1 Kerberos Version 5, Release 1.7.1
6 Unpacking the Source Distribution
7 ---------------------------------
9 The source distribution of Kerberos 5 comes in a gzipped tarfile,
10 krb5-1.7.1.tar.gz. Instructions on how to extract the entire
13 If you have the GNU tar program and gzip installed, you can simply do:
15 gtar zxpf krb5-1.7.1.tar.gz
17 If you don't have GNU tar, you will need to get the FSF gzip
18 distribution and use gzcat:
20 gzcat krb5-1.7.1.tar.gz | tar xpf -
22 Both of these methods will extract the sources into krb5-1.7.1/src and
23 the documentation into krb5-1.7.1/doc.
25 Building and Installing Kerberos 5
26 ----------------------------------
28 The first file you should look at is doc/install-guide.ps; it contains
29 the notes for building and installing Kerberos 5. The info file
30 krb5-install.info has the same information in info file format. You
31 can view this using the GNU emacs info-mode, or by using the
32 standalone info file viewer from the Free Software Foundation. This
33 is also available as an HTML file, install.html.
35 Other good files to look at are admin-guide.ps and user-guide.ps,
36 which contain the system administrator's guide, and the user's guide,
37 respectively. They are also available as info files
38 kerberos-admin.info and krb5-user.info, respectively. These files are
39 also available as HTML files.
41 If you are attempting to build under Windows, please see the
42 src/windows/README file.
47 Please report any problems/bugs/comments using the krb5-send-pr
48 program. The krb5-send-pr program will be installed in the sbin
49 directory once you have successfully compiled and installed Kerberos
50 V5 (or if you have installed one of our binary distributions).
52 If you are not able to use krb5-send-pr because you haven't been able
53 compile and install Kerberos V5 on any platform, you may send mail to
56 Keep in mind that unencrypted e-mail is not secure; if you need to
57 send sensitive information, such as reporting potential security
58 vulnerabilities, please PGP-encrypt it to our security contact
59 address: krbcore-security@mit.edu.
61 You may view bug reports by visiting
63 http://krbdev.mit.edu/rt/
65 and logging in as "guest" with password "guest".
70 The Data Encryption Standard (DES) is widely recognized as weak. The
71 krb5-1.7 release will contain measures to encourage sites to migrate
72 away from using single-DES cryptosystems. Among these is a
73 configuration variable that enables "weak" enctypes, but will default
74 to "false" in the future. Additional migration aids are planned for
77 Major changes in 1.7.1
78 ----------------------
80 This is primarily a bugfix release.
82 * Fix vulnerabilities: MITKRB5-SA-2009-003 [CVE-2009-3295],
83 MITKRB5-SA-2009-004 [CVE-2009-4212].
85 * Restore compatibility for talking to older kadminds and kadmin
86 clients for the "addprinc -randkey" operation.
88 * Fix some build problems and memory leaks.
90 Changes in 1.7.1 by ticket ID
91 -----------------------------
93 1233 need to disable /dev/random use for testing
94 5668 DAL changes break --with-kdc-kdb-update build
95 6428 KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
96 6505 fix t_prf test code properly
97 6506 Make results of krb5_db_def_fetch_mkey more predictable
98 6508 kadm5int_acl_parse_restrictions could ref uninitialized variable
99 6509 kadmind is parsing acls good deref NULL pointer on error
100 6511 krb5int_rd_chpw_rep could call krb5_free_error with random value
101 6512 krb5int_yarrow_final could deref NULL if out of memory
102 6514 minor memory leak in 'none' replay cache type
103 6515 reduce some mutex performance problems in profile library
104 6519 krb5_copy_error_message() calls krb5int_clear_error() incorrectly
105 6530 check for slogin failure in setup_root_shell
106 6532 (1.7.x) include win-mac.h in gssftp/ftp/cmds.c for HAVE_STDLIB_H
107 6533 krb5-1.7 cannot be compiled on Debian stable (5.0.2)
108 6534 getaddrinfo in src/util/support/fake-addrinfo.c causes leak
109 6536 C++ compatibility for Windows compilation
110 6540 memory leak in test code t_authdata
111 6541 Fix memory leak in k5_pac_verify_server_checksum
112 6542 Check for null characters in pkinit cert fields
113 6543 Reply message ordering bug in ftpd
114 6551 Memory leak in spnego accept_sec_context error path
115 6552 Document kinit -C and -E options
116 6553 use perror instead of error in kadm5 test suite
117 6556 Supply LDAP service principal aliases to non-referrals clients
118 6557 Supply canonical name if present in LDAP iteration
119 6558 Fix memory leak in gss_krb5int_copy_ccache
120 6559 Fix parsing of GSS exported names
121 6568 Fix addprinc -randkey when policy requires multiple character classes
122 6571 krb5 1.7 memory leak
123 6573 Fix preauth looping in krb5_get_init_creds
124 6579 quoting bug causes solaris pre-10 thread handling bugs
125 6584 crypto modularity work r22778 broke MD4-DES, MD5-DES cksums
126 6585 KDC MUST NOT accept ap-request armor in FAST TGS
127 6587 pkinit-obtained tickets can't make TGS requests
128 6588 Fix ivec chaining for DES iov encryption
129 6589 Fix AES IOV decryption of small messages
130 6594 gss_krb5_copy_ccache() doesn't work with spnego delegation
131 6608 MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals
132 6633 Use keyed checksum type for DES FAST
133 6635 Restore interoperability with 1.6 addprinc -randkey
134 6637 MITKRB5-SA-2009-004 [CVE-2009-4212] integer underflow in AES
140 The krb5-1.7 release contains a large number of changes, featuring
141 improvements in the following broad areas:
143 * Compatibility with Microsoft Windows
145 * Administrator experience
153 Compatibility with Microsoft Windows:
155 * Follow client principal referrals in the client library when
156 obtaining initial tickets.
