/crypto/heimdal/lib/gssapi/ChangeLog
#! | 2970 lines | 1781 code | 1189 blank | 0 comment | 0 complexity | 064e0feaf998d4b0551c28c4ef696f4c MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, BSD-3-Clause, LGPL-2.0, LGPL-2.1, BSD-2-Clause, 0BSD, JSON, AGPL-1.0, GPL-2.0
- 2008-08-14 Love Hornquist Astrand <lha@10a140laptop.local>
- * krb5/accept_sec_context.c: If there is a initiator subkey, copy
- that to acceptor subkey to match windows behavior. From Metze.
- 2008-08-02 Love Hörnquist Åstrand <lha@h5l.org>
- * ntlm/init_sec_context.c: Catch error
- * krb5/inquire_sec_context_by_oid.c: Catch store failure.
- * mech/gss_canonicalize_name.c: Not init m, return never
- used (overwritten later).
- 2008-07-25 Love Hörnquist Åstrand <lha@kth.se>
- * ntlm/init_sec_context.c: Use krb5_cc_get_config.
- 2008-07-25 Love Hörnquist Åstrand <lha@kth.se>
- * krb5/init_sec_context.c: Match the orignal patch I got from
- metze, seems that DCE-STYLE is even more weirer then what I though
- when I merged the patch.
- 2008-06-02 Love Hörnquist Åstrand <lha@kth.se>
- * krb5/init_sec_context.c: Don't add asn1 wrapping to token when
- using DCE_STYLE. Patch from Stefan Metzmacher.
- 2008-05-27 Love Hörnquist Åstrand <lha@kth.se>
-
- * ntlm/init_sec_context.c: use krb5_get_error_message
- 2008-05-05 Love Hörnquist Åstrand <lha@kth.se>
-
- * spnego/spnego_locl.h: Add back "mech/utils.h", its needed for
- oid/buffer functions.
- 2008-05-02 Love Hörnquist Åstrand <lha@it.su.se>
- * spnego: Changes from doug barton to make spnego indepedant of
- the heimdal version of the plugin system.
- 2008-04-27 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5: use DES_set_key_unchecked()
- 2008-04-17 Love Hörnquist Åstrand <lha@it.su.se>
- * add __declspec() for windows.
- 2008-04-15 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/import_sec_context.c: Use tmp to read ac->flags value to
- avoid warning.
- 2008-04-07 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/gss_mech_switch.c: Use unsigned where appropriate.
- 2008-03-14 Love Hörnquist Åstrand <lha@it.su.se>
- * test_context.c: Add test for gsskrb5_register_acceptor_identity.
- 2008-03-09 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/init_sec_context.c (init_auth): use right variable to
- detect if we want to free or not.
- 2008-02-26 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: add missing \
- * Makefile.am: reshuffle depenencies
- * Add flag to krb5 to not add GSS-API INT|CONF to the negotiation
- 2008-02-21 Love Hörnquist Åstrand <lha@it.su.se>
- * make the SPNEGO mech store the error itself instead, works for
- everything except other stackable mechs
- 2008-02-18 Love Hörnquist Åstrand <lha@it.su.se>
- * spnego/init_sec_context.c (spnego_reply): if the reply token was
- of length 0, make it the same as no token. Pointed out by Zeqing
- Xia.
- * krb5/acquire_cred.c (acquire_initiator_cred): handle the
- credential cache better, use destroy/close when appriate and for
- all cases. Thanks to Michael Allen for point out the memory-leak
- that I also fixed.
- 2008-02-03 Love Hörnquist Åstrand <lha@it.su.se>
- * spnego/accept_sec_context.c: Make error reporting somewhat more
- correct for SPNEGO.
- 2008-01-27 Love Hörnquist Åstrand <lha@it.su.se>
- * test_common.c: Improve the error message.
- 2008-01-24 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/accept_sec_context.c: Avoid free-ing type1 message before
- its allocated.
-
- 2008-01-13 Love Hörnquist Åstrand <lha@it.su.se>
- * test_ntlm.c: Test source name (and make the acceptor in ntlm gss
- mech useful).
- 2007-12-30 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/init_sec_context.c: Don't confuse target name and source
- name, make regressiont tests pass again.
-
- 2007-12-29 Love Hörnquist Åstrand <lha@it.su.se>
-
- * ntlm: clean up name handling
- 2007-12-04 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/init_sec_context.c: Use credential if it was passed in.
- * ntlm/acquire_cred.c: Check if there is initial creds with
- _gss_ntlm_get_user_cred().
- * ntlm/init_sec_context.c: Add _gss_ntlm_get_user_info() that
- return the user info so it can be used by external modules.
- * ntlm/inquire_cred.c: use the right error code.
- * ntlm/inquire_cred.c: Return GSS_C_NO_CREDENTIAL if there is no
- credential, ntlm have (not yet) a default credential.
-
- * mech/gss_release_oid_set.c: Avoid trying to deref NULL, from
- Phil Fisher.
- 2007-12-03 Love Hörnquist Åstrand <lha@it.su.se>
-
- * test_acquire_cred.c: Always try to fetch cred (even with
- GSS_C_NO_NAME).
- 2007-08-09 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/gss_krb5.c: Readd gss_krb5_get_tkt_flags.
- 2007-08-08 Love Hörnquist Åstrand <lha@it.su.se>
- * spnego/compat.c (_gss_spnego_internal_delete_sec_context):
- release ctx->target_name too From Rafal Malinowski.
- 2007-07-26 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/gss_mech_switch.c: Don't try to do dlopen if system doesn't
- have dlopen. From Rune of Chalmers.
- 2007-07-10 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/gss_duplicate_name.c: New signature of _gss_find_mn.
- * mech/gss_init_sec_context.c: New signature of _gss_find_mn.
- * mech/gss_acquire_cred.c: New signature of _gss_find_mn.
- * mech/name.h: New signature of _gss_find_mn.
- * mech/gss_canonicalize_name.c: New signature of _gss_find_mn.
- * mech/gss_compare_name.c: New signature of _gss_find_mn.
- * mech/gss_add_cred.c: New signature of _gss_find_mn.
- * mech/gss_names.c (_gss_find_mn): Return an error code for
- caller.
- * spnego/accept_sec_context.c: remove checks that are done by the
- previous function.
- * Makefile.am: New library version.
- 2007-07-04 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/gss_oid_to_str.c: Refuse to print GSS_C_NULL_OID, from
- Rafal Malinowski.
- * spnego/spnego.asn1: Indent and make NegTokenInit and
- NegTokenResp extendable.
- 2007-06-21 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/inquire_cred.c: Implement _gss_ntlm_inquire_cred.
- * mech/gss_display_status.c: Provide message for GSS_S_COMPLETE.
-
- * mech/context.c: If the canned string is "", its no use to the
- user, make it fall back to the default error string.
-
- 2007-06-20 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/gss_display_name.c (gss_display_name): no name ->
- fail. From Rafal Malinswski.
- * spnego/accept_sec_context.c: Wrap name in a spnego_name instead
- of just a copy of the underlaying object. From Rafal Malinswski.
- * spnego/accept_sec_context.c: Handle underlaying mech not
- returning mn.
- * mech/gss_accept_sec_context.c: Handle underlaying mech not
- returning mn.
- * spnego/accept_sec_context.c: Make sure src_name is always set to
- GSS_C_NO_NAME when returning.
- * krb5/acquire_cred.c (acquire_acceptor_cred): don't claim
- everything is well on failure. From Phil Fisher.
- * mech/gss_duplicate_name.c: catch error (and ignore it)
- * ntlm/init_sec_context.c: Use heim_ntlm_calculate_ntlm2_sess.
- * mech/gss_accept_sec_context.c: Only wrap the delegated cred if
- we got a delegated mech cred. From Rafal Malinowski.
- * spnego/accept_sec_context.c: Only wrap the delegated cred if we
- are going to return it to the consumer. From Rafal Malinowski.
- * spnego/accept_sec_context.c: Fixed memory leak pointed out by
- Rafal Malinowski, also while here moved to use NegotiationToken
- for decoding.
- 2007-06-18 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/prf.c (_gsskrb5_pseudo_random): add missing break.
- * krb5/release_name.c: Set *minor_status unconditionallty, its
- done later anyway.
- * spnego/accept_sec_context.c: Init get_mic to 0.
- * mech/gss_set_cred_option.c: Free memory in failure case, found
- by beam.
- * mech/gss_inquire_context.c: Handle mech_type being NULL.
- * mech/gss_inquire_cred_by_mech.c: Handle cred_name being NULL.
- * mech/gss_krb5.c: Free memory in error case, found by beam.
- 2007-06-12 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/inquire_context.c: Use ctx->gssflags for flags.
- * krb5/display_name.c: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY, this is
- not ment for machine consumption.
- 2007-06-09 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/digest.c (kdc_alloc): free memory on failure, pointed out
- by Rafal Malinowski.
-
- * ntlm/digest.c (kdc_destroy): free context when done, pointed out
- by Rafal Malinowski.
- * spnego/context_stubs.c (_gss_spnego_display_name): if input_name
- is null, fail. From Rafal Malinowski.
-
- 2007-06-04 Love Hörnquist Åstrand <lha@it.su.se>
-
- * ntlm/digest.c: Free memory when done.
-
- 2007-06-02 Love Hörnquist Åstrand <lha@it.su.se>
- * test_ntlm.c: Test both with and without keyex.
- * ntlm/digest.c: If we didn't set session key, don't expect one
- back.
- * test_ntlm.c: Set keyex flag and calculate session key.
-
- 2007-05-31 Love Hörnquist Åstrand <lha@it.su.se>
-
- * spnego/accept_sec_context.c: Use the return value before is
- overwritten by later calls. From Rafal Malinowski
- * krb5/release_cred.c: Give an minor_status argument to
- gss_release_oid_set. From Rafal Malinowski
-
- 2007-05-30 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/accept_sec_context.c: Catch errors and return the up the
- stack.
- * test_kcred.c: more testing of lifetimes
-
- 2007-05-17 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: Drop the gss oid_set function for the krb5 mech,
- use the mech glue versions instead. Pointed out by Rafal
- Malinowski.
- * krb5: Use gss oid_set functions from mechglue
- 2007-05-14 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/accept_sec_context.c: Set session key only if we are
- returned a session key. Found by David Love.
-
- 2007-05-13 Love Hörnquist Åstrand <lha@it.su.se>
-
- * krb5/prf.c: switched MIN to min to make compile on solaris,
- pointed out by David Love.
-
- 2007-05-09 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/inquire_cred_by_mech.c: Fill in all of the variables if
- they are passed in. Pointed out by Phil Fisher.
-
- 2007-05-08 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/inquire_cred.c: Fix copy and paste error, bug spotted by
- from Phil Fisher.
- * mech: dont keep track of gc_usage, just figure it out at
- gss_inquire_cred() time
- * mech/gss_mech_switch.c (add_builtin): ok for
- __gss_mech_initialize() to return NULL
- * test_kcred.c: more correct tests
- * spnego/cred_stubs.c (gss_inquire_cred*): wrap the name with a
- spnego_name.
- * ntlm/inquire_cred.c: make ntlm gss_inquire_cred fail for now,
- need to find default cred and friends.
- * krb5/inquire_cred_by_mech.c: reimplement
-
- 2007-05-07 Love Hörnquist Åstrand <lha@it.su.se>
-
- * ntlm/acquire_cred.c: drop unused variable.
- * ntlm/acquire_cred.c: Reimplement.
- * Makefile.am: add ntlm/digest.c
- * ntlm: split out backend ntlm server processing
- 2007-04-24 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/delete_sec_context.c (_gss_ntlm_delete_sec_context): free
- credcache when done
-
- 2007-04-22 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/init_sec_context.c: ntlm-key credential entry is prefix with @
-
- * ntlm/init_sec_context.c (get_user_ccache): pick up the ntlm
- creds from the krb5 credential cache.
-
- 2007-04-21 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/delete_sec_context.c: free the key stored in the context
- * ntlm/ntlm.h: switch password for a key
- * test_oid.c: Switch oid to one that is exported.
-
- 2007-04-20 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/init_sec_context.c: move where hash is calculated to make
- it easier to add ccache support.
- * Makefile.am: Add version-script.map to EXTRA_DIST.
-
- 2007-04-19 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: Unconfuse newer versions of automake that doesn't
- know the diffrence between depenences and setting variables. foo:
- vs foo=.
- * test_ntlm.c: delete sec context when done.
- * version-script.map: export more symbols.
