass down flags though
        krb5_425_conv_principal_ext2

        * kdc/misc.c (_kdc_db_fetch): Break out the that we request from
        principal from the entry and pass it in as a seprate argument.

        * lib/hdb/keytab.c (hdb_get_entry): Break out the that we request
        from principal from the entry and pass it in as a seprate
        argument.

        * lib/hdb/common.c: Break out the that we request from principal
        from the entry and pass it in as a seprate argument.

        * lib/hdb/hdb.h: Break out the that we request from principal from
        the entry and pass it in as a seprate argument. Add more flags to
        ->hdb_get(). Re-indent.
        
2006-04-26  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * doc/setup.texi: document pki-allow-proxy-certificate

        * kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool
        to allow using proxy certificate.

        * lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose
        hx509_verify_set_proxy_certificate

        * kdc/pkinit.c (_kdc_pk_check_client): Use
        hx509_cert_get_base_subject to get subject name of the
        certificate, needed for proxy certificates.

        * kdc/kerberos5.c: Now that find_keys speaks for it self, remove
        extra logging.

        * kdc/kerberos5.c (find_keys): add client_name and server_name
        argument and use them, and adapt callers.
        
2006-04-25  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kuser/kinit.1: document option password-file

        * kuser/kinit.c: Add option password-file, read password from the
        first line of a file.

        * configure.in: make tests/kdc/Makefile

        * kdc/kerberos5.c: Catch the case where the client sends no
        encryption types or no pa-types.

        * lib/hdb/ext.c (hdb_replace_extension): set error message on
        failure, not success.

        * lib/hdb/keys.c (parse_key_set): handle error case better
        (hdb_generate_key_set): return better error
        
2006-04-24  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/hdb/hdb.c (hdb_create): print out what we don't support

        * lib/krb5/principal.c: Remove a double free introduced in 1.93

        * lib/krb5/log.c (log_file): reset pointer to freed memory

        * lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to
        make sure its not refereced

        * tools/krb5-config.in: libhcrypto might depend on libasn1, switch
        order

        * lib/krb5/recvauth.c: indent

        * doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node
        Listing.

        * lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the
        function can verify the certificate is from the right realm.

        * lib/krb5/init_creds_pw.c: Pass down realm to
        _krb5_pk_rd_pa_reply
        
2006-04-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c (pk_verify_host): Add begining of finding
        subjectAltName_otherName pk-init-san and verifing it.

        * lib/krb5/sendauth.c: reindent

        * doc/Makefile.am: use --no-split to make one large file, mostly
        for html

        * doc/setup.texi: "document" pkinit_require_eku and
        pkinit_require_krbtgt_otherName

        * lib/krb5/pkinit.c: Add pkinit_require_eku and
        pkinit_require_krbtgt_otherName

        * doc/setup.texi: Add text about pk-init

        * tools/kdc-log-analyze.pl: count v5 cross realms too
        
2006-04-22  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1.

        * lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1.
        
2006-04-20  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c (_kdc_pk_rd_padata): use
        hx509_cms_unwrap_ContentInfo.

        * kdc/config.c: unbreak

        * lib/krb5/pkinit.c: Handle diffrences between libhcrypto and
        libcrypto.

        * kdc/config.c: Rename pki-chain to pki-pool to match rest of
        code.
        
2006-04-12  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/rd_priv.c: Fix argument to krb5_data_zero.

        * kdc/config.c: Added certificate revoke information from
        configuration file.
        
        * kdc/pkinit.c: Added certificate revoke information.

        * kuser/kinit.c: Added certificate revoke information from
        configuration file.

        * lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revoke
        information, ie CRL's
        
2006-04-10 Love Hörnquist Å
strand <lha@it.su.se>

        * lib/krb5/replay.c (krb5_rc_resolve_full): make compile again.

        * lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile
        again.

        * lib/krb5/transited.c (make_path): make sure we return allocated
        memory Coverity, NetBSD CID#1892

        * lib/krb5/transited.c (make_path): make sure we return allocated
        memory Coverity, NetBSD CID#1892

        * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on
        protocol failure, avoid leaking memory Coverity, NetBSD CID#1900

        * lib/krb5/principal.c (krb5_parse_name): remember to free realm
        in case of error Coverity, NetBSD CID#1883

        * lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove
        memory leak in case of weird formated dns replys.
        Coverity, NetBSD CID#1885
        
        * lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer
        to a allocated krb5_rcache in case of error.

        * lib/krb5/log.c (krb5_addlog_dest): free fn in case of error
        Coverity, NetBSD CID#1882
        
        * lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error
        handling.  Coverity, NetBSD CID#2369

        * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
        in_creds->client should always be set, assume so.