158 * KDC can issue realm referrals for service principals based on domain
161 * Extensions supporting DCE RPC, including three-leg GSS context setup
162 and unencapsulated GSS tokens inside SPNEGO.
164 * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
165 similar to the equivalent SSPI functionality. This is needed to
166 support some instances of DCE RPC.
168 * NTLM recognition support in GSS-API, to facilitate dropping in an
169 NTLM implementation for improved compatibility with older releases
170 of Microsoft Windows.
172 * KDC support for principal aliases, if the back end supports them.
173 Currently, only the LDAP back end supports aliases.
175 * Support Microsoft set/change password (RFC 3244) protocol in
178 * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
179 allows a GSS application to request credential delegation only if
180 permitted by KDC policy.
182 Administrator experience:
184 * Install header files for the administration API, allowing
185 third-party software to manipulate the KDC database.
187 * Incremental propagation support for the KDC database.
189 * Master key rollover support, making it easier to change master key
190 passwords or encryption types.
192 * New libdefaults configuration variable "allow_weak_crypto". NOTE:
193 Currently defaults to "true", but may default to "false" in a future
194 release. Setting this variable to "false" will have the effect of
195 removing weak enctypes (currently defined to be all single-DES
196 enctypes) from permitted_enctypes, default_tkt_enctypes, and
197 default_tgs_enctypes.
201 * Provide enhanced GSS-API error message including supplementary
202 details about error conditions.
204 * In the replay cache, use a hash over the complete ciphertext to
205 avoid false-positive replay indications.
209 * Replace many uses of "unsafe" string functions. While most of these
210 instances were innocuous, they impeded efficient automatic and
211 manual static code analysis.
213 * Fix many instances of resource leaks and similar bugs identified by
214 static analysis tools.
216 * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
217 various vulnerabilities in SPNEGO and ASN.1 code.
221 * Remove support for version 4 of the Kerberos protocol (krb4).
223 * Encryption algorithm negotiation (RFC 4537), allowing clients and
224 application services to negotiate stronger encryption than their KDC
227 * Flexible Authentication Secure Tunneling (FAST), a preauthentiation
228 framework that can protect the AS exchange from dictionary attacks
229 on weak user passwords.
231 Known bugs by ticket ID
232 -----------------------
234 6481 kdb ldap integration removed rev/recurse kdb5_util dumps
235 6487 gss_unwrap_iov fails in stream mode
236 6505 fix t_prf test code properly
237 6506 Make results of krb5_db_def_fetch_mkey more predictable
238 6507 kdb5_util update_princ_encryption uses latest mkey instead of
244 194 a stash file is not a keytab
245 914 keytab add without randomizing key
246 1165 annoying error message from krb5_mk_priv()
247 1201 replay cache can produce false positive indications
248 1624 use more secure checksum types
249 2836 feature request: compile/link time warnings for deprecated functions
250 2939 unified CCAPI implementation
251 3496 krb524d should log success as well as failure
252 3497 problems with corrupt (truncated) ccaches
253 3499 race in replay cache file ownership
254 3737 plugins support requires a Windows equivalent to opendir and friends
255 3929 support lazy launching of ccapi server
256 3930 CCAPI server must be able to distinguish context handles from
257 other server instances
258 3931 CCAPI context and ccache change times must be stored by the client
259 3932 CCAPI should use a cc_handle not implemented as a pointer
260 3933 CCAPI client library reconnection support
261 3934 Implement CCAPI blocking calls
262 3935 CCAPI implement locking
263 3936 krb5_ccache functions should use the ccapi version 3 interface
264 4241 Command line --version option
266 5425 nonce needs to be random
267 5427 buffer overflow in krb5_kt_get_name
268 5428 MEMORY keytab leaks
269 5429 MEMORY keytab should use krb5_copy_keyblock
270 5430 MEMORY keytab's get_entry should set enctypes and kvnos
271 5431 krb5_kt_get_type should return const char *.
272 5432 krb5_kt_default_name should take an unsized length
273 5440 sendto_kdc() not signal safe, doesn't respond well to
274 staggered TCP responses.
275 5481 manual test of commit handler
276 5517 use IP(V6)_PKTINFO in KDC for UDP sockets
277 5545 uninitialized salt length when reading some keys
278 5560 threads on Solaris 10
279 5561 close-on-exec flags
280 5565 krb5kdc.M is confused about keytype
281 5567 don't check for readability resolving SRVTAB: keytab
282 5568 Move CCAPI sources to krb5 repository
283 5569 Fixed bugs introduced while moving to krb5 repository
284 5570 Only use __attribute__ on GNUC compilers
285 5574 Add advisory locking to CCAPI
286 5575 don't include time.h in CredentialsCache.h if it's not needed
287 5578 test commit handler
288 5580 provide asprintf functionality for internal use
289 5587 PRF for non-AES enctypes
290 5589 krb5 trunk no longer builds on Windows - vsnprintf
291 implementation required
292 5590 gss krb5 mech enhanced error messages
293 5593 kadmind crash on Debian AMD64
294 5594 Work on compiling CCAPI test suite on Windows
295 5595 Problems with kpasswd and an IPv6 enviroment
296 5596 patch for providing a way to set the ok-as-delegate flag
297 5598 ccs_pipe_t needs copy and release functions
298 5599 Added new autogenerated file to generate-files-mac target
299 5600 provide more useful error message when running kpropd on command line
300 5635 need more dylib_file specs for darwin
301 5641 kadm5_setkey_principal_3 fix
302 5642 Remove unused, unlocalizable error strings
304 5649 t_ser should no longer use kdb libraries
305 5654 remap mechanism-specific status codes in mechglue/spnego
306 5655 authorization-data plugin support in KDC
307 5657 (Mac-specific) PROG_LIBPATH build fix
308 5667 listprincs *z is broken
309 5670 Add documentation for CCAPI
310 5671 cleanup src/lib/gssapi/krb5/error_map.h on Windows
311 5672 no unistd.h on Windows
312 5699 test program build problem
313 5754 cci_array_move should work when the source and dest positions are equal
314 5760 stdint.h should only be accessed if HAVE_STDINT_H defined
315 5771 cc_ccache_set_principal always returns error 227
316 5776 profile library memory leaks introduced when malloc returns 0
317 5786 Update Release Documentation for KFW 3.2.2
318 5804 cc_initalize(ccapi_version_2) should return CC_BAD_API_VERSION
320 5805 Add documentation for error codes used for flow control.