-
- * Makefile.am: add version script if ld supports it
-
- * version-script.map: add version script if ld supports it
-
- 2007-04-18 Love Hörnquist Åstrand <lha@it.su.se>
-
- * Makefile.am: test_acquire_cred need test_common.[ch]
- * test_acquire_cred.c: add more test options.
- * krb5/external.c: add GSS_KRB5_CCACHE_NAME_X
- * gssapi/gssapi_krb5.h: add GSS_KRB5_CCACHE_NAME_X
- * krb5/set_sec_context_option.c: refactor code, implement
- GSS_KRB5_CCACHE_NAME_X
- * mech/gss_krb5.c: reimplement gss_krb5_ccache_name
-
- 2007-04-17 Love Hörnquist Åstrand <lha@it.su.se>
-
- * spnego/cred_stubs.c: Need to import spnego name before we can
- use it as a gss_name_t.
- * test_acquire_cred.c: use this test as part of the regression
- suite.
- * mech/gss_acquire_cred.c (gss_acquire_cred): dont init
- cred->gc_mc every time in the loop.
-
- 2007-04-15 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: add test_common.h
-
- 2007-02-16 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: Add link for
- gsskrb5_register_acceptor_identity.
- 2007-02-08 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/copy_ccache.c: Try to leak less memory in the failure case.
-
- 2007-01-31 Love Hörnquist Åstrand <lha@it.su.se>
-
- * mech/gss_display_status.c: Use right printf formater.
- * test_*.[ch]: split out the error printing function and try to
- return better errors
- 2007-01-30 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/init_sec_context.c: revert 1.75: (init_auth): only turn on
- GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it.
-
- This is because Kerberos always support INT|CONF, matches behavior
- with MS and MIT. The creates problems for the GSS-SPNEGO mech.
-
- 2007-01-24 Love Hörnquist Åstrand <lha@it.su.se>
-
- * krb5/prf.c: constrain desired_output_len
- * krb5/external.c (krb5_mech): add _gsskrb5_pseudo_random
- * mech/gss_pseudo_random.c: Catch error from underlaying mech on
- failure.
- * Makefile.am: Add krb5/prf.c
- * krb5/prf.c: gss_pseudo_random for krb5
- * test_context.c: Checks for gss_pseudo_random.
- * krb5/gkrb5_err.et: add KG_INPUT_TOO_LONG
- * Makefile.am: Add mech/gss_pseudo_random.c
- * gssapi/gssapi.h: try to load pseudo_random
- * mech/gss_mech_switch.c: try to load pseudo_random
- * mech/gss_pseudo_random.c: Add gss_pseudo_random.
- * gssapi_mech.h: Add hook for gm_pseudo_random.
-
- 2007-01-17 Love Hörnquist Åstrand <lha@it.su.se>
-
- * test_context.c: Don't assume bufer from gss_display_status is
- ok.
- * mech/gss_wrap_size_limit.c: Reset out variables.
- * mech/gss_wrap.c: Reset out variables.
- * mech/gss_verify_mic.c: Reset out variables.
- * mech/gss_utils.c: Reset out variables.
- * mech/gss_release_oid_set.c: Reset out variables.
- * mech/gss_release_cred.c: Reset out variables.
- * mech/gss_release_buffer.c: Reset variables.
- * mech/gss_oid_to_str.c: Reset out variables.
- * mech/gss_inquire_sec_context_by_oid.c: Fix reset out variables.
- * mech/gss_mech_switch.c: Reset out variables.
- * mech/gss_inquire_sec_context_by_oid.c: Reset out variables.
- * mech/gss_inquire_names_for_mech.c: Reset out variables.
- * mech/gss_inquire_cred_by_oid.c: Reset out variables.
- * mech/gss_inquire_cred_by_oid.c: Reset out variables.
- * mech/gss_inquire_cred_by_mech.c: Reset out variables.
- * mech/gss_inquire_cred.c: Reset out variables, fix memory leak.
- * mech/gss_inquire_context.c: Reset out variables.
- * mech/gss_init_sec_context.c: Zero out outbuffer on failure.
- * mech/gss_import_name.c: Reset out variables.
- * mech/gss_import_name.c: Reset out variables.
- * mech/gss_get_mic.c: Reset out variables.
- * mech/gss_export_name.c: Reset out variables.
- * mech/gss_encapsulate_token.c: Reset out variables.
- * mech/gss_duplicate_oid.c: Reset out variables.
- * mech/gss_duplicate_oid.c: Reset out variables.
- * mech/gss_duplicate_name.c: Reset out variables.
- * mech/gss_display_status.c: Reset out variables.
- * mech/gss_display_name.c: Reset out variables.
- * mech/gss_delete_sec_context.c: Reset out variables using propper
- macros.
- * mech/gss_decapsulate_token.c: Reset out variables using propper
- macros.
- * mech/gss_add_cred.c: Reset out variables.
- * mech/gss_acquire_cred.c: Reset out variables.
- * mech/gss_accept_sec_context.c: Reset out variables using propper
- macros.
- * mech/gss_init_sec_context.c: Reset out variables.
- * mech/mech_locl.h (_mg_buffer_zero): new macro that zaps a
- gss_buffer_t
- 2007-01-16 Love Hörnquist Åstrand <lha@it.su.se>
-
- * mech: sprinkel _gss_mg_error
- * mech/gss_display_status.c (gss_display_status): use
- _gss_mg_get_error to fetch the error from underlaying mech, if it
- failes, let do the regular dance for GSS-CODE version and a
- generic print-the-error code for MECH-CODE.
- * mech/gss_oid_to_str.c: Don't include the NUL in the length of
- the string.
- * mech/context.h: Protoypes for _gss_mg_.
- * mech/context.c: Glue to catch the error from the lower gss-api
- layer and save that for later so gss_display_status() can show the
- error.
- * gss.c: Detect NTLM.
-
- 2007-01-11 Love Hörnquist Åstrand <lha@it.su.se>
-
- * mech/gss_accept_sec_context.c: spelling
-
- 2007-01-04 Love Hörnquist Åstrand <lha@it.su.se>
-
- * Makefile.am: Include build (private) prototypes header files.
- * Makefile.am (ntlmsrc): add ntlm/ntlm-private.h
-
- 2006-12-28 Love Hörnquist Åstrand <lha@it.su.se>
-
- * ntlm/accept_sec_context.c: Pass signseal argument to
- _gss_ntlm_set_key.
- * ntlm/init_sec_context.c: Pass signseal argument to
- _gss_ntlm_set_key.
- * ntlm/crypto.c (_gss_ntlm_set_key): add signseal argument
- * test_ntlm.c: add ntlmv2 test
- * ntlm/ntlm.h: break out struct ntlmv2_key;
- * ntlm/crypto.c (_gss_ntlm_set_key): set ntlm v2 keys.
- * ntlm/accept_sec_context.c: Set dummy ntlmv2 keys and Check TI.
- * ntlm/ntlm.h: NTLMv2 keys.
- * ntlm/crypto.c: NTLMv2 sign and verify.
-
- 2006-12-20 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/accept_sec_context.c: Don't send targetinfo now.
-
- * ntlm/init_sec_context.c: Build ntlmv2 answer buffer.
- * ntlm/init_sec_context.c: Leak less memory.
- * ntlm/init_sec_context.c: Announce that we support key exchange.
- * ntlm/init_sec_context.c: Add NTLM_NEG_NTLM2_SESSION, NTLMv2
- session security (disable because missing sign and seal).
-
- 2006-12-19 Love Hörnquist Åstrand <lha@it.su.se>
-
- * ntlm/accept_sec_context.c: split RC4 send and recv keystreams
- * ntlm/init_sec_context.c: split RC4 send and recv keystreams
- * ntlm/ntlm.h: split RC4 send and recv keystreams
- * ntlm/crypto.c: Implement SEAL.
- * ntlm/crypto.c: move gss_wrap/gss_unwrap here
- * test_context.c: request INT and CONF from the gss layer, test
- get and verify MIC.
- * ntlm/ntlm.h: add crypto bits.
- * ntlm/accept_sec_context.c: Save session master key.
- * Makefile.am: Move get and verify mic to the same file (crypto.c)
- since they share code.
- * ntlm/crypto.c: Move get and verify mic to the same file since
- they share code, implement NTLM v1 and dummy signatures.
- * ntlm/init_sec_context.c: pass on GSS_C_CONF_FLAG and
- GSS_C_INTEG_FLAG, save the session master key
-
- * spnego/accept_sec_context.c: try using gss_accept_sec_context()
- on the opportunistic token instead of guessing the acceptor name
- and do gss_acquire_cred, this make SPNEGO work like before.
-
- 2006-12-18 Love Hörnquist Åstrand <lha@it.su.se>
-
- * ntlm/init_sec_context.c: Calculate the NTLM version 1 "master"
- key.
- * spnego/accept_sec_context.c: Resurect negHints for the acceptor
- sends first packet.
-
- * Makefile.am: Add "windows" versions of the NegTokenInitWin and
- friends.
- * test_context.c: add --wrapunwrap flag
- * spnego/compat.c: move _gss_spnego_indicate_mechtypelist() to
- compat.c, use the sequence types of MechTypeList, make
- add_mech_type() static.
- * spnego/accept_sec_context.c: move
- _gss_spnego_indicate_mechtypelist() to compat.c
- * Makefile.am: Generate sequence code for MechTypeList
- * spnego: check that the generated acceptor mechlist is acceptable too
- * spnego/init_sec_context.c: Abstract out the initiator filter
- function, it will be needed for the acceptor too.
- * spnego/accept_sec_context.c: Abstract out the initiator filter
- function, it will be needed for the acceptor too. Remove negHints.
- * test_context.c: allow asserting return mech
- * ntlm/accept_sec_context.c: add _gss_ntlm_allocate_ctx
- * ntlm/acquire_cred.c: Check that the KDC seem to there and
- answering us, we can't do better then that wen checking if we will
- accept the credential.
- * ntlm/get_mic.c: return GSS_S_UNAVAILABLE
- * mech/utils.h: add _gss_free_oid, reverse of _gss_copy_oid
- * mech/gss_utils.c: add _gss_free_oid, reverse of _gss_copy_oid
- * spnego/spnego.asn1: Its very sad, but NegHints its are not part
- of the NegTokenInit, this makes SPNEGO acceptor life a lot harder.
-
- * spnego: try harder to handle names better. handle missing
- acceptor and initator creds better (ie dont propose/accept mech
- that there are no credentials for) split NegTokenInit and
- NegTokenResp in acceptor
- 2006-12-16 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/import_name.c: Allocate the buffer from the right length.
-
- 2006-12-15 Love Hörnquist Åstrand <lha@it.su.se>
- * ntlm/init_sec_context.c (init_sec_context): Tell the other side
- what domain we think we are talking to.
- * ntlm/delete_sec_context.c: free username and password
- * ntlm/release_name.c (_gss_ntlm_release_name): free name.
- * ntlm/import_name.c (_gss_ntlm_import_name): add support for
- GSS_C_NT_HOSTBASED_SERVICE names
- * ntlm/ntlm.h: Add ntlm_name.
- * test_context.c: allow testing of ntlm.
- * gssapi_mech.h: add __gss_ntlm_initialize
- * ntlm/accept_sec_context.c (handle_type3): verify that the kdc
- approved of the ntlm exchange too
- * mech/gss_mech_switch.c: Add the builtin ntlm mech
- * test_ntlm.c: NTLM test app.
- * mech/gss_accept_sec_context.c: Add detection of NTLMSSP.
- * gssapi/gssapi.h: add ntlm mech oid
- * ntlm/external.c: Switch OID to the ms ntlmssp oid
- * Makefile.am: Add ntlm gss-api module.
- * ntlm/accept_sec_context.c: Catch more error errors.
- * ntlm/accept_sec_context.c: Check after a credential to use.
-
- 2006-12-14 Love Hörnquist Åstrand <lha@it.su.se>
-
- * krb5/set_sec_context_option.c (GSS_KRB5_SET_DEFAULT_REALM_X):
- don't fail on success. Bug report from Stefan Metzmacher.
-
- 2006-12-13 Love Hörnquist Åstrand <lha@it.su.se>
-
- * krb5/init_sec_context.c (init_auth): only turn on
- GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it.
- From Stefan Metzmacher.
-
- 2006-12-11 Love Hörnquist Åstrand <lha@it.su.se>
-
- * Makefile.am (libgssapi_la_OBJECTS): depends on gssapi_asn1.h
- spnego_asn1.h.
- 2006-11-20 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/acquire_cred.c: Make krb5_get_init_creds_opt_free take a
- context argument.
