/crypto/heimdal/lib/gssapi/ChangeLog

https://bitbucket.org/freebsd/freebsd-head/ · #! · 2970 lines · 1781 code · 1189 blank · 0 comment · 0 complexity · 064e0feaf998d4b0551c28c4ef696f4c MD5 · raw file

Large files are truncated click here to view the full file

  1. 2008-08-14 Love Hornquist Astrand <lha@10a140laptop.local>
  2. * krb5/accept_sec_context.c: If there is a initiator subkey, copy
  3. that to acceptor subkey to match windows behavior. From Metze.
  4. 2008-08-02 Love Hörnquist Åstrand <lha@h5l.org>
  5. * ntlm/init_sec_context.c: Catch error
  6. * krb5/inquire_sec_context_by_oid.c: Catch store failure.
  7. * mech/gss_canonicalize_name.c: Not init m, return never
  8. used (overwritten later).
  9. 2008-07-25 Love Hörnquist Åstrand <lha@kth.se>
  10. * ntlm/init_sec_context.c: Use krb5_cc_get_config.
  11. 2008-07-25 Love Hörnquist Åstrand <lha@kth.se>
  12. * krb5/init_sec_context.c: Match the orignal patch I got from
  13. metze, seems that DCE-STYLE is even more weirer then what I though
  14. when I merged the patch.
  15. 2008-06-02 Love Hörnquist Åstrand <lha@kth.se>
  16. * krb5/init_sec_context.c: Don't add asn1 wrapping to token when
  17. using DCE_STYLE. Patch from Stefan Metzmacher.
  18. 2008-05-27 Love Hörnquist Åstrand <lha@kth.se>
  19. * ntlm/init_sec_context.c: use krb5_get_error_message
  20. 2008-05-05 Love Hörnquist Åstrand <lha@kth.se>
  21. * spnego/spnego_locl.h: Add back "mech/utils.h", its needed for
  22. oid/buffer functions.
  23. 2008-05-02 Love Hörnquist Åstrand <lha@it.su.se>
  24. * spnego: Changes from doug barton to make spnego indepedant of
  25. the heimdal version of the plugin system.
  26. 2008-04-27 Love Hörnquist Åstrand <lha@it.su.se>
  27. * krb5: use DES_set_key_unchecked()
  28. 2008-04-17 Love Hörnquist Åstrand <lha@it.su.se>
  29. * add __declspec() for windows.
  30. 2008-04-15 Love Hörnquist Åstrand <lha@it.su.se>
  31. * krb5/import_sec_context.c: Use tmp to read ac->flags value to
  32. avoid warning.
  33. 2008-04-07 Love Hörnquist Åstrand <lha@it.su.se>
  34. * mech/gss_mech_switch.c: Use unsigned where appropriate.
  35. 2008-03-14 Love Hörnquist Åstrand <lha@it.su.se>
  36. * test_context.c: Add test for gsskrb5_register_acceptor_identity.
  37. 2008-03-09 Love Hörnquist Åstrand <lha@it.su.se>
  38. * krb5/init_sec_context.c (init_auth): use right variable to
  39. detect if we want to free or not.
  40. 2008-02-26 Love Hörnquist Åstrand <lha@it.su.se>
  41. * Makefile.am: add missing \
  42. * Makefile.am: reshuffle depenencies
  43. * Add flag to krb5 to not add GSS-API INT|CONF to the negotiation
  44. 2008-02-21 Love Hörnquist Åstrand <lha@it.su.se>
  45. * make the SPNEGO mech store the error itself instead, works for
  46. everything except other stackable mechs
  47. 2008-02-18 Love Hörnquist Åstrand <lha@it.su.se>
  48. * spnego/init_sec_context.c (spnego_reply): if the reply token was
  49. of length 0, make it the same as no token. Pointed out by Zeqing
  50. Xia.
  51. * krb5/acquire_cred.c (acquire_initiator_cred): handle the
  52. credential cache better, use destroy/close when appriate and for
  53. all cases. Thanks to Michael Allen for point out the memory-leak
  54. that I also fixed.
  55. 2008-02-03 Love Hörnquist Åstrand <lha@it.su.se>
  56. * spnego/accept_sec_context.c: Make error reporting somewhat more
  57. correct for SPNEGO.
  58. 2008-01-27 Love Hörnquist Åstrand <lha@it.su.se>
  59. * test_common.c: Improve the error message.
  60. 2008-01-24 Love Hörnquist Åstrand <lha@it.su.se>
  61. * ntlm/accept_sec_context.c: Avoid free-ing type1 message before
  62. its allocated.
  63. 2008-01-13 Love Hörnquist Åstrand <lha@it.su.se>
  64. * test_ntlm.c: Test source name (and make the acceptor in ntlm gss
  65. mech useful).
  66. 2007-12-30 Love Hörnquist Åstrand <lha@it.su.se>
  67. * ntlm/init_sec_context.c: Don't confuse target name and source
  68. name, make regressiont tests pass again.
  69. 2007-12-29 Love Hörnquist Åstrand <lha@it.su.se>
  70. * ntlm: clean up name handling
  71. 2007-12-04 Love Hörnquist Åstrand <lha@it.su.se>
  72. * ntlm/init_sec_context.c: Use credential if it was passed in.
  73. * ntlm/acquire_cred.c: Check if there is initial creds with
  74. _gss_ntlm_get_user_cred().
  75. * ntlm/init_sec_context.c: Add _gss_ntlm_get_user_info() that
  76. return the user info so it can be used by external modules.
  77. * ntlm/inquire_cred.c: use the right error code.
  78. * ntlm/inquire_cred.c: Return GSS_C_NO_CREDENTIAL if there is no
  79. credential, ntlm have (not yet) a default credential.
  80. * mech/gss_release_oid_set.c: Avoid trying to deref NULL, from
  81. Phil Fisher.
  82. 2007-12-03 Love Hörnquist Åstrand <lha@it.su.se>
  83. * test_acquire_cred.c: Always try to fetch cred (even with
  84. GSS_C_NO_NAME).
  85. 2007-08-09 Love Hörnquist Åstrand <lha@it.su.se>
  86. * mech/gss_krb5.c: Readd gss_krb5_get_tkt_flags.
  87. 2007-08-08 Love Hörnquist Åstrand <lha@it.su.se>
  88. * spnego/compat.c (_gss_spnego_internal_delete_sec_context):
  89. release ctx->target_name too From Rafal Malinowski.
  90. 2007-07-26 Love Hörnquist Åstrand <lha@it.su.se>
  91. * mech/gss_mech_switch.c: Don't try to do dlopen if system doesn't
  92. have dlopen. From Rune of Chalmers.
  93. 2007-07-10 Love Hörnquist Åstrand <lha@it.su.se>
  94. * mech/gss_duplicate_name.c: New signature of _gss_find_mn.
  95. * mech/gss_init_sec_context.c: New signature of _gss_find_mn.
  96. * mech/gss_acquire_cred.c: New signature of _gss_find_mn.
  97. * mech/name.h: New signature of _gss_find_mn.
  98. * mech/gss_canonicalize_name.c: New signature of _gss_find_mn.
  99. * mech/gss_compare_name.c: New signature of _gss_find_mn.
  100. * mech/gss_add_cred.c: New signature of _gss_find_mn.
  101. * mech/gss_names.c (_gss_find_mn): Return an error code for
  102. caller.
  103. * spnego/accept_sec_context.c: remove checks that are done by the
  104. previous function.
  105. * Makefile.am: New library version.
  106. 2007-07-04 Love Hörnquist Åstrand <lha@it.su.se>
  107. * mech/gss_oid_to_str.c: Refuse to print GSS_C_NULL_OID, from
  108. Rafal Malinowski.
  109. * spnego/spnego.asn1: Indent and make NegTokenInit and
  110. NegTokenResp extendable.
  111. 2007-06-21 Love Hörnquist Åstrand <lha@it.su.se>
  112. * ntlm/inquire_cred.c: Implement _gss_ntlm_inquire_cred.
  113. * mech/gss_display_status.c: Provide message for GSS_S_COMPLETE.
  114. * mech/context.c: If the canned string is "", its no use to the
  115. user, make it fall back to the default error string.