321 5806 Removed NOP line of code from krb5_fcc_next_cred()
322 5807 can't store delegated krb5 creds when using spnego
323 5813 cc_ccache_store_credentials should return ccErrBadCredentialsVersion
324 5814 cci_array_move not returning correct new position
325 5815 ccs_lock_status_grant_lock granting wrong lock
326 5822 fixed mispelling in kadmin error message
327 5828 Include time.h for time()
328 5835 Kerberos with apple leopard
330 5864 improve debugging of ticket verification in ksu
331 5867 krb-priv sequence numbers don't match up in retransmitted requests
332 5872 Add ccs_pipe_compare
333 5884 Need CCAPI v2 support for Windows
334 5885 Remove AppleConnect workaround
335 5894 krb5int_arcfour_string_to_key does not support utf-8 strings
336 5899 Compiling krb5-1.6.3 on FreeBSD 7.0-RELEASE
337 5900 ccs_ccache_reset should check all arguments for NULL
338 5901 CCAPI v2 support crash when client or server strings are NULL
339 5902 cci_cred_union_compare_to_credentials_union doesn't work for v5 creds
340 5903 Fix pointer cast in cc_seq_fetch_NCs_end
341 5904 cc_set_principal should return error on bad cred version
342 5905 cc_remove_cred should only remove one cred
343 5906 Fixed error code remapping
344 5907 Removed tests for check_cc_context_get_version
345 5908 Remove C warnings from CCAPI tests
346 5909 Add CCAPI v2 tests
347 5911 removed unused header file inclusion CoreFoundation.h
348 5912 Invalid assignment while trying to set input to NULL
349 5915 cc_ccache_iterator_release, cc_credentials_iterator_release
351 5920 CCacheServer should track client iterators
352 5923 Protect CFBundle calls with mutexes
353 5925 Windows socket(...) returns SOCKET, not file handle
354 5926 Added prototype to test function to remove warning.
355 5943 db creation creates a kadmin/hostname princ but doesn't fix case
356 5947 krb5_walk_realm_tree broken substring logic
357 5948 error in filebase+suffix list generation in plugin code
358 5949 Don't leak memory when multiple arguments are NULL
359 5954 ksu fails without domain_realm mapping for local host
360 5960 Move KIM implementation to the krb5 repository
361 5962 unchecked calls to k5_mutex_lock() interact poorly with finalizers
362 5963 Profile library should not call rw_access earlier than needed
363 5964 Re: Fwd: [modauthkerb] [SOLVED] 'Request is a replay' + Basic auth
364 5966 signed vs unsigned char * warnings in kdb_xdr.c
365 5967 No prototype when building kdb5_util without krb4 support
366 5969 Add header for kill() in USE_PASSWORD_SERVER case
367 5982 cci_credentials_iterator_release using wrong message ID
368 5989 Add new launchd flags to CCacheServer plist file
369 5990 kadm5_setkey_principal_3 not copying key_data_ver and key_data_kvno
370 5993 Masterkey Keytab Stash
371 5999 fix ktutil listing with timestamp
372 6000 misc uninitialized-storage accesses
373 6001 Big endian stash file support
374 6002 krb5_rc_io_creat should use mkstemp
375 6005 krb5_get_error_message returns const char *
376 6009 kdc does not compile with glibc 2.8
377 6010 krb5int_gic_opte_copy should copy elements individually
378 6011 Add EnableTransactions launchd option to CCacheServer
379 6012 Add EnableTransactions launchd option to KerberosAgent
380 6013 Stop building Kerberos.app as part of KfM.
381 6015 gss_export_lucid_sec_context support for SPNEGO
382 6016 SPNEGO workaround for SAMBA mech OID quirks
383 6017 KDC virtual address support
384 6019 Add signal to force KDC to check for changed interfaces
385 6024 Don't use "ccache" in error string printed to user
386 6025 Add macro so we don't print deprecated warnings while building KfM
387 6026 CCacheServer crashes iterating over creds which have been destroyed
388 6029 kadmind leaks error strings on failures
389 6031 krb needs better realm lookup logic
390 6032 test commit handler change
391 6044 Add Apple Inc. to copyright lists.
392 6052 Return extended krb5 error strings
394 6066 turn off thread-support debugging code
395 6070 update DES code copyright notices
396 6074 Use a valid UTF8 password for randkey password
397 6075 Open log file for appending only, not also reading
398 6076 Don't build PKINIT ASN.1 support code if not building PKINIT plugin
399 6077 krb5_fcc_resolve file locking error on malloc failuer
400 6080 mac port of kim should not depend on kipc
401 6081 Conditionalize building of CCAPI ccache type on USE_CCAPI
402 6083 profile write code should only quote empty strings
403 6087 Notify clients on ccache deletion
404 6088 Add support to send CFNotifications on ccache and cache
406 6090 k5_mutex_destroy calls pthread_mutex_destroy with mutex locked
407 6091 lean client changes
408 6093 KIM should not provide keytab functions when building lite framework
409 6094 CCAPI is leaking mach ports
410 6101 compile-time flag to disable iprop
411 6103 fix resource leak in USE_PASSWORD_SERVER code
412 6108 A client can fail to get initial creds if it changes the
413 password while doing so.