-
- 2006-11-16 Love Hörnquist Åstrand <lha@it.su.se>
-
- * test_context.c: Test that token keys are the same, return
- actual_mech.
-
- 2006-11-15 Love Hörnquist Åstrand <lha@it.su.se>
- * spnego/spnego_locl.h: Make bitfields unsigned, add maybe_open.
- * spnego/accept_sec_context.c: Use ASN.1 encoder functions to
- encode CHOICE structure now that we can handle it.
- * spnego/init_sec_context.c: Use ASN.1 encoder functions to encode
- CHOICE structure now that we can handle it.
- * spnego/accept_sec_context.c (_gss_spnego_accept_sec_context):
- send back ad accept_completed when the security context is ->open,
- w/o this the client doesn't know that the server have completed
- the transaction.
- * test_context.c: Add delegate flag and check that the delegated
- cred works.
- * spnego/init_sec_context.c: Keep track of the opportunistic token
- in the inital message, it might be a complete gss-api context, in
- that case we'll get back accept_completed without any token. With
- this change, krb5 w/o mutual authentication works.
- * spnego/accept_sec_context.c: Use ASN.1 encoder functions to
- encode CHOICE structure now that we can handle it.
- * spnego/accept_sec_context.c: Filter out SPNEGO from the out
- supported mechs list and make sure we don't select that for the
- preferred mechamism.
-
- 2006-11-14 Love Hörnquist Åstrand <lha@it.su.se>
-
- * mech/gss_init_sec_context.c (_gss_mech_cred_find): break out the
- cred finding to its own function
- * krb5/wrap.c: Better error strings, from Andrew Bartlet.
-
- 2006-11-13 Love Hörnquist Åstrand <lha@it.su.se>
-
- * test_context.c: Create our own krb5_context.
- * krb5: Switch from using a specific error message context in the
- TLS to have a whole krb5_context in TLS. This have some
- interestion side-effekts for the configruration setting options
- since they operate on per-thread basis now.
- * mech/gss_set_cred_option.c: When calling ->gm_set_cred_option
- and checking for success, use GSS_S_COMPLETE. From Andrew Bartlet.
-
- 2006-11-12 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: Help solaris make even more.
- * Makefile.am: Help solaris make.
-
- 2006-11-09 Love Hörnquist Åstrand <lha@it.su.se>
-
- * Makefile.am: remove include $(srcdir)/Makefile-digest.am for now
- * mech/gss_accept_sec_context.c: Try better guessing what is mech
- we are going to select by looking harder at the input_token, idea
- from Luke Howard's mechglue branch.
- * Makefile.am: libgssapi_la_OBJECTS: add depency on gkrb5_err.h
- * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X
- * mech/gss_krb5.c: implement gss_krb5_set_allowable_enctypes
- * gssapi/gssapi.h: GSS_KRB5_S_
- * krb5/gsskrb5_locl.h: Include <gkrb5_err.h>.
- * gssapi/gssapi_krb5.h: Add gss_krb5_set_allowable_enctypes.
- * Makefile.am: Build and install gkrb5_err.h
- * krb5/gkrb5_err.et: Move the GSS_KRB5_S error here.
-
- 2006-11-08 Love Hörnquist Åstrand <lha@it.su.se>
-
- * mech/gss_krb5.c: Add gsskrb5_set_default_realm.
- * krb5/set_sec_context_option.c: Support
- GSS_KRB5_SET_DEFAULT_REALM_X.
- * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DEFAULT_REALM_X
- * krb5/external.c: add GSS_KRB5_SET_DEFAULT_REALM_X
-
- 2006-11-07 Love Hörnquist Åstrand <lha@it.su.se>
-
- * test_context.c: rename krb5_[gs]et_time_wrap to
- krb5_[gs]et_max_time_skew
- * krb5/copy_ccache.c: _gsskrb5_extract_authz_data_from_sec_context
- no longer used, bye bye
- * mech/gss_krb5.c: No depenency of the krb5 gssapi mech.
- * mech/gss_krb5.c (gsskrb5_extract_authtime_from_sec_context): use
- _gsskrb5_decode_om_uint32. From Andrew Bartlet.
- * mech/gss_krb5.c: Add dummy gss_krb5_set_allowable_enctypes for
- now.
- * spnego/spnego_locl.h: Include <roken.h> for compatiblity.
- * krb5/arcfour.c: Use IS_DCE_STYLE flag. There is no padding in
- DCE-STYLE, don't try to use to. From Andrew Bartlett.
- * test_context.c: test wrap/unwrap, add flag for dce-style and
- mutual auth, also support multi-roundtrip sessions
- * krb5/gsskrb5_locl.h: Add IS_DCE_STYLE macro.
- * krb5/accept_sec_context.c (gsskrb5_acceptor_start): use
- krb5_rd_req_ctx
- * mech/gss_krb5.c (gsskrb5_get_subkey): return the per message
- token subkey
- * krb5/inquire_sec_context_by_oid.c: check if there is any key at
- all
-
- 2006-11-06 Love Hörnquist Åstrand <lha@it.su.se>
-
- * krb5/inquire_sec_context_by_oid.c: Set more error strings, use
- right enum for acceptor subkey. From Andrew Bartlett.
-
- 2006-11-04 Love Hörnquist Åstrand <lha@it.su.se>
- * test_context.c: Test gsskrb5_extract_service_keyblock, needed in
- PAC valication. From Andrew Bartlett
- * mech/gss_krb5.c: Add gsskrb5_extract_authz_data_from_sec_context
- and keyblock extraction functions.
- * gssapi/gssapi_krb5.h: Add extraction of keyblock function, from
- Andrew Bartlett.
- * krb5/external.c: Add GSS_KRB5_GET_SERVICE_KEYBLOCK_X
-
- 2006-11-03 Love Hörnquist Åstrand <lha@it.su.se>
- * test_context.c: Rename various routines and constants from
- canonize to canonicalize. From Andrew Bartlett
- * mech/gss_krb5.c: Rename various routines and constants from
- canonize to canonicalize. From Andrew Bartlett
- * krb5/set_sec_context_option.c: Rename various routines and
- constants from canonize to canonicalize. From Andrew Bartlett
- * krb5/external.c: Rename various routines and constants from
- canonize to canonicalize. From Andrew Bartlett
-
- * gssapi/gssapi_krb5.h: Rename various routines and constants from
- canonize to canonicalize. From Andrew Bartlett
-
- 2006-10-25 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/accept_sec_context.c (gsskrb5_accept_delegated_token): need
- to free ccache
-
- 2006-10-24 Love Hörnquist Åstrand <lha@it.su.se>
-
- * test_context.c (loop): free target_name
- * mech/gss_accept_sec_context.c: SLIST_INIT the ->gc_mc'
-
- * mech/gss_acquire_cred.c : SLIST_INIT the ->gc_mc'
- * krb5/init_sec_context.c: Avoid leaking memory.
- * mech/gss_buffer_set.c (gss_release_buffer_set): don't leak the
- ->elements memory.
- * test_context.c: make compile
- * krb5/cfx.c (_gssapi_verify_mic_cfx): always free crypto context.
- * krb5/set_cred_option.c (import_cred): free sp
-
- 2006-10-22 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/gss_add_oid_set_member.c: Use old implementation of
- gss_add_oid_set_member, it leaks less memory.
- * krb5/test_cfx.c: free krb5_crypto.
- * krb5/test_cfx.c: free krb5_context
- * mech/gss_release_name.c (gss_release_name): free input_name
- it-self.
-
- 2006-10-21 Love Hörnquist Åstrand <lha@it.su.se>
- * test_context.c: Call setprogname.
- * mech/gss_krb5.c: Add gsskrb5_extract_authtime_from_sec_context.
- * gssapi/gssapi_krb5.h: add
- gsskrb5_extract_authtime_from_sec_context
-
- 2006-10-20 Love Hörnquist Åstrand <lha@it.su.se>
-
- * krb5/inquire_sec_context_by_oid.c: Add get_authtime.
- * krb5/external.c: add GSS_KRB5_GET_AUTHTIME_X
- * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_AUTHTIME_X
- * krb5/set_sec_context_option.c: Implement GSS_KRB5_SEND_TO_KDC_X.
- * mech/gss_krb5.c: Add gsskrb5_set_send_to_kdc
- * gssapi/gssapi_krb5.h: Add GSS_KRB5_SEND_TO_KDC_X and
- gsskrb5_set_send_to_kdc
- * krb5/external.c: add GSS_KRB5_SEND_TO_KDC_X
- * Makefile.am: more files
-
- 2006-10-19 Love Hörnquist Åstrand <lha@it.su.se>
-
- * Makefile.am: remove spnego/gssapi_spnego.h, its now in gssapi/
- * test_context.c: Allow specifing mech.
- * krb5/external.c: add GSS_SASL_DIGEST_MD5_MECHANISM (for now)
- * gssapi/gssapi.h: Rename GSS_DIGEST_MECHANISM to
- GSS_SASL_DIGEST_MD5_MECHANISM
-
- 2006-10-18 Love Hörnquist Åstrand <lha@it.su.se>
-
- * mech/gssapi.asn1: Make it into a heim_any_set, its doesn't
- except a tag.
- * mech/gssapi.asn1: GSSAPIContextToken is IMPLICIT SEQUENCE
- * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X
- * krb5/external.c: Add GSS_KRB5_GET_ACCEPTOR_SUBKEY_X.
- * gssapi/gssapi_krb5.h: add GSS_KRB5_GET_INITIATOR_SUBKEY_X and
- GSS_KRB5_GET_SUBKEY_X
- * krb5/external.c: add GSS_KRB5_GET_INITIATOR_SUBKEY_X,
- GSS_KRB5_GET_SUBKEY_X
-
- 2006-10-17 Love Hörnquist Åstrand <lha@it.su.se>
-
- * test_context.c: Support switching on name type oid's
- * test_context.c: add test for dns canon flag
- * mech/gss_krb5.c: Add gsskrb5_set_dns_canonlize.
- * gssapi/gssapi_krb5.h: remove gss_krb5_compat_des3_mic
- * gssapi/gssapi_krb5.h: Add gsskrb5_set_dns_canonlize.
- * krb5/set_sec_context_option.c: implement
- GSS_KRB5_SET_DNS_CANONIZE_X
- * gssapi/gssapi_krb5.h: add GSS_KRB5_SET_DNS_CANONIZE_X
- * krb5/external.c: add GSS_KRB5_SET_DNS_CANONIZE_X
- * mech/gss_krb5.c: add bits to make lucid context work
-
- 2006-10-14 Love Hörnquist Åstrand <lha@it.su.se>
-
- * mech/gss_oid_to_str.c: Prefix der primitives with der_.
- * krb5/inquire_sec_context_by_oid.c: Prefix der primitives with
- der_.
- * krb5/encapsulate.c: Prefix der primitives with der_.
- * mech/gss_oid_to_str.c: New der_print_heim_oid signature.
-
- 2006-10-12 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: add test_context
- * krb5/inquire_sec_context_by_oid.c: Make it work.
- * test_oid.c: Test lucid oid.
- * gssapi/gssapi.h: Add OM_uint64_t.
- * krb5/inquire_sec_context_by_oid.c: Add lucid interface.
- * krb5/external.c: Add lucid interface, renumber oids to my
- delegated space.
- * mech/gss_krb5.c: Add lucid interface.
- * gssapi/gssapi_krb5.h: Add lucid interface.
- * spnego/spnego_locl.h: Maybe include <netdb.h>.
-
- 2006-10-09 Love Hörnquist Åstrand <lha@it.su.se>
-
- * mech/gss_mech_switch.c: define RTLD_LOCAL to 0 if not defined.
-
- 2006-10-08 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: install gssapi_krb5.H and gssapi_spnego.h
- * gssapi/gssapi_krb5.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.
- * gssapi/gssapi.h: Move krb5 stuff to <gssapi/gssapi_krb5.h>.
- * Makefile.am: Drop some -I no longer needed.
- * gssapi/gssapi_spnego.h: Move gssapi_spengo.h over here.
- * krb5: reference all include files using 'krb5/'
- 2006-10-07 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.h: Add file inclusion protection.
- * gssapi/gssapi.h: Correct header file inclusion protection.
- * gssapi/gssapi.h: Move the gssapi.h from lib/gssapi/ to
- lib/gssapi/gssapi/ to please automake.
-
- * spnego/spnego_locl.h: Maybe include <sys/types.h>.
- * mech/mech_locl.h: Include <roken.h>.