        * lib/krb5/keytab_any.c (any_next_entry): restructure to make it
        easier to read Fixes Coverity, NetBSD CID#625

        * lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL
        check.  Coverity NetBSD CID#2367

        * lib/krb5/build_auth.c (krb5_build_authenticator): use
        calloc. removed check that was never really used. Coverity NetBSD
        CID#2370
        
2006-04-09  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticketÂŽ
        points to NULL in case of error, add error handling, use calloc.

        * kpasswd/kpasswdd.c (doit): when done, close all fd in the
        sockets array and free it.  Coverity NetBSD CID#1916
        
2006-04-08  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity,
        NetBSD CID#1695

        * kdc/524.c (_kdc_do_524): Handle memory allocation failure
        Coverity, NetBSD CID#2752
        
2006-04-07  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory
        leak Coverity NetBSD CID#1890

        * kdc/hprop.c (main): make sure type doesn't need to be set

        * kdc/mit_dump.c (mit_prop_dump): close fd when done processing
        Coverity NetBSD CID#1955

        * kdc/string2key.c (tokey): catch warnings, free memory after use.
        Based on Coverity NetBSD CID#1894

        * kdc/hprop.c (main): remove dead code.  Coverity NetBSD CID#633
        
2006-04-04  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kpasswd/kpasswd-generator.c (read_words): catch empty file case,
        will cause PBE (division by zero) later. From Tobias Stoeckmann.
        
2006-04-02  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/hdb/keytab.c: Remove a delta from last revision that should
        have gone in later.
        
        * lib/krb5/krbhst.c: fix spelling

        * lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed
        pointer, found by IBM checker.

        * lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer,
        found by IBM checker.

        * lib/krb5/addr_families.c (krb5_make_addrport): clear return
        value on error, found by IBM checker.

        * kdc/kerberos5.c (check_addresses): treat netbios as no addresses
        
        * kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex

        * kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to
        avoid ?:'s at callers

        * lib/krb5/v4_glue.c: Avoid using free memory, found by IBM
        checker.

        * lib/krb5/transited.c (expand_realm): avoid passing NULL to
        strlen, found by IBM checker.

        * lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc
        failure, found by IBM checker.

        * lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy
        with a memcpy

        * lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory
        leak, found by IBM checker.

        * lib/krb5/keytab_file.c (fkt_next_entry_int): remove a
        dereferencing NULL pointer, found by IBM checker.

        * lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the
        cname must always be given, don't avoid that fact and remove a
        cname == NULL case. Plugs a memory leak found by IBM checker.

        * lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing
        free-ed memory on error. Found by IBM checker.

        * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use
        calloc to avoid uninitialized memory problem.

        * lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory
        on error. Found by IBM checker.

        * lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by
        IBM checker.

        * lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker
        thought it found a memory leak, it didn't, but there was another
        error in the code, lets fix that instead.

        * lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory
        leak. Found by IBM checker.

        * lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return
        pointer to freed memory in the error case. Found by IBM checker.

        * lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM
        checker.

        * lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before
        going into the error clause and freeing key_set. Found by IBM
        checker.  Make sure ret == 0 after of parse error, we catch the
        "no entries parsed" case later.

        * lib/krb5/log.c (krb5_addlog_dest): make string length match
        strings in strcasecmp.  Found by IBM checker.
        
2006-03-30  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set
        variable_name as "hdb_entry_ex"
        (hdb_ldap_common): change "arg" in condition (if) to "search_base"
        (hdb_ldapi_create): change "serach_base" to "search_base" From
        Alex V. Labuta.

        * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit); fix
        prototype

        * kuser/kinit.c: Add pool of certificates to help certificate path
        building for clients sending incomplete path in the signedData.
        
2006-03-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/pkinit.c: Add pool of certificates to help certificate path
        building for clients sending incomplete path in the signedData.

        * lib/krb5/pkinit.c: Add pool of certificates to help certificate
        path building for clients sending incomplete path in the
        signedData.
        
2006-03-27  Love Hörnquist Å
strand  <lha@it.su.se>

        * kdc/config.c: Allow passing in related certificates used to
        build the chain.

        * kdc/pkinit.c: Allow passing in related certificates used to
        build the chain.

        * kdc/kerberos5.c (log_patype): Add case for
        KRB5_PADATA_PA_PK_OCSP_RESPONSE.

        * tools/Makefile.am: Spelling

        * tools/krb5-config.in: Add hx509 when using PK-INIT.

        * tools/Makefile.am: Add hx509 when using PK-INIT.
        
2006-03-26  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS
        X Kerberos.app problems.