414 6111 CCAPI should only use one pthread key
415 6120 increase rpc timeout
416 6121 dead code in lib/rpc/clnt_udp.c
417 6131 Removed argument from kipc_client_lookup_server
418 6133 don't do C99-style mixing declarations with code
419 6138 Switch KfM back to error tables
420 6140 CCAPI should use common ipc and stream code
421 6142 KerberosAgent dialogs jump around the screen
422 6143 KerberosAgent: Enter Identity text field shouldn't be clear
424 6144 KerberosAgent: ignore user interaction while busy
425 6145 KerberosAgent attach associated dialogs to Select Identity dialog
426 6146 Client name passed by KIM is incorrect
427 6147 KerberosAgent Use Defaults button doesn't work
428 6151 Don't touch keychain if home directory access is disabled
429 6153 Add KLL error table
430 6154 Hinge building KLL shim off KIM_TO_KLL_SHIM, not LEAN_CLIENT
431 6155 KLLastChangedTime should return current time, not 0
432 6156 KLL shim layer does not correctly handle options
433 6157 KIM should remember options and identity if prefs indicate
434 6158 KerberosAgent should handle multiple clients simultaneously
435 6159 KerberosAgent should handle zoom button better
436 6160 KLL should use __attribute ((deprecated))
437 6162 kim_options_copy should allow in_options to be KIM_OPTIONS_DEFAULT
438 6163 Crash in kim_credential_create_from_keytab
439 6164 KL APIs which take a NULL principal return klParameterErr
440 6165 kim_options_create sometimes returns KIM_OPTIONS_DEFAULT
441 6166 preferences should handle KIM_OPTIONS_DEFAULT
442 6168 prefs should not create empty dictionary for KIM_OPTIONS_DEFAULT
443 6169 Missing keys in KerberosAgent Info.plist
444 6170 change password should always reprompt on error
445 6171 allow kim ui plugins to have any name
446 6172 kim_ui_plugin_fini sends pointer to context instead of context.
447 6175 always zero out authentication strings
449 6179 kim_os_string_create_localized leaks CFStringRef
450 6181 Free error message returned by krb5_get_error_message
451 6182 kim test suite reports error messages incorrectly
452 6183 KerberosAgent enter identity dialog should use default
453 6184 handle stash file names with missing keytab type spec and colon in path
454 6185 Merge KerberosIPC into k5_mig support
455 6186 Move GUI/CLI detection from KerberosIPC into KIM
456 6187 use KIM_BUILTIN_UI instead of LEAN_CLIENT for builtin UI
457 6189 remove unused variable in kim_ui_cli_ask_change_password
458 6190 Use a context to store error table info
459 6192 Treat unreadable terminal as user cancelled so regression tests work
460 6193 Remap some of the more confusing krb5 errors
461 6194 Double free and leak in kim_os_library_get_application_path
462 6195 Added back KLL test programs
463 6197 KLCreatePrincipalFromTriplet should work with empty instance
464 6198 KerberosAgent continues to ignore mouse events after error
465 6199 don't include "WRFILE:" in call to mktemp
466 6201 small leak in KDC authdata plugins
467 6202 kadmind leaks extended error strings
468 6203 DELEG_POLICY_FLAG for GSS
469 6210 pa_sam leaks parts of krb5_sam_challenge
470 6211 pam_sam leaking outer krb5_data created by encode_krb5_sam_response
471 6214 krb5_change_set_password not freeing chpw_rep contents
472 6216 Free data in tests so leaks checking is easier
473 6217 kim_preferences should free old identity before overwriting
474 6218 kim_ccache_iterator_next leaks principal
475 6219 kim_os_library_get_caller_name leaks file path
476 6220 kim_identity_change_password_with_credential leaks krb5_creds
477 6221 KerberosAgent should clear generic auth prompt
478 6222 KerberosAgent enter dialog should add entered identities to favorites
479 6224 KerberosAgent 'no selection' placeholder in ticket options
480 6225 Remove ipc message sent on cc_context_release
481 6226 KIM should only display error dialogs if it has displayed UI already
482 6227 Apple LW_net_trans.patch make KDC rescan network after 30 seconds
483 6231 Apple split build support
484 6247 Apple patch: null out pointer in string_to_key after free
485 6248 Apple patch: destroy Mach ports on unload
486 6250 Use CFStringGetCStringPtr when possible
487 6251 Add test for kim_identity_create_from_components
488 6252 krb5_build_principal_va does not allocate krb5_principal
489 6254 krb5_build_principal_ext walks off beginning of array
490 6255 partial rewrite of the ASN.1 encoders
491 6256 localize format strings, not final error string
492 6260 KerberosAgent hangs changing pw for passwordless identities
493 6261 Remove saved password if it fails to get tickets
494 6262 Only prompt automatically from GUI apps
495 6264 Avoid duplicate identical dialogs in KIM
496 6265 KerberosAgent bindings causing crashes
497 6266 BIND_8_COMPAT no longer needed in Leopard
498 6267 Add _with_password credential acquisition functions to KIM API
499 6274 Crypto IOV API per Projects/AEAD encryption API
500 6282 krb5kdc deref uninit memory on the stack on unknown principal (pk-init)
501 6285 Provide SPI to switch the mach port lookup for kipc