  116. 2007-06-20 Love Hörnquist Åstrand <lha@it.su.se>
  117. * mech/gss_display_name.c (gss_display_name): no name ->
  118. fail. From Rafal Malinswski.
  119. * spnego/accept_sec_context.c: Wrap name in a spnego_name instead
  120. of just a copy of the underlaying object. From Rafal Malinswski.
  121. * spnego/accept_sec_context.c: Handle underlaying mech not
  122. returning mn.
  123. * mech/gss_accept_sec_context.c: Handle underlaying mech not
  124. returning mn.
  125. * spnego/accept_sec_context.c: Make sure src_name is always set to
  126. GSS_C_NO_NAME when returning.
  127. * krb5/acquire_cred.c (acquire_acceptor_cred): don't claim
  128. everything is well on failure. From Phil Fisher.
  129. * mech/gss_duplicate_name.c: catch error (and ignore it)
  130. * ntlm/init_sec_context.c: Use heim_ntlm_calculate_ntlm2_sess.
  131. * mech/gss_accept_sec_context.c: Only wrap the delegated cred if
  132. we got a delegated mech cred. From Rafal Malinowski.
  133. * spnego/accept_sec_context.c: Only wrap the delegated cred if we
  134. are going to return it to the consumer. From Rafal Malinowski.
  135. * spnego/accept_sec_context.c: Fixed memory leak pointed out by
  136. Rafal Malinowski, also while here moved to use NegotiationToken
  137. for decoding.
  138. 2007-06-18 Love Hörnquist Åstrand <lha@it.su.se>
  139. * krb5/prf.c (_gsskrb5_pseudo_random): add missing break.
  140. * krb5/release_name.c: Set *minor_status unconditionallty, its
  141. done later anyway.
  142. * spnego/accept_sec_context.c: Init get_mic to 0.
  143. * mech/gss_set_cred_option.c: Free memory in failure case, found
  144. by beam.
  145. * mech/gss_inquire_context.c: Handle mech_type being NULL.
  146. * mech/gss_inquire_cred_by_mech.c: Handle cred_name being NULL.
  147. * mech/gss_krb5.c: Free memory in error case, found by beam.
  148. 2007-06-12 Love Hörnquist Åstrand <lha@it.su.se>
  149. * ntlm/inquire_context.c: Use ctx->gssflags for flags.
  150. * krb5/display_name.c: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY, this is
  151. not ment for machine consumption.
  152. 2007-06-09 Love Hörnquist Åstrand <lha@it.su.se>
  153. * ntlm/digest.c (kdc_alloc): free memory on failure, pointed out
  154. by Rafal Malinowski.
  155. * ntlm/digest.c (kdc_destroy): free context when done, pointed out
  156. by Rafal Malinowski.
  157. * spnego/context_stubs.c (_gss_spnego_display_name): if input_name
  158. is null, fail. From Rafal Malinowski.
  159. 2007-06-04 Love Hörnquist Åstrand <lha@it.su.se>
  160. * ntlm/digest.c: Free memory when done.
  161. 2007-06-02 Love Hörnquist Åstrand <lha@it.su.se>
  162. * test_ntlm.c: Test both with and without keyex.
  163. * ntlm/digest.c: If we didn't set session key, don't expect one
  164. back.
  165. * test_ntlm.c: Set keyex flag and calculate session key.
  166. 2007-05-31 Love Hörnquist Åstrand <lha@it.su.se>
  167. * spnego/accept_sec_context.c: Use the return value before is
  168. overwritten by later calls. From Rafal Malinowski
  169. * krb5/release_cred.c: Give an minor_status argument to
  170. gss_release_oid_set. From Rafal Malinowski
  171. 2007-05-30 Love Hörnquist Åstrand <lha@it.su.se>
  172. * ntlm/accept_sec_context.c: Catch errors and return the up the
  173. stack.
  174. * test_kcred.c: more testing of lifetimes
  175. 2007-05-17 Love Hörnquist Åstrand <lha@it.su.se>
  176. * Makefile.am: Drop the gss oid_set function for the krb5 mech,
  177. use the mech glue versions instead. Pointed out by Rafal
  178. Malinowski.
  179. * krb5: Use gss oid_set functions from mechglue
  180. 2007-05-14 Love Hörnquist Åstrand <lha@it.su.se>
  181. * ntlm/accept_sec_context.c: Set session key only if we are
  182. returned a session key. Found by David Love.
  183. 2007-05-13 Love Hörnquist Åstrand <lha@it.su.se>
  184. * krb5/prf.c: switched MIN to min to make compile on solaris,
  185. pointed out by David Love.
  186. 2007-05-09 Love Hörnquist Åstrand <lha@it.su.se>
  187. * krb5/inquire_cred_by_mech.c: Fill in all of the variables if
  188. they are passed in. Pointed out by Phil Fisher.
  189. 2007-05-08 Love Hörnquist Åstrand <lha@it.su.se>
  190. * krb5/inquire_cred.c: Fix copy and paste error, bug spotted by
  191. from Phil Fisher.
  192. * mech: dont keep track of gc_usage, just figure it out at
  193. gss_inquire_cred() time
  194. * mech/gss_mech_switch.c (add_builtin): ok for
  195. __gss_mech_initialize() to return NULL
  196. * test_kcred.c: more correct tests
  197. * spnego/cred_stubs.c (gss_inquire_cred*): wrap the name with a
  198. spnego_name.
  199. * ntlm/inquire_cred.c: make ntlm gss_inquire_cred fail for now,
  200. need to find default cred and friends.
  201. * krb5/inquire_cred_by_mech.c: reimplement
  202. 2007-05-07 Love Hörnquist Åstrand <lha@it.su.se>
  203. * ntlm/acquire_cred.c: drop unused variable.
  204. * ntlm/acquire_cred.c: Reimplement.
  205. * Makefile.am: add ntlm/digest.c
  206. * ntlm: split out backend ntlm server processing
  207. 2007-04-24 Love Hörnquist Åstrand <lha@it.su.se>
  208. * ntlm/delete_sec_context.c (_gss_ntlm_delete_sec_context): free
  209. credcache when done
  210. 2007-04-22 Love Hörnquist Åstrand <lha@it.su.se>
  211. * ntlm/init_sec_context.c: ntlm-key credential entry is prefix with @
  212. * ntlm/init_sec_context.c (get_user_ccache): pick up the ntlm
  213. creds from the krb5 credential cache.
  214. 2007-04-21 Love Hörnquist Åstrand <lha@it.su.se>
  215. * ntlm/delete_sec_context.c: free the key stored in the context
  216. * ntlm/ntlm.h: switch password for a key
  217. * test_oid.c: Switch oid to one that is exported.
  218. 2007-04-20 Love Hörnquist Åstrand <lha@it.su.se>
  219. * ntlm/init_sec_context.c: move where hash is calculated to make
  220. it easier to add ccache support.
  221. * Makefile.am: Add version-script.map to EXTRA_DIST.
  222. 2007-04-19 Love Hörnquist Åstrand <lha@it.su.se>
  223. * Makefile.am: Unconfuse newer versions of automake that doesn't
  224. know the diffrence between depenences and setting variables. foo:
  225. vs foo=.
  226. * test_ntlm.c: delete sec context when done.
  227. * version-script.map: export more symbols.
  228. * Makefile.am: add version script if ld supports it
  229. * version-script.map: add version script if ld supports it
  230. 2007-04-18 Love Hörnquist Åstrand <lha@it.su.se>
  231. * Makefile.am: test_acquire_cred need test_common.[ch]
  232. * test_acquire_cred.c: add more test options.
  233. * krb5/external.c: add GSS_KRB5_CCACHE_NAME_X
  234. * gssapi/gssapi_krb5.h: add GSS_KRB5_CCACHE_NAME_X
  235. * krb5/set_sec_context_option.c: refactor code, implement
  236. GSS_KRB5_CCACHE_NAME_X
  237. * mech/gss_krb5.c: reimplement gss_krb5_ccache_name
  238. 2007-04-17 Love Hörnquist Åstrand <lha@it.su.se>
  239. * spnego/cred_stubs.c: Need to import spnego name before we can
  240. use it as a gss_name_t.