- * Makefile.am: split build files into dist_ and noinst_ SOURCES
-
- 2006-10-06 Love Hörnquist Åstrand <lha@it.su.se>
- * gss.c: #if 0 out unused code.
- * mech/gss_mech_switch.c: Cast argument to ctype(3) functions
- to (unsigned char).
-
- 2006-10-05 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/name.h: remove <sys/queue.h>
- * mech/mech_switch.h: remove <sys/queue.h>
-
- * mech/cred.h: remove <sys/queue.h>
- 2006-10-02 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/arcfour.c: Thinker more with header lengths.
- * krb5/arcfour.c: Improve the calcucation of header
- lengths. DCE-STYLE data is also padded so remove if (1 || ...)
- code.
- * krb5/wrap.c (_gsskrb5_wrap_size_limit): use
- _gssapi_wrap_size_arcfour for arcfour
- * krb5/arcfour.c: Move _gssapi_wrap_size_arcfour here.
- * Makefile.am: Split all mech to diffrent mechsrc variables.
- * spnego/context_stubs.c: Make internal function static (and
- rename).
-
- 2006-10-01 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/inquire_cred.c: Fix "if (x) lock(y)" bug. From Harald
- Barth.
- * spnego/spnego_locl.h: Include <sys/param.h> for MAXHOSTNAMELEN.
-
- 2006-09-25 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/arcfour.c: Add wrap support, interrop with itself but not
- w2k3s-sp1
- * krb5/gsskrb5_locl.h: move the arcfour specific stuff to the
- arcfour header.
- * krb5/arcfour.c: Support DCE-style unwrap, tested with
- w2k3server-sp1.
- * mech/gss_accept_sec_context.c (gss_accept_sec_context): if the
- token doesn't start with [APPLICATION 0] SEQUENCE, lets assume its
- a DCE-style kerberos 5 connection. XXX this needs to be made
- better in cause we get another GSS-API protocol violating
- protocol. It should be possible to detach the Kerberos DCE-style
- since it starts with a AP-REQ PDU, but that have to wait for now.
-
- 2006-09-22 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.h: Add GSS_C flags from
- draft-brezak-win2k-krb-rc4-hmac-04.txt.
- * krb5/delete_sec_context.c: Free service_keyblock and fwd_data,
- indent.
- * krb5/accept_sec_context.c: Merge of the acceptor part from the
- samba patch by Stefan Metzmacher and Andrew Bartlet.
- * krb5/init_sec_context.c: Add GSS_C_DCE_STYLE.
- * krb5/{init_sec_context.c,gsskrb5_locl.h}: merge most of the
- initiator part from the samba patch by Stefan Metzmacher and
- Andrew Bartlet (still missing DCE/RPC support)
- 2006-08-28 Love Hörnquist Åstrand <lha@it.su.se>
- * gss.c (help): use sl_slc_help().
-
- 2006-07-22 Love Hörnquist Åstrand <lha@it.su.se>
- * gss-commands.in: rename command to supported-mechanisms
- * Makefile.am: Make gss objects depend on the slc built
- gss-commands.h
-
- 2006-07-20 Love Hörnquist Åstrand <lha@it.su.se>
-
- * gss-commands.in: add slc commands for gss
- * krb5/gsskrb5_locl.h: Remove dup prototype of _gsskrb5_init()
- * Makefile.am: Add test_cfx
- * krb5/external.c: add GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
- * krb5/set_sec_context_option.c: catch
- GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
- * krb5/accept_sec_context.c: reimplement
- gsskrb5_register_acceptor_identity
- * mech/gss_krb5.c: implement gsskrb5_register_acceptor_identity
- * mech/gss_inquire_mechs_for_name.c: call _gss_load_mech
- * mech/gss_inquire_cred.c (gss_inquire_cred): call _gss_load_mech
- * mech/gss_mech_switch.c: Make _gss_load_mech() atomic and run
- only once, this have the side effect that _gss_mechs and
- _gss_mech_oids is only initialized once, so if just the users of
- these two global variables calls _gss_load_mech() first, it will
- act as a barrier and make sure the variables are never changed and
- we don't need to lock them.
- * mech/utils.h: no need to mark functions extern.
- * mech/name.h: no need to mark _gss_find_mn extern.
-
- 2006-07-19 Love Hörnquist Åstrand <lha@it.su.se>
-
- * krb5/cfx.c: Redo the wrap length calculations.
- * krb5/test_cfx.c: test max_wrap_size in cfx.c
- * mech/gss_display_status.c: Handle more error codes.
-
- 2006-07-07 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/mech_locl.h: Include <krb5-types.h> and "mechqueue.h"
- * mech/mechqueue.h: Add SLIST macros.
- * krb5/inquire_context.c: Don't free return values on success.
- * krb5/inquire_cred.c (_gsskrb5_inquire_cred): When cred provided
- is the default cred, acquire the acceptor cred and initator cred
- in two diffrent steps and then query them for the information,
- this way, the code wont fail if there are no keytab, but there is
- a credential cache.
- * mech/gss_inquire_cred.c: move the check if we found any cred
- where it matter for both cases
- (default cred and provided cred)
- * mech/gss_init_sec_context.c: If the desired mechanism can't
- convert the name to a MN, fail with GSS_S_BAD_NAME rather then a
- NULL de-reference.
-
- 2006-07-06 Love Hörnquist Åstrand <lha@it.su.se>
- * spnego/external.c: readd gss_spnego_inquire_names_for_mech
- * spnego/spnego_locl.h: reimplement
- gss_spnego_inquire_names_for_mech add support function
- _gss_spnego_supported_mechs
- * spnego/context_stubs.h: reimplement
- gss_spnego_inquire_names_for_mech add support function
- _gss_spnego_supported_mechs
- * spnego/context_stubs.c: drop gss_spnego_indicate_mechs
-
- * mech/gss_indicate_mechs.c: if the underlaying mech doesn't
- support gss_indicate_mechs, use the oid in the mechswitch
- structure
- * spnego/external.c: let the mech glue layer implement
- gss_indicate_mechs
- * spnego/cred_stubs.c (gss_spnego_acquire_cred): don't care about
- desired_mechs, get our own list with indicate_mechs and remove
- ourself.
-
- 2006-07-05 Love Hörnquist Åstrand <lha@it.su.se>
- * spnego/external.c: remove gss_spnego_inquire_names_for_mech, let
- the mechglue layer implement it
-
- * spnego/context_stubs.c: remove gss_spnego_inquire_names_for_mech, let
- the mechglue layer implement it
- * spnego/spnego_locl.c: remove gss_spnego_inquire_names_for_mech, let
- the mechglue layer implement it
- 2006-07-01 Love Hörnquist Åstrand <lha@it.su.se>
-
- * mech/gss_set_cred_option.c: fix argument to gss_release_cred
-
- 2006-06-30 Love Hörnquist Åstrand <lha@it.su.se>
- * krb5/init_sec_context.c: Make work on compilers that are
- somewhat more picky then gcc4 (like gcc2.95)
- * krb5/init_sec_context.c (do_delegation): use KDCOptions2int to
- convert fwd_flags to an integer, since otherwise int2KDCOptions in
- krb5_get_forwarded_creds wont do the right thing.
- * mech/gss_set_cred_option.c (gss_set_cred_option): free memory on
- failure
- * krb5/set_sec_context_option.c (_gsskrb5_set_sec_context_option):
- init global kerberos context
- * krb5/set_cred_option.c (_gsskrb5_set_cred_option): init global
- kerberos context
- * mech/gss_accept_sec_context.c: Insert the delegated sub cred on
- the delegated cred handle, not cred handle
- * mech/gss_accept_sec_context.c (gss_accept_sec_context): handle
- the case where ret_flags == NULL
- * mech/gss_mech_switch.c (add_builtin): set
- _gss_mech_switch->gm_mech_oid
- * mech/gss_set_cred_option.c (gss_set_cred_option): laod mechs
- * test_cred.c (gss_print_errors): don't try to print error when
- gss_display_status failed
- * Makefile.am: Add mech/gss_release_oid.c
-
- * mech/gss_release_oid.c: Add gss_release_oid, reverse of
- gss_duplicate_oid
- * spnego/compat.c: preferred_mech_type was allocated with
- gss_duplicate_oid in one place and assigned static varianbles a
- the second place. change that static assignement to
- gss_duplicate_oid and bring back gss_release_oid.
- * spnego/compat.c (_gss_spnego_delete_sec_context): don't release
- preferred_mech_type and negotiated_mech_type, they where never
- allocated from the begining.
-
- 2006-06-29 Love Hörnquist Åstrand <lha@it.su.se>
- * mech/gss_import_name.c (gss_import_name): avoid
- type-punned/strict aliasing rules
- * mech/gss_add_cred.c: avoid type-punned/strict aliasing rules
- * gssapi.h: Make gss_name_t an opaque type.
-
- * krb5: make gss_name_t an opaque type
- * krb5/set_cred_option.c: Add
- * mech/gss_set_cred_option.c (gss_set_cred_option): support the
- case where *cred_handle == NULL
- * mech/gss_krb5.c (gss_krb5_import_cred): make sure cred is
- GSS_C_NO_CREDENTIAL on failure.
- * mech/gss_acquire_cred.c (gss_acquire_cred): if desired_mechs is
- NO_OID_SET, there is a need to load the mechs, so always do that.
-
- 2006-06-28 Love Hörnquist Åstrand <lha@it.su.se>
-
- * krb5/inquire_cred_by_oid.c: Reimplement GSS_KRB5_COPY_CCACHE_X
- to instead pass a fullname to the credential, then resolve and
- copy out the content, and then close the cred.
- * mech/gss_krb5.c: Reimplement GSS_KRB5_COPY_CCACHE_X to instead
- pass a fullname to the credential, then resolve and copy out the
- content, and then close the cred.
-
- * krb5/inquire_cred_by_oid.c: make "work", GSS_KRB5_COPY_CCACHE_X
- interface needs to be re-done, currently its utterly broken.
- * mech/gss_set_cred_option.c: Make work.
- * krb5/external.c: Add _gsskrb5_set_{sec_context,cred}_option
- * mech/gss_krb5.c (gss_krb5_import_cred): implement
- * Makefile.am: Add gss_set_{sec_context,cred}_option and sort
-
- * mech/gss_set_{sec_context,cred}_option.c: add
- * gssapi.h: Add GSS_KRB5_IMPORT_CRED_X
- * test_*.c: make compile again
- * Makefile.am: Add lib dependencies and test programs
- * spnego: remove dependency on libkrb5
- * mech: Bug fixes, cleanup, compiler warnings, restructure code.
- * spnego: Rename gss_context_id_t and gss_cred_id_t to local names
- * krb5: repro copy the krb5 files here
- * mech: import Doug Rabson mechglue from freebsd
-
- * spnego: Import Luke Howard's SPNEGO from the mechglue branch
- 2006-06-22 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.h: Add oid_to_str.
- * Makefile.am: add oid_to_str and test_oid
-
- * oid_to_str.c: Add gss_oid_to_str
- * test_oid.c: Add test for gss_oid_to_str()
-
- 2006-05-13 Love Hörnquist Åstrand <lha@it.su.se>
- * verify_mic.c: Less pointer signedness warnings.
- * unwrap.c: Less pointer signedness warnings.
- * arcfour.c: Less pointer signedness warnings.
- * gssapi_locl.h: Use const void * to instead of unsigned char * to
- avoid pointer signedness warnings.
- * encapsulate.c: Use const void * to instead of unsigned char * to
- avoid pointer signedness warnings.
- * decapsulate.c: Use const void * to instead of unsigned char * to
- avoid pointer signedness warnings.
- * decapsulate.c: Less pointer signedness warnings.
- * cfx.c: Less pointer signedness warnings.
- * init_sec_context.c: Less pointer signedness warnings (partly by
- using the new asn.1 CHOICE decoder)
- * import_sec_context.c: Less pointer signedness warnings.
- 2006-05-09 Love Hörnquist Åstrand <lha@it.su.se>
- * accept_sec_context.c (gsskrb5_is_cfx): always set is_cfx. From
- Andrew Abartlet.
-
- 2006-05-08 Love Hörnquist Åstrand <lha@it.su.se>
- * get_mic.c (mic_des3): make sure message_buffer doesn't point to
- free()ed memory on failure. Pointed out by IBM checker.
-
- 2006-05-05 Love Hörnquist Åstrand <lha@it.su.se>
- * Rename u_intXX_t to uintXX_t
-
- 2006-05-04 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: Less pointer signedness warnings.
- * arcfour.c: Avoid pointer signedness warnings.