502 6286 Allow kerberos configuration files fail with EPERM
503 6289 replay cache is insecurely handled
504 6290 KIM: Pushing authentication login window do application
505 6291 Using referrals fills the the credentials cache more entries
507 6294 lib/gssapi/krb5/init_sec_context.c: don't leak on mutex_lock failure
508 6295 Memory leak in KIM identity object
509 6297 "make check" fails due to krb5_cc_new_unique() on 64-bit
510 Solaris SPARC under Sun Studio
511 6302 kadmind mem leaks [rdar 6358917]
512 6303 Remove krb4 support
513 6308 Alignment problem in resolver test
514 6309 update ldap plugin Makefile for krb4 removal
515 6315 move generated dependencies out of Makefile.in
516 6316 KIM GC problem on 64-bit
517 6335 test failures in password changing
518 6336 enctype negotiation - etype list
519 6337 kadmin should force non-forwardable tickets
520 6339 Fwd: krb5_sendauth vs NAGLE vs DelayedAck
521 6342 hash db2 code breaks if st_blksize > 64k
522 6348 kadmin and ktutil installed in sbin, should be bin
523 6349 lib/rpc tests should not fail if portmap/rpcbind not running
524 6351 gss_header|trailerlen should be unsigned int
525 6352 return correct kvno in TGS case
526 6354 Master Key Migration Project
527 6355 use t_inetd with a ready message and avoid waiting a lot in
529 6356 small storage leak in KDC startup
530 6357 address lib/kadm5 test suite slowness
531 6358 speed up kpasswd tests
532 6360 utf8_conv.c: wrong level of indirection in free()
533 6361 new multi-masterkey support doesn't work well when system
535 6362 don't do arithmetic on void pointers
536 6363 int/ptr bug in gssapi code
537 6364 declare replacement [v]asprintf functions
538 6365 include omitted system header string.h
539 6367 Fix a memory leak in krb5_kt_resolve
540 6368 chpw.c: missing break in switch statement
541 6370 Fix assertion in gc_frm_kdc.c
542 6371 deal with memleaks in migrate mkey project
543 6372 Fix memory handling bug in mk_req_ext
544 6373 remove some redundant or useless qualifiers
545 6374 Do not assume sizeof(bool_t) == sizeof(krb5_boolean)
546 6375 Fix error handling in krb5_walk_realm_tree
547 6376 Memory handling fixes in walk_rtree
548 6377 make krb5_free_* functions ignore NULL
549 6378 Change contract of krb5int_utf8_normalize and fix memory leaks
550 6379 Fix possible free of uninitialized value in walk_rtree
551 6390 --disable-rpath is not working
552 6392 Fix allocation failure check in walk_rtree
553 6393 Implement TGS authenticator subkey support
554 6397 use macros for config parameter strings
555 6398 remove obsolete GNU.ORG realm info
556 6400 GSSAPI authdata extraction should merge ticket and
557 authenticator authdata
558 6401 send_as_req re-encodes the request
559 6402 CVE-2009-0845 SPNEGO can dereference a null pointer
560 6403 kdb5_ldap_util create segfaults when
561 krb5_dbekd_encrypt_key_data() called
562 6405 fixing several bugs relating to the migrate mkey project using
564 6407 Make a working krb5_copy_error_message
565 6408 Report verbose error messages from KDC
566 6412 crash using library-allocated storage for header in wrap_iov
567 6415 Use correct salt for canonicalized principals
568 6418 Improve LDAP admin documentation
569 6419 Document alias support in LDAP back end
570 6420 Add LDAP back end support for canonical name attribute
571 6421 Implement KRB-FX_CF2
572 6422 Implement krb5int_find_authdata
573 6423 krb5_auth_con_free should support freeing a null auth_context
575 6424 Call kdb_set_mkey_list from the KDC
576 6425 Memory leak cleanup in ASN.1
577 6427 Fix error handling issue in ASN.1 decoder
578 6431 Install kadmin and kdb headers
579 6432 Update kdb5_util man page for mkey migration project
580 6435 Add PAC and principal parsing test cases
581 6436 Implement FAST from draft-ietf-krb-wg-preauth-framework
582 6437 mark export grade RC4 as weak
583 6438 Handle authdata encrypted in subkey
584 6439 Implement KDC side of TGS FAST
585 6442 Null pointer defref in adding info
586 6443 CVE-2009-0844 SPNEGO can read beyond buffer end
587 6444 CVE-2009-0847 asn1buf_imbed incorrect length validation
588 6445 CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer
589 6449 Fall through on error return
590 6450 kdc: handle_referral_params does not return ENOMEM errors
591 6451 Update defaults in documentation
592 6452 Document allow_weak_crypto
593 6456 fix memory management in handle_referral_params
594 6457 KDC realm referral test
595 6458 use isflagset correctly in TGS referrals
596 6459 Update kdb5_util man page with missing purge_mkeys command
597 6460 Implement kinit option for FAST armor ccache
598 6461 Require fast_req checksum to be keyed
599 6462 clean up KDC realm referrals error handling
600 6463 realm referral test cases forcing KRB5_NT_UNKNOWN
601 6464 verify return code from krb5_db_set_mkey_list
602 6465 send_tgs.c static analyzer friendliness
603 6466 check encode_krb5_ap_req return in send_tgs.c
604 6467 new copy_data_contents variant that null-terminates
605 6468 k5_utf8s_to_ucs2s could deref NULL pointer...