  241. * test_acquire_cred.c: use this test as part of the regression
  242. suite.
  243. * mech/gss_acquire_cred.c (gss_acquire_cred): dont init
  244. cred->gc_mc every time in the loop.
  245. 2007-04-15 Love Hörnquist Åstrand <lha@it.su.se>
  246. * Makefile.am: add test_common.h
  247. 2007-02-16 Love Hörnquist Åstrand <lha@it.su.se>
  248. * gss_acquire_cred.3: Add link for
  249. gsskrb5_register_acceptor_identity.
  250. 2007-02-08 Love Hörnquist Åstrand <lha@it.su.se>
  251. * krb5/copy_ccache.c: Try to leak less memory in the failure case.
  252. 2007-01-31 Love Hörnquist Åstrand <lha@it.su.se>
  253. * mech/gss_display_status.c: Use right printf formater.
  254. * test_*.[ch]: split out the error printing function and try to
  255. return better errors
  256. 2007-01-30 Love Hörnquist Åstrand <lha@it.su.se>
  257. * krb5/init_sec_context.c: revert 1.75: (init_auth): only turn on
  258. GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it.
  259. This is because Kerberos always support INT|CONF, matches behavior
  260. with MS and MIT. The creates problems for the GSS-SPNEGO mech.
  261. 2007-01-24 Love Hörnquist Åstrand <lha@it.su.se>
  262. * krb5/prf.c: constrain desired_output_len
  263. * krb5/external.c (krb5_mech): add _gsskrb5_pseudo_random
  264. * mech/gss_pseudo_random.c: Catch error from underlaying mech on
  265. failure.
  266. * Makefile.am: Add krb5/prf.c
  267. * krb5/prf.c: gss_pseudo_random for krb5
  268. * test_context.c: Checks for gss_pseudo_random.
  269. * krb5/gkrb5_err.et: add KG_INPUT_TOO_LONG
  270. * Makefile.am: Add mech/gss_pseudo_random.c
  271. * gssapi/gssapi.h: try to load pseudo_random
  272. * mech/gss_mech_switch.c: try to load pseudo_random
  273. * mech/gss_pseudo_random.c: Add gss_pseudo_random.
  274. * gssapi_mech.h: Add hook for gm_pseudo_random.
  275. 2007-01-17 Love Hörnquist Åstrand <lha@it.su.se>
  276. * test_context.c: Don't assume bufer from gss_display_status is
  277. ok.
  278. * mech/gss_wrap_size_limit.c: Reset out variables.
  279. * mech/gss_wrap.c: Reset out variables.
  280. * mech/gss_verify_mic.c: Reset out variables.
  281. * mech/gss_utils.c: Reset out variables.
  282. * mech/gss_release_oid_set.c: Reset out variables.
  283. * mech/gss_release_cred.c: Reset out variables.
  284. * mech/gss_release_buffer.c: Reset variables.
  285. * mech/gss_oid_to_str.c: Reset out variables.
  286. * mech/gss_inquire_sec_context_by_oid.c: Fix reset out variables.
  287. * mech/gss_mech_switch.c: Reset out variables.
  288. * mech/gss_inquire_sec_context_by_oid.c: Reset out variables.
  289. * mech/gss_inquire_names_for_mech.c: Reset out variables.
  290. * mech/gss_inquire_cred_by_oid.c: Reset out variables.
  291. * mech/gss_inquire_cred_by_oid.c: Reset out variables.
  292. * mech/gss_inquire_cred_by_mech.c: Reset out variables.
  293. * mech/gss_inquire_cred.c: Reset out variables, fix memory leak.
  294. * mech/gss_inquire_context.c: Reset out variables.
  295. * mech/gss_init_sec_context.c: Zero out outbuffer on failure.
  296. * mech/gss_import_name.c: Reset out variables.
  297. * mech/gss_import_name.c: Reset out variables.
  298. * mech/gss_get_mic.c: Reset out variables.
  299. * mech/gss_export_name.c: Reset out variables.
  300. * mech/gss_encapsulate_token.c: Reset out variables.
  301. * mech/gss_duplicate_oid.c: Reset out variables.
  302. * mech/gss_duplicate_oid.c: Reset out variables.
  303. * mech/gss_duplicate_name.c: Reset out variables.
  304. * mech/gss_display_status.c: Reset out variables.
  305. * mech/gss_display_name.c: Reset out variables.
  306. * mech/gss_delete_sec_context.c: Reset out variables using propper
  307. macros.
  308. * mech/gss_decapsulate_token.c: Reset out variables using propper
  309. macros.
  310. * mech/gss_add_cred.c: Reset out variables.
  311. * mech/gss_acquire_cred.c: Reset out variables.
  312. * mech/gss_accept_sec_context.c: Reset out variables using propper
  313. macros.
  314. * mech/gss_init_sec_context.c: Reset out variables.
  315. * mech/mech_locl.h (_mg_buffer_zero): new macro that zaps a
  316. gss_buffer_t
  317. 2007-01-16 Love Hörnquist Åstrand <lha@it.su.se>
  318. * mech: sprinkel _gss_mg_error
  319. * mech/gss_display_status.c (gss_display_status): use
  320. _gss_mg_get_error to fetch the error from underlaying mech, if it
  321. failes, let do the regular dance for GSS-CODE version and a
  322. generic print-the-error code for MECH-CODE.
  323. * mech/gss_oid_to_str.c: Don't include the NUL in the length of
  324. the string.
  325. * mech/context.h: Protoypes for _gss_mg_.
  326. * mech/context.c: Glue to catch the error from the lower gss-api
  327. layer and save that for later so gss_display_status() can show the
  328. error.
  329. * gss.c: Detect NTLM.
  330. 2007-01-11 Love Hörnquist Åstrand <lha@it.su.se>
  331. * mech/gss_accept_sec_context.c: spelling
  332. 2007-01-04 Love Hörnquist Åstrand <lha@it.su.se>
  333. * Makefile.am: Include build (private) prototypes header files.
  334. * Makefile.am (ntlmsrc): add ntlm/ntlm-private.h
  335. 2006-12-28 Love Hörnquist Åstrand <lha@it.su.se>
  336. * ntlm/accept_sec_context.c: Pass signseal argument to
  337. _gss_ntlm_set_key.
  338. * ntlm/init_sec_context.c: Pass signseal argument to
  339. _gss_ntlm_set_key.
  340. * ntlm/crypto.c (_gss_ntlm_set_key): add signseal argument
  341. * test_ntlm.c: add ntlmv2 test
  342. * ntlm/ntlm.h: break out struct ntlmv2_key;
  343. * ntlm/crypto.c (_gss_ntlm_set_key): set ntlm v2 keys.
  344. * ntlm/accept_sec_context.c: Set dummy ntlmv2 keys and Check TI.
  345. * ntlm/ntlm.h: NTLMv2 keys.
  346. * ntlm/crypto.c: NTLMv2 sign and verify.
  347. 2006-12-20 Love Hörnquist Åstrand <lha@it.su.se>
  348. * ntlm/accept_sec_context.c: Don't send targetinfo now.
  349. * ntlm/init_sec_context.c: Build ntlmv2 answer buffer.
  350. * ntlm/init_sec_context.c: Leak less memory.
  351. * ntlm/init_sec_context.c: Announce that we support key exchange.
  352. * ntlm/init_sec_context.c: Add NTLM_NEG_NTLM2_SESSION, NTLMv2
  353. session security (disable because missing sign and seal).
  354. 2006-12-19 Love Hörnquist Åstrand <lha@it.su.se>
  355. * ntlm/accept_sec_context.c: split RC4 send and recv keystreams
  356. * ntlm/init_sec_context.c: split RC4 send and recv keystreams
  357. * ntlm/ntlm.h: split RC4 send and recv keystreams
  358. * ntlm/crypto.c: Implement SEAL.
  359. * ntlm/crypto.c: move gss_wrap/gss_unwrap here
  360. * test_context.c: request INT and CONF from the gss layer, test
  361. get and verify MIC.
  362. * ntlm/ntlm.h: add crypto bits.
  363. * ntlm/accept_sec_context.c: Save session master key.
  364. * Makefile.am: Move get and verify mic to the same file (crypto.c)
  365. since they share code.