- * gssapi_locl.h (gssapi_decode_*): make data argument const void *
-
- * 8003.c (gssapi_decode_*): make data argument const void *
-
- 2006-04-12 Love Hörnquist Åstrand <lha@it.su.se>
-
- * export_sec_context.c: Export sequence order element. From Wynn
- Wilkes <wynn.wilkes@quest.com>.
- * import_sec_context.c: Import sequence order element. From Wynn
- Wilkes <wynn.wilkes@quest.com>.
- * sequence.c (_gssapi_msg_order_import,_gssapi_msg_order_export):
- New functions, used by {import,export}_sec_context. From Wynn
- Wilkes <wynn.wilkes@quest.com>.
- * test_sequence.c: Add test for import/export sequence.
-
- 2006-04-09 Love Hörnquist Åstrand <lha@it.su.se>
-
- * add_cred.c: Check that cred != GSS_C_NO_CREDENTIAL, this is a
- standard conformance failure, but much better then a crash.
-
- 2006-04-02 Love Hörnquist Åstrand <lha@it.su.se>
-
- * get_mic.c (get_mic*)_: make sure message_token is cleaned on
- error, found by IBM checker.
- * wrap.c (wrap*): Reset output_buffer on error, found by IBM
- checker.
-
- 2006-02-15 Love Hörnquist Åstrand <lha@it.su.se>
-
- * import_name.c: Accept both GSS_C_NT_HOSTBASED_SERVICE and
- GSS_C_NT_HOSTBASED_SERVICE_X as nametype for hostbased names.
-
- 2006-01-16 Love Hörnquist Åstrand <lha@it.su.se>
-
- * delete_sec_context.c (gss_delete_sec_context): if the context
- handle is GSS_C_NO_CONTEXT, don't fall over.
- 2005-12-12 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: Replace gss_krb5_import_ccache with
- gss_krb5_import_cred and add more references
-
- 2005-12-05 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.h: Change gss_krb5_import_ccache to gss_krb5_import_cred,
- it can handle keytabs too.
- * add_cred.c (gss_add_cred): avoid deadlock
- * context_time.c (gssapi_lifetime_left): define the 0 lifetime as
- GSS_C_INDEFINITE.
-
- 2005-12-01 Love Hörnquist Åstrand <lha@it.su.se>
- * acquire_cred.c (acquire_acceptor_cred): only check if principal
- exists if we got called with principal as an argument.
- * acquire_cred.c (acquire_acceptor_cred): check that the acceptor
- exists in the keytab before returning ok.
-
- 2005-11-29 Love Hörnquist Åstrand <lha@it.su.se>
-
- * copy_ccache.c (gss_krb5_import_cred): fix buglet, from Andrew
- Bartlett.
-
- 2005-11-25 Love Hörnquist Åstrand <lha@it.su.se>
- * test_kcred.c: Rename gss_krb5_import_ccache to
- gss_krb5_import_cred.
-
- * copy_ccache.c: Rename gss_krb5_import_ccache to
- gss_krb5_import_cred and let it grow code to handle keytabs too.
-
- 2005-11-02 Love Hörnquist Åstrand <lha@it.su.se>
- * init_sec_context.c: Change sematics of ok-as-delegate to match
- windows if
- [gssapi]realm/ok-as-delegate=true is set, otherwise keep old
- sematics.
-
- * release_cred.c (gss_release_cred): use
- GSS_CF_DESTROY_CRED_ON_RELEASE to decide if the cache should be
- krb5_cc_destroy-ed
-
- * acquire_cred.c (acquire_initiator_cred):
- GSS_CF_DESTROY_CRED_ON_RELEASE on created credentials.
- * accept_sec_context.c (gsskrb5_accept_delegated_token): rewrite
- to use gss_krb5_import_ccache
-
- 2005-11-01 Love Hörnquist Åstrand <lha@it.su.se>
- * arcfour.c: Remove signedness warnings.
-
- 2005-10-31 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: Document that gss_krb5_import_ccache is copy
- by reference.
- * copy_ccache.c (gss_krb5_import_ccache): Instead of making a copy
- of the ccache, make a reference by getting the name and resolving
- the name. This way the cache is shared, this flipp side is of
- course that if someone calls krb5_cc_destroy the cache is lost for
- everyone.
-
- * test_kcred.c: Remove memory leaks.
-
- 2005-10-26 Love Hörnquist Åstrand <lha@it.su.se>
-
- * Makefile.am: build test_kcred
-
- * gss_acquire_cred.3: Document gss_krb5_import_ccache
- * gssapi.3: Sort and add gss_krb5_import_ccache.
-
- * acquire_cred.c (_gssapi_krb5_ccache_lifetime): break out code
- used to extract lifetime from a credential cache
- * gssapi_locl.h: Add _gssapi_krb5_ccache_lifetime, used to extract
- lifetime from a credential cache.
- * gssapi.h: add gss_krb5_import_ccache, reverse of
- gss_krb5_copy_ccache
- * copy_ccache.c: add gss_krb5_import_ccache, reverse of
- gss_krb5_copy_ccache
- * test_kcred.c: test gss_krb5_import_ccache
-
- 2005-10-21 Love Hörnquist Åstrand <lha@it.su.se>
- * acquire_cred.c (acquire_initiator_cred): use krb5_cc_cache_match
- to find a matching creditial cache, if that failes, fallback to
- the default cache.
-
- 2005-10-12 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi_locl.h: Add gssapi_krb5_set_status and
- gssapi_krb5_clear_status
-
- * init_sec_context.c (spnego_reply): Don't pass back raw Kerberos
- errors, use GSS-API errors instead. From Michael B Allen.
- * display_status.c: Add gssapi_krb5_clear_status,
- gssapi_krb5_set_status for handling error messages.
-
- 2005-08-23 Love Hörnquist Åstrand <lha@it.su.se>
- * external.c: Use rk_UNCONST to avoid const warning.
-
- * display_status.c: Constify strings to avoid warnings.
-
- 2005-08-11 Love Hörnquist Åstrand <lha@it.su.se>
- * init_sec_context.c: avoid warnings, update (c)
- 2005-07-13 Love Hörnquist Åstrand <lha@it.su.se>
- * init_sec_context.c (spnego_initial): use NegotiationToken
- encoder now that we have one with the new asn1. compiler.
-
- * Makefile.am: the new asn.1 compiler includes the modules name in
- the depend file
- 2005-06-16 Love Hörnquist Åstrand <lha@it.su.se>
- * decapsulate.c: use rk_UNCONST
- * ccache_name.c: rename to avoid shadowing
- * gssapi_locl.h: give kret in GSSAPI_KRB5_INIT a more unique name
-
- * process_context_token.c: use rk_UNCONST to unconstify
-
- * test_cred.c: rename optind to optidx
- 2005-05-30 Love Hörnquist Åstrand <lha@it.su.se>
- * init_sec_context.c (init_auth): honor ok-as-delegate if local
- configuration approves
- * gssapi_locl.h: prototype for _gss_check_compat
- * compat.c: export check_compat as _gss_check_compat
- 2005-05-29 Love Hörnquist Åstrand <lha@it.su.se>
- * init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
- problems with system headerfiles that pollute the name space.
- * accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
- problems with system headerfiles that pollute the name space.
- 2005-05-17 Love Hörnquist Åstrand <lha@it.su.se>
- * init_sec_context.c (init_auth): set
- KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility),
- also while here, use krb5_auth_con_addflags
- 2005-05-06 Love Hörnquist Åstrand <lha@it.su.se>
- * arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap
- length. From: Tom Maher <tmaher@eecs.berkeley.edu>
- 2005-05-02 Dave Love <fx@gnu.org>
- * test_cred.c (main): Call setprogname.
- 2005-04-27 Love Hörnquist Åstrand <lha@it.su.se>
- * prefix all sequence symbols with _, they are not part of the
- GSS-API api. By comment from Wynn Wilkes <wynnw@vintela.com>
- 2005-04-10 Love Hörnquist Åstrand <lha@it.su.se>
- * accept_sec_context.c: break out the processing of the delegated
- credential to a separate function to make error handling easier,
- move the credential handling to after other setup is done
-
- * test_sequence.c: make less verbose in case of success
- * Makefile.am: add test_sequence to TESTS
- 2005-04-01 Love Hörnquist Åstrand <lha@it.su.se>
- * 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum
- isn't NULL From: Nicolas Pouvesle <npouvesle@tenablesecurity.com>
- 2005-03-21 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: use $(LIB_roken)
- 2005-03-16 Love Hörnquist Åstrand <lha@it.su.se>
- * display_status.c (gssapi_krb5_set_error_string): pass in the
- krb5_context to krb5_free_error_string
-
- 2005-03-15 Love Hörnquist Åstrand <lha@it.su.se>
- * display_status.c (gssapi_krb5_set_error_string): don't misuse
- the krb5_get_error_string api
- 2005-03-01 Love Hörnquist Åstrand <lha@it.su.se>
- * compat.c (_gss_DES3_get_mic_compat): don't unlock mutex
- here. Bug reported by Stefan Metzmacher <metze@samba.org>
- 2005-02-21 Luke Howard <lukeh@padl.com>
- * init_sec_context.c: don't call krb5_get_credentials() with
- KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache
- growing indefinitely as no key is found with KEYTYPE_NULL
- * compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is
- no longer used (however the mechListMIC behaviour is broken,
- rfc2478bis support requires the code in the mechglue branch)
- * init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
- * gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG
- 2005-01-05 Luke Howard <lukeh@padl.com>
- * 8003.c: use symbolic name for checksum type
- * accept_sec_context.c: allow client to indicate
- that subkey should be used
- * acquire_cred.c: plug leak
- * get_mic.c: use gss_krb5_get_subkey() instead
- of gss_krb5_get_{local,remote}key(), support
- KEYTYPE_ARCFOUR_56
- * gssapi_local.c: use gss_krb5_get_subkey(),
- support KEYTYPE_ARCFOUR_56
- * import_sec_context.c: plug leak
- * unwrap.c: use gss_krb5_get_subkey(),
- support KEYTYPE_ARCFOUR_56
- * verify_mic.c: use gss_krb5_get_subkey(),
- support KEYTYPE_ARCFOUR_56
- * wrap.c: use gss_krb5_get_subkey(),
- support KEYTYPE_ARCFOUR_56
- 2004-11-30 Love Hörnquist Åstrand <lha@it.su.se>
- * inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and
- gss_release_cred to avoid deadlock, from Luke Howard
- <lukeh@padl.com>.