606 6469 fcc_generate_new destroys locked mutex on error
607 6470 Send explicit salt for SALTTYPE_NORMAL keys
608 6472 typo in ksu error message
609 6473 strip ok-as-delegate if not in cross-realm TGT chain
610 6474 move kadmin, ktutil, k5srvutil man pages to man1
611 6475 Adding keys to malformed keytabs can infinitely extend the file
612 6477 make installed headers C++-safe
613 6478 Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred
614 6479 Add DEBUG_ERROR_LOCATIONS support
615 6480 Do not return PREAUTH_FAILED on unknown preauth
616 6482 Allow more than 10 past keys to be stored by a policy
617 6483 man1 in title header for man1 manpages
618 6484 work around Heimdal not using subkey in TGS-REP
619 6485 document ok_as_delegate in admin.texinfo
620 6486 t_pac fails on SPARC Solaris
621 6488 NFS fails to work with KRB5 1.7
622 6489 UCS2 support doesn't handle upper half of BMP
623 6490 Windows interop with RC4 TGS-REQ subkeys
624 6492 Remove spurious assertion in handle_authdata
625 6493 some fixes for 1.7
626 6495 Fix test rules for non-gmake make versions
627 6496 Fix vector initialization error in KDC preauth code
628 6497 kinit/fast usage message
629 6498 spnego_mech.c syntax error under _GSS_STATIC_LINK
630 6499 use printf format attribute only with gcc
631 6500 use correct type for krb5_c_prf_length length arg
632 6501 Temporarily disable FAST PKINIT for 1.7 release
633 6502 typo in doc/api/krb5.tex
634 6503 typo in admin.texinfo
636 Copyright and Other Legal Notices
637 ---------------------------------
639 Copyright (C) 1985-2009 by the Massachusetts Institute of Technology.
643 Export of this software from the United States of America may require
644 a specific license from the United States Government. It is the
645 responsibility of any person or organization contemplating export to
646 obtain such a license before exporting.
648 WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
649 distribute this software and its documentation for any purpose and
650 without fee is hereby granted, provided that the above copyright
651 notice appear in all copies and that both that copyright notice and
652 this permission notice appear in supporting documentation, and that
653 the name of M.I.T. not be used in advertising or publicity pertaining
654 to distribution of the software without specific, written prior
655 permission. Furthermore if you modify this software you must label
656 your software as modified software and not distribute it in such a
657 fashion that it might be confused with the original MIT software.
658 M.I.T. makes no representations about the suitability of this software
659 for any purpose. It is provided "as is" without express or implied
662 THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
663 IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
664 WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
666 Individual source code files are copyright MIT, Cygnus Support,
667 Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
668 FundsXpress, and others.
670 Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
671 and Zephyr are trademarks of the Massachusetts Institute of Technology
672 (MIT). No commercial use of these trademarks may be made without
673 prior written permission of MIT.
675 "Commercial use" means use of a name in a product or other for-profit
676 manner. It does NOT prevent a commercial firm from referring to the
677 MIT trademarks in order to convey information (although in doing so,
678 recognition of their trademark status should be given).
682 Portions of src/lib/crypto have the following copyright:
684 Copyright (C) 1998 by the FundsXpress, INC.
688 Export of this software from the United States of America may require
689 a specific license from the United States Government. It is the
690 responsibility of any person or organization contemplating export to
691 obtain such a license before exporting.
693 WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
694 distribute this software and its documentation for any purpose and
695 without fee is hereby granted, provided that the above copyright
696 notice appear in all copies and that both that copyright notice and
697 this permission notice appear in supporting documentation, and that
698 the name of FundsXpress. not be used in advertising or publicity pertaining
699 to distribution of the software without specific, written prior
700 permission. FundsXpress makes no representations about the suitability of
701 this software for any purpose. It is provided "as is" without express
704 THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
705 IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
706 WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
711 The following copyright and permission notice applies to the
712 OpenVision Kerberos Administration system located in kadmin/create,
713 kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
716 Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
718 WARNING: Retrieving the OpenVision Kerberos Administration system
719 source code, as described below, indicates your acceptance of the
720 following terms. If you do not agree to the following terms, do not
721 retrieve the OpenVision Kerberos administration system.
723 You may freely use and distribute the Source Code and Object Code
724 compiled from it, with or without modification, but this Source
725 Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
726 INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
727 FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
728 EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
729 FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
730 SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
731 CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
732 WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
733 CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
736 OpenVision retains all copyrights in the donated Source Code. OpenVision
737 also retains copyright to derivative works of the Source Code, whether
738 created by OpenVision or by a third party. The OpenVision copyright
739 notice must be preserved if derivative works are made based on the
742 OpenVision Technologies, Inc. has donated this Kerberos
743 Administration system to MIT for inclusion in the standard
744 Kerberos 5 distribution. This donation underscores our
745 commitment to continuing Kerberos technology development
746 and our gratitude for the valuable work which has been
747 performed by MIT and the Kerberos community.
751 Portions contributed by Matt Crawford <crawdad@fnal.gov> were
752 work performed at Fermi National Accelerator Laboratory, which is
753 operated by Universities Research Association, Inc., under
754 contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
758 The implementation of the Yarrow pseudo-random number generator in
759 src/lib/crypto/yarrow has the following copyright:
761 Copyright 2000 by Zero-Knowledge Systems, Inc.
763 Permission to use, copy, modify, distribute, and sell this software
764 and its documentation for any purpose is hereby granted without fee,
765 provided that the above copyright notice appear in all copies and that
766 both that copyright notice and this permission notice appear in
767 supporting documentation, and that the name of Zero-Knowledge Systems,
768 Inc. not be used in advertising or publicity pertaining to
769 distribution of the software without specific, written prior
770 permission. Zero-Knowledge Systems, Inc. makes no representations
771 about the suitability of this software for any purpose. It is
772 provided "as is" without express or implied warranty.
774 ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
775 THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
776 FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
777 ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
778 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
779 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
780 OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
784 The implementation of the AES encryption algorithm in
785 src/lib/crypto/aes has the following copyright:
787 Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
792 The free distribution and use of this software in both source and binary
793 form is allowed (with or without changes) provided that:
795 1. distributions of this source code include the above copyright
796 notice, this list of conditions and the following disclaimer;
798 2. distributions in binary form include the above copyright
799 notice, this list of conditions and the following disclaimer
800 in the documentation and/or other associated materials;
802 3. the copyright holder's name is not used to endorse products
803 built using this software without specific written permission.