  366. * ntlm/crypto.c: Move get and verify mic to the same file since
  367. they share code, implement NTLM v1 and dummy signatures.
  368. * ntlm/init_sec_context.c: pass on GSS_C_CONF_FLAG and
  369. GSS_C_INTEG_FLAG, save the session master key
  370. * spnego/accept_sec_context.c: try using gss_accept_sec_context()
  371. on the opportunistic token instead of guessing the acceptor name
  372. and do gss_acquire_cred, this make SPNEGO work like before.
  373. 2006-12-18 Love Hörnquist Åstrand <lha@it.su.se>
  374. * ntlm/init_sec_context.c: Calculate the NTLM version 1 "master"
  375. key.
  376. * spnego/accept_sec_context.c: Resurect negHints for the acceptor
  377. sends first packet.
  378. * Makefile.am: Add "windows" versions of the NegTokenInitWin and
  379. friends.
  380. * test_context.c: add --wrapunwrap flag
  381. * spnego/compat.c: move _gss_spnego_indicate_mechtypelist() to
  382. compat.c, use the sequence types of MechTypeList, make
  383. add_mech_type() static.
  384. * spnego/accept_sec_context.c: move
  385. _gss_spnego_indicate_mechtypelist() to compat.c
  386. * Makefile.am: Generate sequence code for MechTypeList
  387. * spnego: check that the generated acceptor mechlist is acceptable too
  388. * spnego/init_sec_context.c: Abstract out the initiator filter
  389. function, it will be needed for the acceptor too.
  390. * spnego/accept_sec_context.c: Abstract out the initiator filter
  391. function, it will be needed for the acceptor too. Remove negHints.
  392. * test_context.c: allow asserting return mech
  393. * ntlm/accept_sec_context.c: add _gss_ntlm_allocate_ctx
  394. * ntlm/acquire_cred.c: Check that the KDC seem to there and
  395. answering us, we can't do better then that wen checking if we will
  396. accept the credential.
  397. * ntlm/get_mic.c: return GSS_S_UNAVAILABLE
  398. * mech/utils.h: add _gss_free_oid, reverse of _gss_copy_oid
  399. * mech/gss_utils.c: add _gss_free_oid, reverse of _gss_copy_oid
  400. * spnego/spnego.asn1: Its very sad, but NegHints its are not part
  401. of the NegTokenInit, this makes SPNEGO acceptor life a lot harder.
  402. * spnego: try harder to handle names better. handle missing
  403. acceptor and initator creds better (ie dont propose/accept mech
  404. that there are no credentials for) split NegTokenInit and
  405. NegTokenResp in acceptor
  406. 2006-12-16 Love Hörnquist Åstrand <lha@it.su.se>
  407. * ntlm/import_name.c: Allocate the buffer from the right length.
  408. 2006-12-15 Love Hörnquist Åstrand <lha@it.su.se>
  409. * ntlm/init_sec_context.c (init_sec_context): Tell the other side
  410. what domain we think we are talking to.
  411. * ntlm/delete_sec_context.c: free username and password
  412. * ntlm/release_name.c (_gss_ntlm_release_name): free name.
  413. * ntlm/import_name.c (_gss_ntlm_import_name): add support for
  414. GSS_C_NT_HOSTBASED_SERVICE names
  415. * ntlm/ntlm.h: Add ntlm_name.
  416. * test_context.c: allow testing of ntlm.
  417. * gssapi_mech.h: add __gss_ntlm_initialize
  418. * ntlm/accept_sec_context.c (handle_type3): verify that the kdc
  419. approved of the ntlm exchange too
  420. * mech/gss_mech_switch.c: Add the builtin ntlm mech
  421. * test_ntlm.c: NTLM test app.
  422. * mech/gss_accept_sec_context.c: Add detection of NTLMSSP.
  423. * gssapi/gssapi.h: add ntlm mech oid
  424. * ntlm/external.c: Switch OID to the ms ntlmssp oid
  425. * Makefile.am: Add ntlm gss-api module.
  426. * ntlm/accept_sec_context.c: Catch more error errors.
  427. * ntlm/accept_sec_context.c: Check after a credential to use.
  428. 2006-12-14 Love Hörnquist Åstrand <lha@it.su.se>
  429. * krb5/set_sec_context_option.c (GSS_KRB5_SET_DEFAULT_REALM_X):
  430. don't fail on success. Bug report from Stefan Metzmacher.
  431. 2006-12-13 Love Hörnquist Åstrand <lha@it.su.se>
  432. * krb5/init_sec_context.c (init_auth): only turn on
  433. GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it.
  434. From Stefan Metzmacher.
  435. 2006-12-11 Love Hörnquist Åstrand <lha@it.su.se>
  436. * Makefile.am (libgssapi_la_OBJECTS): depends on gssapi_asn1.h
  437. spnego_asn1.h.
  438. 2006-11-20 Love Hörnquist Åstrand <lha@it.su.se>
  439. * krb5/acquire_cred.c: Make krb5_get_init_creds_opt_free take a
  440. context argument.
  441. 2006-11-16 Love Hörnquist Åstrand <lha@it.su.se>
  442. * test_context.c: Test that token keys are the same, return
  443. actual_mech.
  444. 2006-11-15 Love Hörnquist Åstrand <lha@it.su.se>
  445. * spnego/spnego_locl.h: Make bitfields unsigned, add maybe_open.
  446. * spnego/accept_sec_context.c: Use ASN.1 encoder functions to
  447. encode CHOICE structure now that we can handle it.
  448. * spnego/init_sec_context.c: Use ASN.1 encoder functions to encode
  449. CHOICE structure now that we can handle it.
  450. * spnego/accept_sec_context.c (_gss_spnego_accept_sec_context):
  451. send back ad accept_completed when the security context is ->open,
  452. w/o this the client doesn't know that the server have completed
  453. the transaction.
  454. * test_context.c: Add delegate flag and check that the delegated
  455. cred works.
  456. * spnego/init_sec_context.c: Keep track of the opportunistic token
  457. in the inital message, it might be a complete gss-api context, in
  458. that case we'll get back accept_completed without any token. With
  459. this change, krb5 w/o mutual authentication works.
  460. * spnego/accept_sec_context.c: Use ASN.1 encoder functions to
  461. encode CHOICE structure now that we can handle it.
  462. * spnego/accept_sec_context.c: Filter out SPNEGO from the out
  463. supported mechs list and make sure we don't select that for the
  464. preferred mechamism.
  465. 2006-11-14 Love Hörnquist Åstrand <lha@it.su.se>
  466. * mech/gss_init_sec_context.c (_gss_mech_cred_find): break out the
  467. cred finding to its own function
  468. * krb5/wrap.c: Better error strings, from Andrew Bartlet.
  469. 2006-11-13 Love Hörnquist Åstrand <lha@it.su.se>
  470. * test_context.c: Create our own krb5_context.
  471. * krb5: Switch from using a specific error message context in the
  472. TLS to have a whole krb5_context in TLS. This have some
  473. interestion side-effekts for the configruration setting options
  474. since they operate on per-thread basis now.
  475. * mech/gss_set_cred_option.c: When calling ->gm_set_cred_option
  476. and checking for success, use GSS_S_COMPLETE. From Andrew Bartlet.
  477. 2006-11-12 Love Hörnquist Åstrand <lha@it.su.se>
  478. * Makefile.am: Help solaris make even more.
  479. * Makefile.am: Help solaris make.
  480. 2006-11-09 Love Hörnquist Åstrand <lha@it.su.se>
  481. * Makefile.am: remove include $(srcdir)/Makefile-digest.am for now
  482. * mech/gss_accept_sec_context.c: Try better guessing what is mech
  483. we are going to select by looking harder at the input_token, idea
  484. from Luke Howard's mechglue branch.
  485. * Makefile.am: libgssapi_la_OBJECTS: add depency on gkrb5_err.h
  486. * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X
  487. * mech/gss_krb5.c: implement gss_krb5_set_allowable_enctypes
  488. * gssapi/gssapi.h: GSS_KRB5_S_
  489. * krb5/gsskrb5_locl.h: Include <gkrb5_err.h>.