- 2004-09-06 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context
- was renamed to gsskrb5_extract_authz_data_from_sec_context
-
- 2004-08-07 Love Hörnquist Åstrand <lha@it.su.se>
- * unwrap.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>
-
- * arcfour.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>
-
- 2004-05-06 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.3: spelling from Josef El-Rayes <josef@FreeBSD.org> while
- here, write some text about the SPNEGO situation
-
- 2004-04-08 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/
-
- 2004-04-07 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke
- Howard <lukeh@padl.com>
-
- * init_sec_context.c (spnego_reply): use
- _gss_spnego_require_mechlist_mic to figure out if we need to check
- MechListMIC; From: Luke Howard <lukeh@padl.com>
- * accept_sec_context.c (send_accept): use
- _gss_spnego_require_mechlist_mic to figure out if we need to send
- MechListMIC; From: Luke Howard <lukeh@padl.com>
- * gssapi_locl.h: add _gss_spnego_require_mechlist_mic
- From: Luke Howard <lukeh@padl.com>
- * compat.c: add _gss_spnego_require_mechlist_mic for compatibility
- with MS SPNEGO, From: Luke Howard <lukeh@padl.com>
-
- 2004-04-05 Love Hörnquist Åstrand <lha@it.su.se>
- * accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is
- an enctype, not keytype
- * accept_sec_context.c: use ASN1_MALLOC_ENCODE
-
- * init_sec_context.c: avoid the malloc loop and just allocate the
- propper amount of data
- * init_sec_context.c (spnego_initial): handle mech_token better
-
- 2004-03-19 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.h: add gss_krb5_get_tkt_flags
-
- * Makefile.am: add ticket_flags.c
-
- * ticket_flags.c: Get ticket-flags from acceptor ticket From: Luke
- Howard <lukeh@PADL.COM>
-
- * gss_acquire_cred.3: document gss_krb5_get_tkt_flags
-
- 2004-03-14 Love Hörnquist Åstrand <lha@it.su.se>
- * acquire_cred.c (gss_acquire_cred): check usage before even
- bothering to process it, add both keytab and initial tgt if
- requested
- * wrap.c: support cfx, try to handle acceptor asserted subkey
-
- * unwrap.c: support cfx, try to handle acceptor asserted subkey
-
- * verify_mic.c: support cfx
-
- * get_mic.c: support cfx
-
- * test_sequence.c: handle changed signature of
- gssapi_msg_order_create
- * import_sec_context.c: handle acceptor asserted subkey
-
- * init_sec_context.c: handle acceptor asserted subkey
-
- * accept_sec_context.c: handle acceptor asserted subkey
-
- * sequence.c: add dummy use_64 argument to gssapi_msg_order_create
-
- * gssapi_locl.h: add partial support for CFX
-
- * Makefile.am (noinst_PROGRAMS) += test_cred
-
- * test_cred.c: gssapi credential testing
- * test_acquire_cred.c: fix comment
-
- 2004-03-07 Love Hörnquist Åstrand <lha@it.su.se>
- * arcfour.h: drop structures for message formats, no longer used
-
- * arcfour.c: comment describing message formats
- * accept_sec_context.c (spnego_accept_sec_context): make sure the
- length of the choice element doesn't overrun us
-
- * init_sec_context.c (spnego_reply): make sure the length of the
- choice element doesn't overrun us
-
- * spnego.asn1: move NegotiationToken to avoid warning
-
- * spnego.asn1: uncomment NegotiationToken
-
- * Makefile.am: spnego_files += asn1_NegotiationToken.x
-
- 2004-01-25 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.h: add gss_krb5_ccache_name
-
- * Makefile.am (libgssapi_la_SOURCES): += ccache_name.c
-
- * ccache_name.c (gss_krb5_ccache_name): help function enable to
- set krb5 name, using out_name argument makes function no longer
- thread-safe
- * gssapi.3: add missing gss_krb5_ references
-
- * gss_acquire_cred.3: document gss_krb5_ccache_name
-
- 2003-12-12 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: make rrc a modulus operation if its longer then the
- length of the message, noticed by Sam Hartman
- 2003-12-07 Love Hörnquist Åstrand <lha@it.su.se>
- * accept_sec_context.c: use krb5_auth_con_addflags
-
- 2003-12-05 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: Wrap token id was in wrong order, found by Sam Hartman
-
- 2003-12-04 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: add AcceptorSubkey (but no code understand it yet) ignore
- unknown token flags
-
- 2003-11-22 Love Hörnquist Åstrand <lha@it.su.se>
- * accept_sec_context.c: Don't require timestamp to be set on
- delegated token, its already protected by the outer token (and
- windows doesn't alway send it) Pointed out by Zi-Bin Yang
- <zbyang@decru.com> on heimdal-discuss
- 2003-11-14 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: fix {} error, pointed out by Liqiang Zhu
-
- 2003-11-10 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: Sequence number should be stored in bigendian order From:
- Luke Howard <lukeh@padl.com>
-
- 2003-11-09 Love Hörnquist Åstrand <lha@it.su.se>
- * delete_sec_context.c (gss_delete_sec_context): don't free
- ticket, krb5_free_ticket does that now
- 2003-11-06 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: checksum the header last in MIC token, update to -03
- From: Luke Howard <lukeh@padl.com>
-
- 2003-10-07 Love Hörnquist Åstrand <lha@it.su.se>
- * add_cred.c: If its a MEMORY cc, make a copy. We need to do this
- since now gss_release_cred will destroy the cred. This should be
- really be solved a better way.
- * acquire_cred.c (gss_release_cred): if its a mcc, destroy it
- rather the just release it Found by: "Zi-Bin Yang"
- <zbyang@decru.com>
- * acquire_cred.c (acquire_initiator_cred): use kret instead of ret
- where appropriate
- 2003-09-30 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: spelling
- From: jmc <jmc@prioris.mini.pw.edu.pl>
-
- 2003-09-23 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: - EC and RRC are big-endian, not little-endian - The
- default is now to rotate regardless of GSS_C_DCE_STYLE. There are
- no longer any references to GSS_C_DCE_STYLE. - rrc_rotate()
- avoids allocating memory on the heap if rrc <= 256
- From: Luke Howard <lukeh@padl.com>
-
- 2003-09-22 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.[ch]: rrc_rotate() was untested and broken, fix it.
- Set and verify wrap Token->Filler.
- Correct token ID for wrap tokens,
- were accidentally swapped with delete tokens.
- From: Luke Howard <lukeh@PADL.COM>
- 2003-09-21 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.[ch]: no ASN.1-ish header on per-message tokens
- From: Luke Howard <lukeh@PADL.COM>
-
- 2003-09-19 Love Hörnquist Åstrand <lha@it.su.se>
- * arcfour.h: remove depenency on gss_arcfour_mic_token and
- gss_arcfour_warp_token
- * arcfour.c: remove depenency on gss_arcfour_mic_token and
- gss_arcfour_warp_token
- 2003-09-18 Love Hörnquist Åstrand <lha@it.su.se>
- * 8003.c: remove #if 0'ed code
-
- 2003-09-17 Love Hörnquist Åstrand <lha@it.su.se>
- * accept_sec_context.c (gsskrb5_accept_sec_context): set sequence
- number when not requesting mutual auth From: Luke Howard
- <lukeh@PADL.COM>
- * init_sec_context.c (init_auth): set sequence number when not
- requesting mutual auth From: Luke Howard <lukeh@PADL.COM>
-
- 2003-09-16 Love Hörnquist Åstrand <lha@it.su.se>
- * arcfour.c (*): set minor_status
- (gss_wrap): set conf_state to conf_req_flags on success
- From: Luke Howard <lukeh@PADL.COM>
-
- * wrap.c (gss_wrap_size_limit): use existing function From: Luke
- Howard <lukeh@PADL.COM>
-
- 2003-09-12 Love Hörnquist Åstrand <lha@it.su.se>
- * indicate_mechs.c (gss_indicate_mechs): in case of error, free
- mech_set
- * indicate_mechs.c (gss_indicate_mechs): add SPNEGO
- 2003-09-10 Love Hörnquist Åstrand <lha@it.su.se>
- * init_sec_context.c (spnego_initial): catch errors and return
- them
- * init_sec_context.c (spnego_initial): add #if 0 out version of
- the CHOICE branch encoding, also where here, free no longer used
- memory
- 2003-09-09 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM
-
- * accept_sec_context.c: SPNEGO doesn't include gss wrapping on
- SubsequentContextToken like the Kerberos 5 mech does.
-
- * init_sec_context.c (spnego_reply): SPNEGO doesn't include gss
- wrapping on SubsequentContextToken like the Kerberos 5 mech
- does. Lets check for it anyway.
-
- * accept_sec_context.c: Add support for SPNEGO on the initator
- side. Implementation initially from Assar Westerlund, passes
- though quite a lot of hands before I commited it.
-
- * init_sec_context.c: Add support for SPNEGO on the initator side.
- Tested with ldap server on a Windows 2000 DC. Implementation
- initially from Assar Westerlund, passes though quite a lot of
- hands before I commited it.
-
- * gssapi.h: export GSS_SPNEGO_MECHANISM
-
- * gssapi_locl.h: include spnego_as.h add prototype for
- gssapi_krb5_get_mech
-
- * decapsulate.c (gssapi_krb5_get_mech): make non static
-
- * Makefile.am: build SPNEGO file
-
- 2003-09-08 Love Hörnquist Åstrand <lha@it.su.se>
- * external.c: SPENGO and IAKERB oids
-
- * spnego.asn1: SPENGO ASN1
-
- 2003-09-05 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.c: RRC also need to be zero before wraping them
- From: Luke Howard <lukeh@PADL.COM>
-
- 2003-09-04 Love Hörnquist Åstrand <lha@it.su.se>
- * encapsulate.c (gssapi_krb5_encap_length): don't return void
-
- 2003-09-03 Love Hörnquist Åstrand <lha@it.su.se>
- * verify_mic.c: switch from the des_ to the DES_ api
-
- * get_mic.c: switch from the des_ to the DES_ api
-
- * unwrap.c: switch from the des_ to the DES_ api
-
- * wrap.c: switch from the des_ to the DES_ api
-
- * cfx.c: EC is not included in the checksum since the length might
- change depending on the data. From: Luke Howard <lukeh@PADL.COM>
-
- * acquire_cred.c: use
- krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
- 2003-09-01 Love Hörnquist Åstrand <lha@it.su.se>
- * copy_ccache.c: rename
- gss_krb5_extract_authz_data_from_sec_context to
- gsskrb5_extract_authz_data_from_sec_context
- * gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to
- gsskrb5_extract_authz_data_from_sec_context
-
- 2003-08-31 Love Hörnquist Åstrand <lha@it.su.se>
- * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
- check that we have a ticket before we start to use it
-
- * gss_acquire_cred.3: document
- gss_krb5_extract_authz_data_from_sec_context
-
- * gssapi.h (gss_krb5_extract_authz_data_from_sec_context):
- return the kerberos authorizationdata, from idea of Luke Howard
- * copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
- return the kerberos authorizationdata, from idea of Luke Howard
-
- * verify_mic.c (gss_verify_mic_internal): switch type and key
- argument
- 2003-08-30 Love Hörnquist Åstrand <lha@it.su.se>
- * cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implemetation
- From: Luke Howard <lukeh@PADL.COM>
-
- 2003-08-28 Love Hörnquist Åstrand <lha@it.su.se>
- * arcfour.c (arcfour_mic_cksum): use free_Checksum to free the
- checksum
- * arcfour.h: swap two last arguments to verify_mic for consistency
- with des3
- * wrap.c,unwrap.c,get_mic.c,verify_mic.c,cfx.c,cfx.h:
- prefix cfx symbols with _gssapi_
- * arcfour.c: release the right buffer
-
- * arcfour.c: rename token structure in consistency with rest of
- GSS-API From: Luke Howard <lukeh@PADL.COM>
-
- * unwrap.c (unwrap_des3): use _gssapi_verify_pad
- (unwrap_des): use _gssapi_verify_pad
- * arcfour.c (_gssapi_wrap_arcfour): set the correct padding
- (_gssapi_unwrap_arcfour): verify and strip padding
- * gssapi_locl.h: added _gssapi_verify_pad
-
- * decapsulate.c (_gssapi_verify_pad): verify padding of a gss
- wrapped message and return its length
-
- * arcfour.c: support KEYTYPE_ARCFOUR_56 keys, from Luke Howard
- <lukeh@PADL.COM>
-
- * arcfour.c: use right seal alg, inherit keytype from parent key
-
- * arcfour.c: include the confounder in the checksum use the right
- key usage number for warped/unwraped tokens
-
- * gssapi.h: add gss_krb5_nt_general_name as an mit compat glue
- (same as GSS_KRB5_NT_PRINCIPAL_NAME)
- * unwrap.c: hook in arcfour unwrap
-
- * wrap.c: hook in arcfour wrap
-
- * verify_mic.c: hook in arcfour verify_mic
-
- * get_mic.c: hook in arcfour get_mic
-
- * arcfour.c: implement wrap/unwarp
-
- * gssapi_locl.h: add gssapi_{en,de}code_be_om_uint32
-
- * 8003.c: add gssapi_{en,de}code_be_om_uint32
-
- 2003-08-27 Love Hörnquist Åstrand <lha@it.su.se>
- * arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right
- area. Swap filler check, it was reversed.
-
- * Makefile.am (libgssapi_la_SOURCES): += arcfour.c
-
- * gssapi_locl.h: include "arcfour.h"
-
- * arcfour.c: arcfour gss-api mech, get_mic/verify_mic working
- * arcfour.h: arcfour gss-api mech, get_mic/verify_mic working
-
- 2003-08-26 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi_locl.h: always include cfx.h add prototype for
- _gssapi_decapsulate
- * cfx.[ch]: Implementation of draft-ietf-krb-wg-gssapi-cfx-00.txt
- from Luke Howard <lukeh@PADL.COM>
- * decapsulate.c: add _gssapi_decapsulate, from Luke Howard
- <lukeh@PADL.COM>
-
- 2003-08-25 Love Hörnquist Åstrand <lha@it.su.se>
- * unwrap.c: encap/decap now takes a oid if the enctype/keytype is
- arcfour, return error add hook for cfx
-
- * verify_mic.c: encap/decap now takes a oid if the enctype/keytype
- is arcfour, return error add hook for cfx
-
- * get_mic.c: encap/decap now takes a oid if the enctype/keytype is
- arcfour, return error add hook for cfx
-
- * accept_sec_context.c: encap/decap now takes a oid
-
- * init_sec_context.c: encap/decap now takes a oid
-
- * gssapi_locl.h: include cfx.h if we need it lifetime is a
- OM_uint32, depend on gssapi interface add all new encap/decap
- functions
-
- * decapsulate.c: add decap functions that doesn't take the token
- type also make all decap function take the oid mech that they
- should use
- * encapsulate.c: add encap functions that doesn't take the token
- type also make all encap function take the oid mech that they
- should use
- * sequence.c (elem_insert): fix a off by one index counter
-
- * inquire_cred.c (gss_inquire_cred): handle cred_handle being
- GSS_C_NO_CREDENTIAL and use the default cred then.