807 This software is provided 'as is' with no explcit or implied warranties
808 in respect of any properties, including, but not limited to, correctness
809 and fitness for purpose.
813 Portions contributed by Red Hat, including the pre-authentication
814 plug-ins framework, contain the following copyright:
816 Copyright (c) 2006 Red Hat, Inc.
817 Portions copyright (c) 2006 Massachusetts Institute of Technology
820 Redistribution and use in source and binary forms, with or without
821 modification, are permitted provided that the following conditions
824 * Redistributions of source code must retain the above copyright
825 notice, this list of conditions and the following disclaimer.
827 * Redistributions in binary form must reproduce the above
828 copyright notice, this list of conditions and the following
829 disclaimer in the documentation and/or other materials provided
830 with the distribution.
832 * Neither the name of Red Hat, Inc., nor the names of its
833 contributors may be used to endorse or promote products derived
834 from this software without specific prior written permission.
836 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
837 IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
838 TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
839 PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
840 OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
841 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
842 PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
843 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
844 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
845 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
846 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
850 The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
851 src/lib/gssapi, including the following files:
853 lib/gssapi/generic/gssapi_err_generic.et
854 lib/gssapi/mechglue/g_accept_sec_context.c
855 lib/gssapi/mechglue/g_acquire_cred.c
856 lib/gssapi/mechglue/g_canon_name.c
857 lib/gssapi/mechglue/g_compare_name.c
858 lib/gssapi/mechglue/g_context_time.c
859 lib/gssapi/mechglue/g_delete_sec_context.c
860 lib/gssapi/mechglue/g_dsp_name.c
861 lib/gssapi/mechglue/g_dsp_status.c
862 lib/gssapi/mechglue/g_dup_name.c
863 lib/gssapi/mechglue/g_exp_sec_context.c
864 lib/gssapi/mechglue/g_export_name.c
865 lib/gssapi/mechglue/g_glue.c
866 lib/gssapi/mechglue/g_imp_name.c
867 lib/gssapi/mechglue/g_imp_sec_context.c
868 lib/gssapi/mechglue/g_init_sec_context.c
869 lib/gssapi/mechglue/g_initialize.c
870 lib/gssapi/mechglue/g_inquire_context.c
871 lib/gssapi/mechglue/g_inquire_cred.c
872 lib/gssapi/mechglue/g_inquire_names.c
873 lib/gssapi/mechglue/g_process_context.c
874 lib/gssapi/mechglue/g_rel_buffer.c
875 lib/gssapi/mechglue/g_rel_cred.c
876 lib/gssapi/mechglue/g_rel_name.c
877 lib/gssapi/mechglue/g_rel_oid_set.c
878 lib/gssapi/mechglue/g_seal.c
879 lib/gssapi/mechglue/g_sign.c
880 lib/gssapi/mechglue/g_store_cred.c
881 lib/gssapi/mechglue/g_unseal.c
882 lib/gssapi/mechglue/g_userok.c
883 lib/gssapi/mechglue/g_utils.c
884 lib/gssapi/mechglue/g_verify.c
885 lib/gssapi/mechglue/gssd_pname_to_uid.c
886 lib/gssapi/mechglue/mglueP.h
887 lib/gssapi/mechglue/oid_ops.c
888 lib/gssapi/spnego/gssapiP_spnego.h
889 lib/gssapi/spnego/spnego_mech.c
891 and the initial implementation of incremental propagation, including
892 the following new or changed files:
895 kadmin/server/ipropd_svc.c
897 lib/kdb/kdb_convert.c
900 lib/krb5/error_tables/kdb5_err.et
904 and marked portions of the following files:
906 lib/krb5/os/hst_realm.c
908 are subject to the following license:
910 Copyright (c) 2004 Sun Microsystems, Inc.
912 Permission is hereby granted, free of charge, to any person obtaining a
913 copy of this software and associated documentation files (the
914 "Software"), to deal in the Software without restriction, including
915 without limitation the rights to use, copy, modify, merge, publish,
916 distribute, sublicense, and/or sell copies of the Software, and to
917 permit persons to whom the Software is furnished to do so, subject to
918 the following conditions:
920 The above copyright notice and this permission notice shall be included
921 in all copies or substantial portions of the Software.
923 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
924 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
925 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
926 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
927 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
928 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
929 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
933 MIT Kerberos includes documentation and software developed at the
934 University of California at Berkeley, which includes this copyright
937 Copyright (C) 1983 Regents of the University of California.
940 Redistribution and use in source and binary forms, with or without
941 modification, are permitted provided that the following conditions
944 1. Redistributions of source code must retain the above copyright
945 notice, this list of conditions and the following disclaimer.
947 2. Redistributions in binary form must reproduce the above
948 copyright notice, this list of conditions and the following
949 disclaimer in the documentation and/or other materials provided
950 with the distribution.
952 3. Neither the name of the University nor the names of its
953 contributors may be used to endorse or promote products derived
954 from this software without specific prior written permission.
956 THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND
957 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
958 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
959 ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
960 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
961 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
962 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
963 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
964 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
965 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
970 Portions contributed by Novell, Inc., including the LDAP database
971 backend, are subject to the following license:
973 Copyright (c) 2004-2005, Novell, Inc.
976 Redistribution and use in source and binary forms, with or without
977 modification, are permitted provided that the following conditions are met:
979 * Redistributions of source code must retain the above copyright notice,
980 this list of conditions and the following disclaimer.