  490. * gssapi/gssapi_krb5.h: Add gss_krb5_set_allowable_enctypes.
  491. * Makefile.am: Build and install gkrb5_err.h
  492. * krb5/gkrb5_err.et: Move the GSS_KRB5_S error here.
  493. 2006-11-08 Love Hörnquist Åstrand <lha@it.su.se>
  494. * mech/gss_krb5.c: Add gsskrb5_set_default_realm.
  495. * krb5/set_sec_context_option.c: Support
  496. GSS_KRB5_SET_DEFAULT_REALM_X.
  497. * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DEFAULT_REALM_X
  498. * krb5/external.c: add GSS_KRB5_SET_DEFAULT_REALM_X
  499. 2006-11-07 Love Hörnquist Åstrand <lha@it.su.se>
  500. * test_context.c: rename krb5_[gs]et_time_wrap to
  501. krb5_[gs]et_max_time_skew
  502. * krb5/copy_ccache.c: _gsskrb5_extract_authz_data_from_sec_context
  503. no longer used, bye bye
  504. * mech/gss_krb5.c: No depenency of the krb5 gssapi mech.
  505. * mech/gss_krb5.c (gsskrb5_extract_authtime_from_sec_context): use
  506. _gsskrb5_decode_om_uint32. From Andrew Bartlet.
  507. * mech/gss_krb5.c: Add dummy gss_krb5_set_allowable_enctypes for
  508. now.
  509. * spnego/spnego_locl.h: Include <roken.h> for compatiblity.
  510. * krb5/arcfour.c: Use IS_DCE_STYLE flag. There is no padding in
  511. DCE-STYLE, don't try to use to. From Andrew Bartlett.
  512. * test_context.c: test wrap/unwrap, add flag for dce-style and
  513. mutual auth, also support multi-roundtrip sessions
  514. * krb5/gsskrb5_locl.h: Add IS_DCE_STYLE macro.
  515. * krb5/accept_sec_context.c (gsskrb5_acceptor_start): use
  516. krb5_rd_req_ctx
  517. * mech/gss_krb5.c (gsskrb5_get_subkey): return the per message
  518. token subkey
  519. * krb5/inquire_sec_context_by_oid.c: check if there is any key at
  520. all
  521. 2006-11-06 Love Hörnquist Åstrand <lha@it.su.se>
  522. * krb5/inquire_sec_context_by_oid.c: Set more error strings, use
  523. right enum for acceptor subkey. From Andrew Bartlett.
  524. 2006-11-04 Love Hörnquist Åstrand <lha@it.su.se>
  525. * test_context.c: Test gsskrb5_extract_service_keyblock, needed in
  526. PAC valication. From Andrew Bartlett
  527. * mech/gss_krb5.c: Add gsskrb5_extract_authz_data_from_sec_context
  528. and keyblock extraction functions.
  529. * gssapi/gssapi_krb5.h: Add extraction of keyblock function, from
  530. Andrew Bartlett.
  531. * krb5/external.c: Add GSS_KRB5_GET_SERVICE_KEYBLOCK_X
  532. 2006-11-03 Love Hörnquist Åstrand <lha@it.su.se>
  533. * test_context.c: Rename various routines and constants from
  534. canonize to canonicalize. From Andrew Bartlett
  535. * mech/gss_krb5.c: Rename various routines and constants from
  536. canonize to canonicalize. From Andrew Bartlett
  537. * krb5/set_sec_context_option.c: Rename various routines and
  538. constants from canonize to canonicalize. From Andrew Bartlett
  539. * krb5/external.c: Rename various routines and constants from
  540. canonize to canonicalize. From Andrew Bartlett
  541. * gssapi/gssapi_krb5.h: Rename various routines and constants from
  542. canonize to canonicalize. From Andrew Bartlett
  543. 2006-10-25 Love Hörnquist Åstrand <lha@it.su.se>
  544. * krb5/accept_sec_context.c (gsskrb5_accept_delegated_token): need
  545. to free ccache
  546. 2006-10-24 Love Hörnquist Åstrand <lha@it.su.se>
  547. * test_context.c (loop): free target_name
  548. * mech/gss_accept_sec_context.c: SLIST_INIT the ->gc_mc'
  549. * mech/gss_acquire_cred.c : SLIST_INIT the ->gc_mc'
  550. * krb5/init_sec_context.c: Avoid leaking memory.
  551. * mech/gss_buffer_set.c (gss_release_buffer_set): don't leak the
  552. ->elements memory.
  553. * test_context.c: make compile
  554. * krb5/cfx.c (_gssapi_verify_mic_cfx): always free crypto context.
  555. * krb5/set_cred_option.c (import_cred): free sp
  556. 2006-10-22 Love Hörnquist Åstrand <lha@it.su.se>
  557. * mech/gss_add_oid_set_member.c: Use old implementation of
  558. gss_add_oid_set_member, it leaks less memory.
  559. * krb5/test_cfx.c: free krb5_crypto.
  560. * krb5/test_cfx.c: free krb5_context
  561. * mech/gss_release_name.c (gss_release_name): free input_name
  562. it-self.
  563. 2006-10-21 Love Hörnquist Åstrand <lha@it.su.se>
  564. * test_context.c: Call setprogname.
  565. * mech/gss_krb5.c: Add gsskrb5_extract_authtime_from_sec_context.
  566. * gssapi/gssapi_krb5.h: add
  567. gsskrb5_extract_authtime_from_sec_context
  568. 2006-10-20 Love Hörnquist Åstrand <lha@it.su.se>
  569. * krb5/inquire_sec_context_by_oid.c: Add get_authtime.
  570. * krb5/external.c: add GSS_KRB5_GET_AUTHTIME_X
  571. * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_AUTHTIME_X
  572. * krb5/set_sec_context_option.c: Implement GSS_KRB5_SEND_TO_KDC_X.
  573. * mech/gss_krb5.c: Add gsskrb5_set_send_to_kdc
  574. * gssapi/gssapi_krb5.h: Add GSS_KRB5_SEND_TO_KDC_X and
  575. gsskrb5_set_send_to_kdc
  576. * krb5/external.c: add GSS_KRB5_SEND_TO_KDC_X
  577. * Makefile.am: more files
  578. 2006-10-19 Love Hörnquist Åstrand <lha@it.su.se>
  579. * Makefile.am: remove spnego/gssapi_spnego.h, its now in gssapi/
  580. * test_context.c: Allow specifing mech.
  581. * krb5/external.c: add GSS_SASL_DIGEST_MD5_MECHANISM (for now)
  582. * gssapi/gssapi.h: Rename GSS_DIGEST_MECHANISM to
  583. GSS_SASL_DIGEST_MD5_MECHANISM
  584. 2006-10-18 Love Hörnquist Åstrand <lha@it.su.se>
  585. * mech/gssapi.asn1: Make it into a heim_any_set, its doesn't
  586. except a tag.
  587. * mech/gssapi.asn1: GSSAPIContextToken is IMPLICIT SEQUENCE
  588. * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X
  589. * krb5/external.c: Add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X.
  590. * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_INITIATOR_SUBKEY_X and
  591. GSS_KRB5_GET_SUBKEY_X
  592. * krb5/external.c: add GSS_KRB5_GET_INITIATOR_SUBKEY_X,
  593. GSS_KRB5_GET_SUBKEY_X
  594. 2006-10-17 Love Hörnquist Åstrand <lha@it.su.se>
  595. * test_context.c: Support switching on name type oid's
  596. * test_context.c: add test for dns canon flag
  597. * mech/gss_krb5.c: Add gsskrb5_set_dns_canonlize.
  598. * gssapi/gssapi_krb5.h: remove gss_krb5_compat_des3_mic
  599. * gssapi/gssapi_krb5.h: Add gsskrb5_set_dns_canonlize.
  600. * krb5/set_sec_context_option.c: implement
  601. GSS_KRB5_SET_DNS_CANONIZE_X
  602. * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DNS_CANONIZE_X
  603. * krb5/external.c: add GSS_KRB5_SET_DNS_CANONIZE_X
  604. * mech/gss_krb5.c: add bits to make lucid context work
  605. 2006-10-14 Love Hörnquist Åstrand <lha@it.su.se>
  606. * mech/gss_oid_to_str.c: Prefix der primitives with der_.