        * lib/krb5/krb5_ccapi.h: Add ticket flags definitions

        * lib/krb5/pkinit.c: Use less openssl, spell chelling.

        * kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with
        asn1 wrapping

        * configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile

        * lib/Makefile.am: Add hx509.

        * lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used.

        * configure.in: define automake PKINIT variable

        * kdc/pkinit.c: Switch to hx509.

        * lib/krb5/pkinit.c: Switch to hx509.
        
2006-03-24  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kdc/kerberos5.c (log_patypes): log the patypes requested by the
        client
        
2006-03-23  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the
        req_buffer in the w2k case too. From Douglas E. Engert.
        
2006-03-19  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto
        error handling.  Fixes Coverity NetBSD CID 2591 by catching a
        failing krb5_copy_keyblock()
        
2006-03-17  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in
        address when free-ing.  Fixes Coverity NetBSD bug #2605
        (krb5_parse_address): reset val,len before possibly return errors
        Fixes Coverity NetBSD bug #2605
        
2006-03-07  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but
        make sure nbytes > 0

        * lib/krb5/get_for_creds.c (add_addrs): handle the case where
        addr->len == 0 and n == 0, then realloc might return NULL.

        * lib/krb5/crypto.c (decrypt_*): handle the case where the
        plaintext is 0 bytes long, realloc might then return NULL.
        
2006-02-28  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived.

        * lib/krb5/krb5.3: Remove krb5_string_to_key_derived.

        * lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2
        and use PKCS5_PBKDF2_HMAC_SHA1 instead.

        * lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory

        * lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1.
        
2006-02-27  Johan Danielsson  <joda@pdc.kth.se>

        * doc/setup.texi: remove cartouches - we don't use them anywhere
        else, they should be around the example, not inside it, and
        probably shouldn't be used in html at all

2006-02-18  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_warn.3: Document that applications want to use
        krb5_get_error_message, add example.

2006-02-16  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/crypto.c (krb5_generate_random_block): check return
        value from RAND_bytes

        * lib/krb5/error_string.c: Change indentation, update (c)

2006-02-14  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when
        compiling w/o pkinit.
        
2006-02-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/pkinit.c: update to new paChecksum definition, update
        the dhgroup handling

        * kdc/pkinit.c: update to new paChecksum definition, use
        hdb_entry_ex
        
2006-02-09  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/krb5_locl.h: Move Configurable options to last in the
        file.
        
        * lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef
        
2006-02-03  Love Hörnquist Å
strand  <lha@it.su.se>
        
        * kpasswd/kpasswdd.c: Send back a better error-message to the
        client in case the password change was rejected.

        * lib/krb5/krb5_warn.3: Document krb5_get_error_message.

        * lib/krb5/error_string.c (krb5_get_error_message): new function,
        and combination of krb5_get_error_string and krb5_get_err_text

        * lib/krb5/krb5.3: sort, and krb5_get_error_message

        * lib/hdb/hdb-ldap.c: Log the filter string to the error message
        when doing searches.

        * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags):
        Use KRB5_ADDRESSLESS_DEFAULT when
        checking [appdefault]no-addresses.

        * lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use
        KRB5_ADDRESSLESS_DEFAULT when checking
        [appdefault]no-addresses.

        * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds):
        Use [appdefault]no-addresses before checking if the krbtgt is
        address-less, use KRB5_ADDRESSLESS_DEFAULT.

        * lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that
        controlls all address-less behavior.  Defaults to false.
        
2006-02-01  Love Hörnquist Å
strand  <lha@it.su.se>

        * lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION

        * lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE
        failes to produce the matching lenghts.
        
2006-01-27  Love Hörnquist Å
strand  <lha@it.su.se>

        * kcm/protocol.c (kcm_op_retrieve): remove unused variable
        
2006-01-15  Love Hörnquist Å
strand  <lha@it.su.se>

        * tools/krb5-config.in: Move depenency on @LIB_dbopen@ to
        kadm-server, kerberos library doesn't depend on db-library.
        
2006-01-13  Love Hörnquist Å
strand  <lha@it.su.se>

        * include/Makefile.am: Don't clean crypto headers, they now live
        in hcrypto/.  Add hcrypto to SUBDIRS.

        * include/hcrypto/Makefile.am: clean installed headers

        * include/make_crypto.c: include crypto headers from hcrypto/

        * include/make_crypto.c: Include more crypto headerfiles. Remove
        support for old hash names.
        
2006-01-02  Love Hörnquist Å
strand <lha@it.su.se>
        
        * kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry,
        from Andrew Bartlet.
        
        * Happy New Year.