-
- 2003-08-19 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: break out extensions and document
- gsskrb5_register_acceptor_identity
- 2003-08-18 Love Hörnquist Åstrand <lha@it.su.se>
- * test_acquire_cred.c (print_time): time is returned in seconds
- from now, not unix time
- 2003-08-17 Love Hörnquist Åstrand <lha@it.su.se>
-
- * compat.c (check_compat): avoid leaking principal when finding a
- match
- * address_to_krb5addr.c: sa_size argument to krb5_addr2sockaddr is
- a krb5_socklen_t
- * acquire_cred.c (gss_acquire_cred): 4th argument to
- gss_test_oid_set_member is a int
- 2003-07-22 Love Hörnquist Åstrand <lha@it.su.se>
- * init_sec_context.c (repl_mutual): don't set kerberos error where
- there was no kerberos error
- * gssapi_locl.h: Add destruction/creation prototypes and structure
- for the thread specific storage.
- * display_status.c: use thread specific storage to set/get the
- kerberos error message
- * init.c: Provide locking around the creation of the global
- krb5_context. Add destruction/creation functions for the thread
- specific storage that the error string handling is using.
-
- 2003-07-20 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: add missing prototype and missing .Ft
- arguments
- 2003-06-17 Love Hörnquist Åstrand <lha@it.su.se>
- * verify_mic.c: reorder code so sequence numbers can can be used
-
- * unwrap.c: reorder code so sequence numbers can can be used
-
- * sequence.c: remove unused function, indent, add
- gssapi_msg_order_f that filter gss flags to gss_msg_order flags
-
- * gssapi_locl.h: prototypes for
- gssapi_{encode_om_uint32,decode_om_uint32} add sequence number
- verifier prototypes
- * delete_sec_context.c: destroy sequence number verifier
-
- * init_sec_context.c: remember to free data use sequence number
- verifier
-
- * accept_sec_context.c: don't clear output_token twice remember to
- free data use sequence number verifier
-
- * 8003.c: export and rename encode_om_uint32/decode_om_uint32 and
- start to use them
- 2003-06-09 Johan Danielsson <joda@pdc.kth.se>
- * Makefile.am: can't have sequence.c in two different places
- 2003-06-06 Love Hörnquist Åstrand <lha@it.su.se>
- * test_sequence.c: check rollover, print summery
-
- * wrap.c (sub_wrap_size): gss_wrap_size_limit() has
- req_output_size and max_input_size around the wrong way -- it
- returns the output token size for a given input size, rather than
- the maximum input size for a given output token size.
-
- From: Luke Howard <lukeh@PADL.COM>
-
- 2003-06-05 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi_locl.h: add prototypes for sequence.c
-
- * Makefile.am (libgssapi_la_SOURCES): add sequence.c
- (test_sequence): build
- * sequence.c: sequence number checks, order and replay
- * test_sequence.c: sequence number checks, order and replay
- 2003-06-03 Love Hörnquist Åstrand <lha@it.su.se>
- * accept_sec_context.c (gss_accept_sec_context): make sure time is
- returned in seconds from now, not in kerberos time
-
- * acquire_cred.c (gss_aquire_cred): make sure time is returned in
- seconds from now, not in kerberos time
-
- * init_sec_context.c (init_auth): if the cred is expired before we
- tries to create a token, fail so the peer doesn't need reject us
- (*): make sure time is returned in seconds from now,
- not in kerberos time
- (repl_mutual): remember to unlock the context mutex
- * context_time.c (gss_context_time): remove unused variable
-
- * verify_mic.c: make sure minor_status is always set, pointed out
- by Luke Howard <lukeh@PADL.COM>
- 2003-05-21 Love Hörnquist Åstrand <lha@it.su.se>
- * *.[ch]: do some basic locking (no reference counting so contexts
- can be removed while still used)
- - don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct
- - make sure all lifetime are returned in seconds left until expired,
- not in unix epoch
- * gss_acquire_cred.3: document argument lifetime_rec to function
- gss_inquire_context
- 2003-05-17 Love Hörnquist Åstrand <lha@it.su.se>
- * test_acquire_cred.c: test gss_add_cred more then once
-
- 2003-05-06 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.h: if __cplusplus, wrap the extern variable (just to be
- safe) and functions in extern "C" { }
-
- 2003-04-30 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.3: more about the des3 mic mess
-
- * verify_mic.c (verify_mic_des3): always check if the mic is the
- correct mic or the mic that old heimdal would have generated
-
- 2003-04-28 Jacques Vidrine <nectar@kth.se>
- * verify_mic.c (verify_mic_des3): If MIC verification fails,
- retry using the `old' MIC computation (with zero IV).
- 2003-04-26 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: more about difference between comparing IN
- and MN
- * gss_acquire_cred.3: more about name type and access control
-
- 2003-04-25 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: document gss_context_time
-
- * context_time.c: if lifetime of context have expired, set
- time_rec to 0 and return GSS_S_CONTEXT_EXPIRED
-
- * gssapi.3: document [gssapi]correct_des3_mic
- [gssapi]broken_des3_mic
- * gss_acquire_cred.3: document gss_krb5_compat_des3_mic
-
- * compat.c (gss_krb5_compat_des3_mic): enable turning on/off des3
- mic compat
- (_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too
- * gssapi.h (gss_krb5_compat_des3_mic): new function, turn on/off
- des3 mic compat
- (GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if
- gss_krb5_compat_des3_mic exists
-
- 2003-04-24 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: (libgssapi_la_LDFLAGS): update major
- version of gssapi for incompatiblity in 3des getmic support
-
- 2003-04-23 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not
- ./libgssapi.la (make make -jN work)
- 2003-04-16 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.3: spelling
-
- * gss_acquire_cred.3: Change .Fd #include <header.h> to .In
- header.h, from Thomas Klausner <wiz@netbsd.org>
-
- 2003-04-06 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: spelling
-
- * Makefile.am: remove stuff that sneaked in with last commit
-
- * acquire_cred.c (acquire_initiator_cred): if the requested name
- isn't in the ccache, also check keytab. Extact the krbtgt for the
- default realm to check how long the credentials will last.
-
- * add_cred.c (gss_add_cred): don't create a new ccache, just open
- the old one; better check if output handle is compatible with new
- (copied) handle
- * test_acquire_cred.c: test gss_add_cred too
-
- 2003-04-03 Love Hörnquist Åstrand <lha@it.su.se>
- * Makefile.am: build test_acquire_cred
-
- * test_acquire_cred.c: simple gss_acquire_cred test
-
- 2003-04-02 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: s/gssapi/GSS-API/
-
- 2003-03-19 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: document v1 interface (and that they are
- obsolete)
- 2003-03-18 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_acquire_cred.3: list supported mechanism and nametypes
-
- 2003-03-16 Love Hörnquist Åstrand <lha@it.su.se>
-
- * gss_acquire_cred.3: text about gss_display_name
- * Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2
- (libgssapi_la_SOURCES): add all new functions
- * gssapi.3: now that we have a functions, uncomment the missing
- ones
- * gss_acquire_cred.3: now that we have a functions, uncomment the
- missing ones
- * process_context_token.c: implement gss_process_context_token
-
- * inquire_names_for_mech.c: implement gss_inquire_names_for_mech
-
- * inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name
-
- * inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech
-
- * add_cred.c: implement gss_add_cred
-
- * acquire_cred.c (gss_acquire_cred): more testing of input
- argument, make sure output arguments are ok, since we don't know
- the time_rec (for now), set it to time_req
-
- * export_sec_context.c: send lifetime, also set minor_status
-
- * get_mic.c: set minor_status
-
- * import_sec_context.c (gss_import_sec_context): add error
- checking, pick up lifetime (if there is no lifetime, use
- GSS_C_INDEFINITE)
- * init_sec_context.c: take care to set export value to something
- sane before we start so caller will have harmless values in them
- if then function fails
- * release_buffer.c (gss_release_buffer): set minor_status
-
- * wrap.c: make sure minor_status get set
-
- * verify_mic.c (gss_verify_mic_internal): rename verify_mic to
- gss_verify_mic_internal and let it take the type as an argument,
- (gss_verify_mic): call gss_verify_mic_internal
- set minor_status
-
- * unwrap.c: set minor_status
-
- * test_oid_set_member.c (gss_test_oid_set_member): use
- gss_oid_equal
- * release_oid_set.c (gss_release_oid_set): set minor_status
-
- * release_name.c (gss_release_name): set minor_status
-
- * release_cred.c (gss_release_cred): set minor_status
-
- * add_oid_set_member.c (gss_add_oid_set_member): set minor_status
-
- * compare_name.c (gss_compare_name): set minor_status
-
- * compat.c (check_compat): make sure ret have a defined value
-
- * context_time.c (gss_context_time): set minor_status
-
- * copy_ccache.c (gss_krb5_copy_ccache): set minor_status
-
- * create_emtpy_oid_set.c (gss_create_empty_oid_set): set
- minor_status
- * delete_sec_context.c (gss_delete_sec_context): set minor_status
-
- * display_name.c (gss_display_name): set minor_status
-
- * display_status.c (gss_display_status): use gss_oid_equal, handle
- supplementary errors
- * duplicate_name.c (gss_duplicate_name): set minor_status
-
- * inquire_context.c (gss_inquire_context): set lifetime_rec now
- when we know it, set minor_status
- * inquire_cred.c (gss_inquire_cred): take care to set export value
- to something sane before we start so caller will have harmless
- values in them if the function fails
-
- * accept_sec_context.c (gss_accept_sec_context): take care to set
- export value to something sane before we start so caller will have
- harmless values in them if then function fails, set lifetime from
- ticket expiration date
- * indicate_mechs.c (gss_indicate_mechs): use
- gss_create_empty_oid_set and gss_add_oid_set_member
- * gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred,
- since there is no ticket transfered in the exported context
-
- * export_name.c (gss_export_name): export name with
- GSS_C_NT_EXPORT_NAME wrapping, not just the principal
-
- * import_name.c (import_export_name): new function, parses a
- GSS_C_NT_EXPORT_NAME
- (import_krb5_name): factor out common code of parsing krb5 name
- (gss_oid_equal): rename from oid_equal
- * gssapi_locl.h: add prototypes for gss_oid_equal and
- gss_verify_mic_internal
- * gssapi.h: comment out the argument names
-
- 2003-03-15 Love Hörnquist Åstrand <lha@it.su.se>
- * gssapi.3: add LIST OF FUNCTIONS and copyright/license
- * Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/
-
- * Makefile.am: man_MANS += gss_aquire_cred.3
-
- 2003-03-14 Love Hörnquist Åstrand <lha@it.su.se>
- * gss_aquire_cred.3: the gssapi api manpage
-
- 2003-03-03 Love Hörnquist Åstrand <lha@it.su.se>
- * inquire_context.c: (gss_inquire_context): rename argument open
- to open_context
- * gssapi.h (gss_inquire_context): rename argument open to open_context
- 2003-02-27 Love Hörnquist Åstrand <lha@it.su.se>
- * init_sec_context.c (do_delegation): remove unused variable
- subkey
- * gssapi.3: all 0.5.x version had broken token delegation
-
- 2003-02-21 Love Hörnquist Åstrand <lha@it.su.se>
- * (init_auth): only generate one subkey
- 2003-01-27 Love Hörnquist Åstrand <lha@it.su.se>
- * verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform
- to rfc (and mit kerberos), provide backward compat hook
-
- * get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and
- mit kerberos), provide backward compat hook
-
- * init_sec_context.c (init_auth): check if we need compat for
- older get_mic/verify_mic
- * gssapi_locl.h: add prototype for _gss_DES3_get_mic_compat
-
- * gssapi.h (more_flags): add COMPAT_OLD_DES3
-
- * Makefile.am: add gssapi.3 and compat.c
-
- * gssapi.3: add gssapi COMPATIBILITY documentation
-
- * accept_sec_context.c (gss_accept_sec_context): check if we need
- compat for older get_mic/verify_mic
- * compat.c: check for compatiblity with other heimdal's 3des
- get_mic/verify_mic
- 2002-10-31 Johan Danielsson <joda@pdc.kth.se>
- * check return value from gssapi_krb5_init
-
- * 8003.c (gssapi_krb5_verify_8003_checksum): check size of input
- 2002-09-03 Johan Danielsson <joda@pdc.kth.se>
- * wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE
- * unwrap.c (unwrap_des3): use ETYPE_DES3_CBC_NONE
- 2002-09-02 Johan Danielsson <joda@pdc.kth.se>
- * init_sec_context.c: we need to generate a local subkey here
- 2002-08-20 Jacques Vidrine <n@nectar.com>
- * acquire_cred.c, inquire_cred.c, release_cred.c: Use default
- credential resolution if gss_acquire_cred is called with
- GSS_C_NO_NAME.