  607. * krb5/inquire_sec_context_by_oid.c: Prefix der primitives with
  608. der_.
  609. * krb5/encapsulate.c: Prefix der primitives with der_.
  610. * mech/gss_oid_to_str.c: New der_print_heim_oid signature.
  611. 2006-10-12 Love Hörnquist Åstrand <lha@it.su.se>
  612. * Makefile.am: add test_context
  613. * krb5/inquire_sec_context_by_oid.c: Make it work.
  614. * test_oid.c: Test lucid oid.
  615. * gssapi/gssapi.h: Add OM_uint64_t.
  616. * krb5/inquire_sec_context_by_oid.c: Add lucid interface.
  617. * krb5/external.c: Add lucid interface, renumber oids to my
  618. delegated space.
  619. * mech/gss_krb5.c: Add lucid interface.
  620. * gssapi/gssapi_krb5.h: Add lucid interface.
  621. * spnego/spnego_locl.h: Maybe include <netdb.h>.
  622. 2006-10-09 Love Hörnquist Åstrand <lha@it.su.se>
  623. * mech/gss_mech_switch.c: define RTLD_LOCAL to 0 if not defined.
  624. 2006-10-08 Love Hörnquist Åstrand <lha@it.su.se>
  625. * Makefile.am: install gssapi_krb5.H and gssapi_spnego.h
  626. * gssapi/gssapi_krb5.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.
  627. * gssapi/gssapi.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.
  628. * Makefile.am: Drop some -I no longer needed.
  629. * gssapi/gssapi_spnego.h: Move gssapi_spengo.h over here.
  630. * krb5: reference all include files using 'krb5/'
  631. 2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>
  632. * gssapi.h: Add file inclusion protection.
  633. * gssapi/gssapi.h: Correct header file inclusion protection.
  634. * gssapi/gssapi.h: Move the gssapi.h from lib/gssapi/ to
  635. lib/gssapi/gssapi/ to please automake.
  636. * spnego/spnego_locl.h: Maybe include <sys/types.h>.
  637. * mech/mech_locl.h: Include <roken.h>.
  638. * Makefile.am: split build files into dist_ and noinst_ SOURCES
  639. 2006-10-06 Love Hörnquist Åstrand <lha@it.su.se>
  640. * gss.c: #if 0 out unused code.
  641. * mech/gss_mech_switch.c: Cast argument to ctype(3) functions
  642. to (unsigned char).
  643. 2006-10-05 Love Hörnquist Åstrand <lha@it.su.se>
  644. * mech/name.h: remove <sys/queue.h>
  645. * mech/mech_switch.h: remove <sys/queue.h>
  646. * mech/cred.h: remove <sys/queue.h>
  647. 2006-10-02 Love Hörnquist Åstrand <lha@it.su.se>
  648. * krb5/arcfour.c: Thinker more with header lengths.
  649. * krb5/arcfour.c: Improve the calcucation of header
  650. lengths. DCE-STYLE data is also padded so remove if (1 || ...)
  651. code.
  652. * krb5/wrap.c (_gsskrb5_wrap_size_limit): use
  653. _gssapi_wrap_size_arcfour for arcfour
  654. * krb5/arcfour.c: Move _gssapi_wrap_size_arcfour here.
  655. * Makefile.am: Split all mech to diffrent mechsrc variables.
  656. * spnego/context_stubs.c: Make internal function static (and
  657. rename).
  658. 2006-10-01 Love Hörnquist Åstrand <lha@it.su.se>
  659. * krb5/inquire_cred.c: Fix "if (x) lock(y)" bug. From Harald
  660. Barth.
  661. * spnego/spnego_locl.h: Include <sys/param.h> for MAXHOSTNAMELEN.
  662. 2006-09-25 Love Hörnquist Åstrand <lha@it.su.se>
  663. * krb5/arcfour.c: Add wrap support, interrop with itself but not
  664. w2k3s-sp1
  665. * krb5/gsskrb5_locl.h: move the arcfour specific stuff to the
  666. arcfour header.
  667. * krb5/arcfour.c: Support DCE-style unwrap, tested with
  668. w2k3server-sp1.
  669. * mech/gss_accept_sec_context.c (gss_accept_sec_context): if the
  670. token doesn't start with [APPLICATION 0] SEQUENCE, lets assume its
  671. a DCE-style kerberos 5 connection. XXX this needs to be made
  672. better in cause we get another GSS-API protocol violating
  673. protocol. It should be possible to detach the Kerberos DCE-style
  674. since it starts with a AP-REQ PDU, but that have to wait for now.
  675. 2006-09-22 Love Hörnquist Åstrand <lha@it.su.se>
  676. * gssapi.h: Add GSS_C flags from
  677. draft-brezak-win2k-krb-rc4-hmac-04.txt.
  678. * krb5/delete_sec_context.c: Free service_keyblock and fwd_data,
  679. indent.
  680. * krb5/accept_sec_context.c: Merge of the acceptor part from the
  681. samba patch by Stefan Metzmacher and Andrew Bartlet.
  682. * krb5/init_sec_context.c: Add GSS_C_DCE_STYLE.
  683. * krb5/{init_sec_context.c,gsskrb5_locl.h}: merge most of the
  684. initiator part from the samba patch by Stefan Metzmacher and
  685. Andrew Bartlet (still missing DCE/RPC support)
  686. 2006-08-28 Love Hörnquist Åstrand <lha@it.su.se>
  687. * gss.c (help): use sl_slc_help().
  688. 2006-07-22 Love Hörnquist Åstrand <lha@it.su.se>
  689. * gss-commands.in: rename command to supported-mechanisms
  690. * Makefile.am: Make gss objects depend on the slc built
  691. gss-commands.h
  692. 2006-07-20 Love Hörnquist Åstrand <lha@it.su.se>
  693. * gss-commands.in: add slc commands for gss
  694. * krb5/gsskrb5_locl.h: Remove dup prototype of _gsskrb5_init()
  695. * Makefile.am: Add test_cfx
  696. * krb5/external.c: add GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
  697. * krb5/set_sec_context_option.c: catch
  698. GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
  699. * krb5/accept_sec_context.c: reimplement
  700. gsskrb5_register_acceptor_identity
  701. * mech/gss_krb5.c: implement gsskrb5_register_acceptor_identity
  702. * mech/gss_inquire_mechs_for_name.c: call _gss_load_mech
  703. * mech/gss_inquire_cred.c (gss_inquire_cred): call _gss_load_mech
  704. * mech/gss_mech_switch.c: Make _gss_load_mech() atomic and run
  705. only once, this have the side effect that _gss_mechs and
  706. _gss_mech_oids is only initialized once, so if just the users of
  707. these two global variables calls _gss_load_mech() first, it will
  708. act as a barrier and make sure the variables are never changed and
  709. we don't need to lock them.
  710. * mech/utils.h: no need to mark functions extern.
  711. * mech/name.h: no need to mark _gss_find_mn extern.
  712. 2006-07-19 Love Hörnquist Åstrand <lha@it.su.se>
  713. * krb5/cfx.c: Redo the wrap length calculations.
  714. * krb5/test_cfx.c: test max_wrap_size in cfx.c
  715. * mech/gss_display_status.c: Handle more error codes.
  716. 2006-07-07 Love Hörnquist Åstrand <lha@it.su.se>
  717. * mech/mech_locl.h: Include <krb5-types.h> and "mechqueue.h"
  718. * mech/mechqueue.h: Add SLIST macros.
  719. * krb5/inquire_context.c: Don't free return values on success.
  720. * krb5/inquire_cred.c (_gsskrb5_inquire_cred): When cred provided
  721. is the default cred, acquire the acceptor cred and initator cred
  722. in two diffrent steps and then query them for the information,
  723. this way, the code wont fail if there are no keytab, but there is
  724. a credential cache.
  725. * mech/gss_inquire_cred.c: move the check if we found any cred
  726. where it matter for both cases
  727. (default cred and provided cred)
  728. * mech/gss_init_sec_context.c: If the desired mechanism can't
  729. convert the name to a MN, fail with GSS_S_BAD_NAME rather then a
  730. NULL de-reference.
  731. 2006-07-06 Love Hörnquist Åstrand <lha@it.su.se>
  732. * spnego/external.c: readd gss_spnego_inquire_names_for_mech
  733. * spnego/spnego_locl.h: reimplement
  734. gss_spnego_inquire_names_for_mech add support function
  735. _gss_spnego_supported_mechs
  736. * spnego/context_stubs.h: reimplement
  737. gss_spnego_inquire_names_for_mech add support function
  738. _gss_spnego_supported_mechs
  739. * spnego/context_stubs.c: drop gss_spnego_indicate_mechs
  740. * mech/gss_indicate_mechs.c: if the underlaying mech doesn't
  741. support gss_indicate_mechs, use the oid in the mechswitch
  742. structure
  743. * spnego/external.c: let the mech glue layer implement
  744. gss_indicate_mechs
  745. * spnego/cred_stubs.c (gss_spnego_acquire_cred): don't care about
  746. desired_mechs, get our own list with indicate_mechs and remove
  747. ourself.
  748. 2006-07-05 Love Hörnquist Åstrand <lha@it.su.se>
  749. * spnego/external.c: remove gss_spnego_inquire_names_for_mech, let
  750. the mechglue layer implement it
  751. * spnego/context_stubs.c: remove gss_spnego_inquire_names_for_mech, let
  752. the mechglue layer implement it
  753. * spnego/spnego_locl.c: remove gss_spnego_inquire_names_for_mech, let
  754. the mechglue layer implement it
  755. 2006-07-01 Love Hörnquist Åstrand <lha@it.su.se>
  756. * mech/gss_set_cred_option.c: fix argument to gss_release_cred
  757. 2006-06-30 Love Hörnquist Åstrand <lha@it.su.se>
  758. * krb5/init_sec_context.c: Make work on compilers that are
  759. somewhat more picky then gcc4 (like gcc2.95)
  760. * krb5/init_sec_context.c (do_delegation): use KDCOptions2int to
  761. convert fwd_flags to an integer, since otherwise int2KDCOptions in
  762. krb5_get_forwarded_creds wont do the right thing.
  763. * mech/gss_set_cred_option.c (gss_set_cred_option): free memory on
  764. failure
  765. * krb5/set_sec_context_option.c (_gsskrb5_set_sec_context_option):
  766. init global kerberos context
  767. * krb5/set_cred_option.c (_gsskrb5_set_cred_option): init global
  768. kerberos context
  769. * mech/gss_accept_sec_context.c: Insert the delegated sub cred on
  770. the delegated cred handle, not cred handle
  771. * mech/gss_accept_sec_context.c (gss_accept_sec_context): handle
  772. the case where ret_flags == NULL
  773. * mech/gss_mech_switch.c (add_builtin): set
  774. _gss_mech_switch->gm_mech_oid
  775. * mech/gss_set_cred_option.c (gss_set_cred_option): laod mechs
  776. * test_cred.c (gss_print_errors): don't try to print error when
  777. gss_display_status failed
  778. * Makefile.am: Add mech/gss_release_oid.c
  779. * mech/gss_release_oid.c: Add gss_release_oid, reverse of
  780. gss_duplicate_oid
  781. * spnego/compat.c: preferred_mech_type was allocated with
  782. gss_duplicate_oid in one place and assigned static varianbles a
  783. the second place. change that static assignement to
  784. gss_duplicate_oid and bring back gss_release_oid.
  785. * spnego/compat.c (_gss_spnego_delete_sec_context): don't release
  786. preferred_mech_type and negotiated_mech_type, they where never
  787. allocated from the begining.
  788. 2006-06-29 Love Hörnquist Åstrand <lha@it.su.se>
  789. * mech/gss_import_name.c (gss_import_name): avoid
  790. type-punned/strict aliasing rules
  791. * mech/gss_add_cred.c: avoid type-punned/strict aliasing rules
  792. * gssapi.h: Make gss_name_t an opaque type.
  793. * krb5: make gss_name_t an opaque type
  794. * krb5/set_cred_option.c: Add
  795. * mech/gss_set_cred_option.c (gss_set_cred_option): support the
  796. case where *cred_handle == NULL
  797. * mech/gss_krb5.c (gss_krb5_import_cred): make sure cred is
  798. GSS_C_NO_CREDENTIAL on failure.
  799. * mech/gss_acquire_cred.c (gss_acquire_cred): if desired_mechs is
  800. NO_OID_SET, there is a need to load the mechs, so always do that.
  801. 2006-06-28 Love Hörnquist Åstrand <lha@it.su.se>
  802. * krb5/inquire_cred_by_oid.c: Reimplement GSS_KRB5_COPY_CCACHE_X
  803. to instead pass a fullname to the credential, then resolve and
  804. copy out the content, and then close the cred.
  805. * mech/gss_krb5.c: Reimplement GSS_KRB5_COPY_CCACHE_X to instead
  806. pass a fullname to the credential, then resolve and copy out the
  807. content, and then close the cred.
  808. * krb5/inquire_cred_by_oid.c: make "work", GSS_KRB5_COPY_CCACHE_X
  809. interface needs to be re-done, currently its utterly broken.
  810. * mech/gss_set_cred_option.c: Make work.
  811. * krb5/external.c: Add _gsskrb5_set_{sec_context,cred}_option
  812. * mech/gss_krb5.c (gss_krb5_import_cred): implement
  813. * Makefile.am: Add gss_set_{sec_context,cred}_option and sort
  814. * mech/gss_set_{sec_context,cred}_option.c: add
  815. * gssapi.h: Add GSS_KRB5_IMPORT_CRED_X
  816. * test_*.c: make compile again
  817. * Makefile.am: Add lib dependencies and test programs
  818. * spnego: remove dependency on libkrb5
  819. * mech: Bug fixes, cleanup, compiler warnings, restructure code.
  820. * spnego: Rename gss_context_id_t and gss_cred_id_t to local names
  821. * krb5: repro copy the krb5 files here
  822. * mech: import Doug Rabson mechglue from freebsd
  823. * spnego: Import Luke Howard's SPNEGO from the mechglue branch
  824. 2006-06-22 Love Hörnquist Åstrand <lha@it.su.se>
  825. * gssapi.h: Add oid_to_str.
  826. * Makefile.am: add oid_to_str and test_oid
  827. * oid_to_str.c: Add gss_oid_to_str
  828. * test_oid.c: Add test for gss_oid_to_str()
  829. 2006-05-13 Love Hörnquist Åstrand <lha@it.su.se>
  830. * verify_mic.c: Less pointer signedness warnings.
  831. * unwrap.c: Less pointer signedness warnings.
  832. * arcfour.c: Less pointer signedness warnings.
  833. * gssapi_locl.h: Use const void * to instead of unsigned char * to
  834. avoid pointer signedness warnings.
  835. * encapsulate.c: Use const void * to instead of unsigned char * to
  836. avoid pointer signedness warnings.
  837. * decapsulate.c: Use const void * to instead of unsigned char * to
  838. avoid pointer signedness warnings.
  839. * decapsulate.c: Less pointer signedness warnings.
  840. * cfx.c: Less pointer signedness warnings.
  841. * init_sec_context.c: Less pointer signedness warnings (partly by
  842. using the new asn.1 CHOICE decoder)
  843. * import_sec_context.c: Less pointer signedness warnings.
  844. 2006-05-09 Love Hörnquist Åstrand <lha@it.su.se>
  845. * accept_sec_context.c (gsskrb5_is_cfx): always set is_cfx. From
  846. Andrew Abartlet.
  847. 2006-05-08 Love Hörnquist Åstrand <lha@it.su.se>
  848. * get_mic.c (mic_des3): make sure message_buffer doesn't point to
  849. free()ed memory on failure. Pointed out by IBM checker.
  850. 2006-05-05 Love Hörnquist Åstrand <lha@it.su.se>
  851. * Rename u_intXX_t to uintXX_t
  852. 2006-05-04 Love Hörnquist Åstrand <lha@it.su.se>
  853. * cfx.c: Less pointer signedness warnings.
  854. * arcfour.c: Avoid pointer signedness warnings.