- 2002-06-20 Jacques Vidrine <n@nectar.com>
- * import_name.c: Compare name types by value if pointers do
- not match. Reported by: "Douglas E. Engert" <deengert@anl.gov>
- 2002-05-20 Jacques Vidrine <n@nectar.com>
- * verify_mic.c (gss_verify_mic), unwrap.c (gss_unwrap): initialize
- the qop_state parameter. from Doug Rabson <dfr@nlsystems.com>
- 2002-05-09 Jacques Vidrine <n@nectar.com>
- * acquire_cred.c: handle GSS_C_INITIATE/GSS_C_ACCEPT/GSS_C_BOTH
- 2002-05-08 Jacques Vidrine <n@nectar.com>
- * acquire_cred.c: initialize gssapi; handle null desired_name
- 2002-03-22 Johan Danielsson <joda@pdc.kth.se>
- * Makefile.am: remove non-functional stuff accidentally committed
- 2002-03-11 Assar Westerlund <assar@sics.se>
- * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:5:2
- * 8003.c (gssapi_krb5_verify_8003_checksum): handle zero channel
- bindings
- 2001-10-31 Jacques Vidrine <n@nectar.com>
- * get_mic.c (mic_des3): MIC computation using DES3/SHA1
- was bogusly appending the message buffer to the result,
- overwriting a heap buffer in the process.
- 2001-08-29 Assar Westerlund <assar@sics.se>
- * 8003.c (gssapi_krb5_verify_8003_checksum,
- gssapi_krb5_create_8003_checksum): make more consistent by always
- returning an gssapi error and setting minor status. update
- callers
- 2001-08-28 Jacques Vidrine <n@nectar.com>
- * accept_sec_context.c: Create a cache for delegated credentials
- when needed.
- 2001-08-28 Assar Westerlund <assar@sics.se>
- * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2
- 2001-08-23 Assar Westerlund <assar@sics.se>
- * *.c: handle minor_status more consistently
- * display_status.c (gss_display_status): handle krb5_get_err_text
- failing
- 2001-08-15 Johan Danielsson <joda@pdc.kth.se>
- * gssapi_locl.h: fix prototype for gssapi_krb5_init
- 2001-08-13 Johan Danielsson <joda@pdc.kth.se>
- * accept_sec_context.c (gsskrb5_register_acceptor_identity): init
- context and check return value from kt_resolve
- * init.c: return error code
- 2001-07-19 Assar Westerlund <assar@sics.se>
- * Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2
- 2001-07-12 Assar Westerlund <assar@sics.se>
- * Makefile.am (libgssapi_la_LIBADD): add required library
- dependencies
- 2001-07-06 Assar Westerlund <assar@sics.se>
- * accept_sec_context.c (gsskrb5_register_acceptor_identity): set
- the keytab to be used for gss_acquire_cred too'
- 2001-07-03 Assar Westerlund <assar@sics.se>
- * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2
- 2001-06-18 Assar Westerlund <assar@sics.se>
- * wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
- and gss_krb5_get_remotekey
- * verify_mic.c: update krb5_auth_con function names use
- gss_krb5_get_remotekey
- * unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
- and gss_krb5_get_remotekey
- * gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey):
- add prototypes
- * get_mic.c: update krb5_auth_con function names. use
- gss_krb5_get_localkey
- * accept_sec_context.c: update krb5_auth_con function names
- 2001-05-17 Assar Westerlund <assar@sics.se>
- * Makefile.am: bump version to 3:1:2
- 2001-05-14 Assar Westerlund <assar@sics.se>
- * address_to_krb5addr.c: adapt to new address functions
- 2001-05-11 Assar Westerlund <assar@sics.se>
- * try to return the error string from libkrb5 where applicable
- 2001-05-08 Assar Westerlund <assar@sics.se>
- * delete_sec_context.c (gss_delete_sec_context): remember to free
- the memory used by the ticket itself. from <tmartin@mirapoint.com>
- 2001-05-04 Assar Westerlund <assar@sics.se>
- * gssapi_locl.h: add config.h for completeness
- * gssapi.h: remove config.h, this is an installed header file
- sys/types.h is not needed either
-
- 2001-03-12 Assar Westerlund <assar@sics.se>
- * acquire_cred.c (gss_acquire_cred): remove memory leaks. from
- Jason R Thorpe <thorpej@zembu.com>
- 2001-02-18 Assar Westerlund <assar@sics.se>
- * accept_sec_context.c (gss_accept_sec_context): either return
- gss_name NULL-ed or set
- * import_name.c: set minor_status in some cases where it was not
- done
- 2001-02-15 Assar Westerlund <assar@sics.se>
- * wrap.c: use krb5_generate_random_block for the confounders
- 2001-01-30 Assar Westerlund <assar@sics.se>
- * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2
- * acquire_cred.c, init_sec_context.c, release_cred.c: add support
- for getting creds from a keytab, from fvdl@netbsd.org
- * copy_ccache.c: add gss_krb5_copy_ccache
- 2001-01-27 Assar Westerlund <assar@sics.se>
- * get_mic.c: cast parameters to des function to non-const pointers
- to handle the case where these functions actually take non-const
- des_cblock *
- 2001-01-09 Assar Westerlund <assar@sics.se>
- * accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2
- instead of krb5_rd_cred
- 2000-12-11 Assar Westerlund <assar@sics.se>
- * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1
- 2000-12-08 Assar Westerlund <assar@sics.se>
- * wrap.c (wrap_des3): use the checksum as ivec when encrypting the
- sequence number
- * unwrap.c (unwrap_des3): use the checksum as ivec when encrypting
- the sequence number
- * init_sec_context.c (init_auth): always zero fwd_data
- 2000-12-06 Johan Danielsson <joda@pdc.kth.se>
- * accept_sec_context.c: de-pointerise auth_context parameter to
- krb5_mk_rep
- 2000-11-15 Assar Westerlund <assar@sics.se>
- * init_sec_context.c (init_auth): update to new
- krb5_build_authenticator
- 2000-09-19 Assar Westerlund <assar@sics.se>
- * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1
- 2000-08-27 Assar Westerlund <assar@sics.se>
- * init_sec_context.c: actually pay attention to `time_req'
- * init_sec_context.c: re-organize. leak less memory.
- * gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey):
- update prototypes add assert.h
- * gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD):
- add
- * verify_mic.c: re-organize and add 3DES code
- * wrap.c: re-organize and add 3DES code
- * unwrap.c: re-organize and add 3DES code
- * get_mic.c: re-organize and add 3DES code
- * encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data',
- let the caller do that. fix the callers.
- 2000-08-16 Assar Westerlund <assar@sics.se>
- * Makefile.am: bump version to 2:1:1
- 2000-07-29 Assar Westerlund <assar@sics.se>
- * decapsulate.c (gssapi_krb5_verify_header): sanity-check length
- 2000-07-25 Johan Danielsson <joda@pdc.kth.se>
- * Makefile.am: bump version to 2:0:1
- 2000-07-22 Assar Westerlund <assar@sics.se>
- * gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other
- details from rfc2744
- 2000-06-29 Assar Westerlund <assar@sics.se>
- * address_to_krb5addr.c (gss_address_to_krb5addr): actually use
- `int' instead of `sa_family_t' for the address family.
- 2000-06-21 Assar Westerlund <assar@sics.se>
- * add support for token delegation. From Daniel Kouril
- <kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>
- 2000-05-15 Assar Westerlund <assar@sics.se>
- * Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1
- 2000-04-12 Assar Westerlund <assar@sics.se>
- * release_oid_set.c (gss_release_oid_set): clear set for
- robustness. From GOMBAS Gabor <gombasg@inf.elte.hu>
- * release_name.c (gss_release_name): reset input_name for
- robustness. From GOMBAS Gabor <gombasg@inf.elte.hu>
- * release_buffer.c (gss_release_buffer): set value to NULL to be
- more robust. From GOMBAS Gabor <gombasg@inf.elte.hu>
- * add_oid_set_member.c (gss_add_oid_set_member): actually check if
- the oid is a member first. leave the oid_set unchanged if realloc
- fails.
- 2000-02-13 Assar Westerlund <assar@sics.se>
- * Makefile.am: set version to 1:0:1
- 2000-02-12 Assar Westerlund <assar@sics.se>
- * gssapi_locl.h: add flags for import/export
- * import_sec_context.c (import_sec_context: add flags for what
- fields are included. do not include the authenticator for now.
- * export_sec_context.c (export_sec_context: add flags for what
- fields are included. do not include the authenticator for now.
- * accept_sec_context.c (gss_accept_sec_context): set target in
- context_handle
- 2000-02-11 Assar Westerlund <assar@sics.se>
- * delete_sec_context.c (gss_delete_sec_context): set context to
- GSS_C_NO_CONTEXT
- * Makefile.am: add {export,import}_sec_context.c
- * export_sec_context.c: new file
- * import_sec_context.c: new file
- * accept_sec_context.c (gss_accept_sec_context): set trans flag
- 2000-02-07 Assar Westerlund <assar@sics.se>
- * Makefile.am: set version to 0:5:0
- 2000-01-26 Assar Westerlund <assar@sics.se>
- * delete_sec_context.c (gss_delete_sec_context): handle a NULL
- output_token
- * wrap.c: update to pseudo-standard APIs for md4,md5,sha. some
- changes to libdes calls to make them more portable.
- * verify_mic.c: update to pseudo-standard APIs for md4,md5,sha.
- some changes to libdes calls to make them more portable.
- * unwrap.c: update to pseudo-standard APIs for md4,md5,sha. some
- changes to libdes calls to make them more portable.
- * get_mic.c: update to pseudo-standard APIs for md4,md5,sha. some
- changes to libdes calls to make them more portable.
- * 8003.c: update to pseudo-standard APIs for md4,md5,sha.
- 2000-01-06 Assar Westerlund <assar@sics.se>
- * Makefile.am: set version to 0:4:0
- 1999-12-26 Assar Westerlund <assar@sics.se>
- * accept_sec_context.c (gss_accept_sec_context): always set
- `output_token'
- * init_sec_context.c (init_auth): always initialize `output_token'
- * delete_sec_context.c (gss_delete_sec_context): always set
- `output_token'
- 1999-12-06 Assar Westerlund <assar@sics.se>
- * Makefile.am: bump version to 0:3:0
- 1999-10-20 Assar Westerlund <assar@sics.se>
- * Makefile.am: set version to 0:2:0
- 1999-09-21 Assar Westerlund <assar@sics.se>
- * init_sec_context.c (gss_init_sec_context): initialize `ticket'
- * gssapi.h (gss_ctx_id_t_desc): add ticket in here. ick.
- * delete_sec_context.c (gss_delete_sec_context): free ticket
- * accept_sec_context.c (gss_accept_sec_context): stove away
- `krb5_ticket' in context so that ugly programs such as
- gss_nt_server can get at it. uck.
- 1999-09-20 Johan Danielsson <joda@pdc.kth.se>
- * accept_sec_context.c: set minor_status
- 1999-08-04 Assar Westerlund <assar@sics.se>
- * display_status.c (calling_error, routine_error): right shift the
- code to make it possible to index into the arrays
- 1999-07-28 Assar Westerlund <assar@sics.se>
- * gssapi.h (GSS_C_AF_INET6): add
- * import_name.c (import_hostbased_name): set minor_status
- 1999-07-26 Assar Westerlund <assar@sics.se>
- * Makefile.am: set version to 0:1:0
- Wed Apr 7 14:05:15 1999 Johan Danielsson <joda@hella.pdc.kth.se>
- * display_status.c: set minor_status
- * init_sec_context.c: set minor_status
- * lib/gssapi/init.c: remove donep (check gssapi_krb5_context
- directly)