  855. * gssapi_locl.h (gssapi_decode_*): make data argument const void *
  856. * 8003.c (gssapi_decode_*): make data argument const void *
  857. 2006-04-12 Love Hörnquist Åstrand <lha@it.su.se>
  858. * export_sec_context.c: Export sequence order element. From Wynn
  859. Wilkes <wynn.wilkes@quest.com>.
  860. * import_sec_context.c: Import sequence order element. From Wynn
  861. Wilkes <wynn.wilkes@quest.com>.
  862. * sequence.c (_gssapi_msg_order_import,_gssapi_msg_order_export):
  863. New functions, used by {import,export}_sec_context. From Wynn
  864. Wilkes <wynn.wilkes@quest.com>.
  865. * test_sequence.c: Add test for import/export sequence.
  866. 2006-04-09 Love Hörnquist Åstrand <lha@it.su.se>
  867. * add_cred.c: Check that cred != GSS_C_NO_CREDENTIAL, this is a
  868. standard conformance failure, but much better then a crash.
  869. 2006-04-02 Love Hörnquist Åstrand <lha@it.su.se>
  870. * get_mic.c (get_mic*)_: make sure message_token is cleaned on
  871. error, found by IBM checker.
  872. * wrap.c (wrap*): Reset output_buffer on error, found by IBM
  873. checker.
  874. 2006-02-15 Love Hörnquist Åstrand <lha@it.su.se>
  875. * import_name.c: Accept both GSS_C_NT_HOSTBASED_SERVICE and
  876. GSS_C_NT_HOSTBASED_SERVICE_X as nametype for hostbased names.
  877. 2006-01-16 Love Hörnquist Åstrand <lha@it.su.se>
  878. * delete_sec_context.c (gss_delete_sec_context): if the context
  879. handle is GSS_C_NO_CONTEXT, don't fall over.
  880. 2005-12-12 Love Hörnquist Åstrand <lha@it.su.se>
  881. * gss_acquire_cred.3: Replace gss_krb5_import_ccache with
  882. gss_krb5_import_cred and add more references
  883. 2005-12-05 Love Hörnquist Åstrand <lha@it.su.se>
  884. * gssapi.h: Change gss_krb5_import_ccache to gss_krb5_import_cred,
  885. it can handle keytabs too.
  886. * add_cred.c (gss_add_cred): avoid deadlock
  887. * context_time.c (gssapi_lifetime_left): define the 0 lifetime as
  888. GSS_C_INDEFINITE.
  889. 2005-12-01 Love Hörnquist Åstrand <lha@it.su.se>
  890. * acquire_cred.c (acquire_acceptor_cred): only check if principal
  891. exists if we got called with principal as an argument.
  892. * acquire_cred.c (acquire_acceptor_cred): check that the acceptor
  893. exists in the keytab before returning ok.
  894. 2005-11-29 Love Hörnquist Åstrand <lha@it.su.se>
  895. * copy_ccache.c (gss_krb5_import_cred): fix buglet, from Andrew
  896. Bartlett.
  897. 2005-11-25 Love Hörnquist Åstrand <lha@it.su.se>
  898. * test_kcred.c: Rename gss_krb5_import_ccache to
  899. gss_krb5_import_cred.
  900. * copy_ccache.c: Rename gss_krb5_import_ccache to
  901. gss_krb5_import_cred and let it grow code to handle keytabs too.
  902. 2005-11-02 Love Hörnquist Åstrand <lha@it.su.se>
  903. * init_sec_context.c: Change sematics of ok-as-delegate to match
  904. windows if
  905. [gssapi]realm/ok-as-delegate=true is set, otherwise keep old
  906. sematics.
  907. * release_cred.c (gss_release_cred): use
  908. GSS_CF_DESTROY_CRED_ON_RELEASE to decide if the cache should be
  909. krb5_cc_destroy-ed
  910. * acquire_cred.c (acquire_initiator_cred):
  911. GSS_CF_DESTROY_CRED_ON_RELEASE on created credentials.
  912. * accept_sec_context.c (gsskrb5_accept_delegated_token): rewrite
  913. to use gss_krb5_import_ccache
  914. 2005-11-01 Love Hörnquist Åstrand <lha@it.su.se>
  915. * arcfour.c: Remove signedness warnings.
  916. 2005-10-31 Love Hörnquist Åstrand <lha@it.su.se>
  917. * gss_acquire_cred.3: Document that gss_krb5_import_ccache is copy
  918. by reference.
  919. * copy_ccache.c (gss_krb5_import_ccache): Instead of making a copy
  920. of the ccache, make a reference by getting the name and resolving
  921. the name. This way the cache is shared, this flipp side is of
  922. course that if someone calls krb5_cc_destroy the cache is lost for
  923. everyone.
  924. * test_kcred.c: Remove memory leaks.
  925. 2005-10-26 Love Hörnquist Åstrand <lha@it.su.se>
  926. * Makefile.am: build test_kcred
  927. * gss_acquire_cred.3: Document gss_krb5_import_ccache
  928. * gssapi.3: Sort and add gss_krb5_import_ccache.
  929. * acquire_cred.c (_gssapi_krb5_ccache_lifetime): break out code
  930. used to extract lifetime from a credential cache
  931. * gssapi_locl.h: Add _gssapi_krb5_ccache_lifetime, used to extract
  932. lifetime from a credential cache.
  933. * gssapi.h: add gss_krb5_import_ccache, reverse of
  934. gss_krb5_copy_ccache
  935. * copy_ccache.c: add gss_krb5_import_ccache, reverse of
  936. gss_krb5_copy_ccache
  937. * test_kcred.c: test gss_krb5_import_ccache
  938. 2005-10-21 Love Hörnquist Åstrand <lha@it.su.se>
  939. * acquire_cred.c (acquire_initiator_cred): use krb5_cc_cache_match
  940. to find a matching creditial cache, if that failes, fallback to
  941. the default cache.
  942. 2005-10-12 Love Hörnquist Åstrand <lha@it.su.se>
  943. * gssapi_locl.h: Add gssapi_krb5_set_status and
  944. gssapi_krb5_clear_status
  945. * init_sec_context.c (spnego_reply): Don't pass back raw Kerberos
  946. errors, use GSS-API errors instead. From Michael B Allen.
  947. * display_status.c: Add gssapi_krb5_clear_status,
  948. gssapi_krb5_set_status for handling error messages.
  949. 2005-08-23 Love Hörnquist Åstrand <lha@it.su.se>
  950. * external.c: Use rk_UNCONST to avoid const warning.
  951. * display_status.c: Constify strings to avoid warnings.
  952. 2005-08-11 Love Hörnquist Åstrand <lha@it.su.se>
  953. * init_sec_context.c: avoid warnings, update (c)
  954. 2005-07-13 Love Hörnquist Åstrand <lha@it.su.se>
  955. * init_sec_context.c (spnego_initial): use NegotiationToken
  956. encoder now that we have one with the new asn1. compiler.
  957. * Makefile.am: the new asn.1 compiler includes the modules name in
  958. the depend file
  959. 2005-06-16 Love Hörnquist Åstrand <lha@it.su.se>
  960. * decapsulate.c: use rk_UNCONST
  961. * ccache_name.c: rename to avoid shadowing
  962. * gssapi_locl.h: give kret in GSSAPI_KRB5_INIT a more unique name
  963. * process_context_token.c: use rk_UNCONST to unconstify
  964. * test_cred.c: rename optind to optidx
  965. 2005-05-30 Love Hörnquist Åstrand <lha@it.su.se>
  966. * init_sec_context.c (init_auth): honor ok-as-delegate if local
  967. configuration approves
  968. * gssapi_locl.h: prototype for _gss_check_compat
  969. * compat.c: export check_compat as _gss_check_compat
  970. 2005-05-29 Love Hörnquist Åstrand <lha@it.su.se>
  971. * init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
  972. problems with system headerfiles that pollute the name space.
  973. * accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
  974. problems with system headerfiles that pollute the name space.
  975. 2005-05-17 Love Hörnquist Åstrand <lha@it.su.se>
  976. * init_sec_context.c (init_auth): set
  977. KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility),
  978. also while here, use krb5_auth_con_addflags
  979. 2005-05-06 Love Hörnquist Åstrand <lha@it.su.se>
  980. * arcfour.c (_