981 * Redistributions in binary form must reproduce the above copyright
982 notice, this list of conditions and the following disclaimer in the
983 documentation and/or other materials provided with the distribution.
984 * The copyright holder's name is not used to endorse or promote products
985 derived from this software without specific prior written permission.
987 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
988 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
989 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
990 ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
991 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
992 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
993 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
994 INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
995 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
996 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
997 POSSIBILITY OF SUCH DAMAGE.
1001 Portions funded by Sandia National Laboratory and developed by the
1002 University of Michigan's Center for Information Technology
1003 Integration, including the PKINIT implementation, are subject to the
1006 COPYRIGHT (C) 2006-2007
1007 THE REGENTS OF THE UNIVERSITY OF MICHIGAN
1010 Permission is granted to use, copy, create derivative works
1011 and redistribute this software and such derivative works
1012 for any purpose, so long as the name of The University of
1013 Michigan is not used in any advertising or publicity
1014 pertaining to the use of distribution of this software
1015 without specific, written prior authorization. If the
1016 above copyright notice or any other identification of the
1017 University of Michigan is included in any copy of any
1018 portion of this software, then the disclaimer below must
1021 THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
1022 FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
1023 PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
1024 MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
1025 WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
1026 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
1027 REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
1028 FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
1029 CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
1030 OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
1031 IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
1034 --------------------
1036 The pkcs11.h file included in the PKINIT code has the following
1039 Copyright 2006 g10 Code GmbH
1040 Copyright 2006 Andreas Jellinghaus
1042 This file is free software; as a special exception the author gives
1043 unlimited permission to copy and/or distribute it, with or without
1044 modifications, as long as this notice is preserved.
1046 This file is distributed in the hope that it will be useful, but
1047 WITHOUT ANY WARRANTY, to the extent permitted by law; without even
1048 the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
1051 --------------------
1053 Portions contributed by Apple Inc. are subject to the following license:
1055 Copyright 2004-2008 Apple Inc. All Rights Reserved.
1057 Export of this software from the United States of America may require
1058 a specific license from the United States Government. It is the
1059 responsibility of any person or organization contemplating export to
1060 obtain such a license before exporting.
1062 WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
1063 distribute this software and its documentation for any purpose and
1064 without fee is hereby granted, provided that the above copyright
1065 notice appear in all copies and that both that copyright notice and
1066 this permission notice appear in supporting documentation, and that
1067 the name of Apple Inc. not be used in advertising or publicity pertaining
1068 to distribution of the software without specific, written prior
1069 permission. Apple Inc. makes no representations about the suitability of
1070 this software for any purpose. It is provided "as is" without express
1071 or implied warranty.
1073 THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
1074 IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
1075 WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
1077 --------------------
1079 The implementations of strlcpy and strlcat in
1080 src/util/support/strlcat.c have the following copyright and permission
1083 Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
1085 Permission to use, copy, modify, and distribute this software for any
1086 purpose with or without fee is hereby granted, provided that the above
1087 copyright notice and this permission notice appear in all copies.
1089 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
1090 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
1091 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
1092 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
1093 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
1094 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1095 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1097 --------------------
1099 The implementations of UTF-8 string handling in src/util/support and
1100 src/lib/krb5/unicode are subject to the following copyright and
1103 The OpenLDAP Public License
1104 Version 2.8, 17 August 2003
1106 Redistribution and use of this software and associated documentation
1107 ("Software"), with or without modification, are permitted provided
1108 that the following conditions are met:
1110 1. Redistributions in source form must retain copyright statements
1113 2. Redistributions in binary form must reproduce applicable copyright
1114 statements and notices, this list of conditions, and the following
1115 disclaimer in the documentation and/or other materials provided
1116 with the distribution, and
1118 3. Redistributions must contain a verbatim copy of this document.
1120 The OpenLDAP Foundation may revise this license from time to time.
1121 Each revision is distinguished by a version number. You may use
1122 this Software under terms of this license revision or under the
1123 terms of any subsequent revision of the license.
1125 THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
1126 CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
1127 INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
1128 AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
1129 SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
1130 OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
1131 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
1132 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1133 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
1134 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1135 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
1136 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
1137 POSSIBILITY OF SUCH DAMAGE.
1139 The names of the authors and copyright holders must not be used in
1140 advertising or otherwise to promote the sale, use or other dealing
1141 in this Software without specific, written prior permission. Title
1142 to copyright in this Software shall at all times remain with copyright
1145 OpenLDAP is a registered trademark of the OpenLDAP Foundation.
1147 Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
1148 California, USA. All Rights Reserved. Permission to copy and
1149 distribute verbatim copies of this document is granted.
1151 --------------------
1153 Marked test programs in src/lib/krb5/krb have the following copyright:
1155 Copyright (c) 2006 Kungliga Tekniska Högskolan
1156 (Royal Institute of Technology, Stockholm, Sweden).
1157 All rights reserved.
1159 Redistribution and use in source and binary forms, with or without
1160 modification, are permitted provided that the following conditions
1163 1. Redistributions of source code must retain the above copyright
1164 notice, this list of conditions and the following disclaimer.
1166 2. Redistributions in binary form must reproduce the above copyright
1167 notice, this list of conditions and the following disclaimer in the
1168 documentation and/or other materials provided with the distribution.
1170 3. Neither the name of KTH nor the names of its contributors may be
1171 used to endorse or promote products derived from this software without
1172 specific prior written permission.
1174 THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
1175 EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1176 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1177 PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
1178 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
1179 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
1180 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
1181 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
1182 WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
1183 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
1184 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1189 Thanks to Red Hat for donating the pre-authentication plug-in
1192 Thanks to Novell for donating the KDB abstraction layer and the LDAP
1193 database plug-in, and also code implementing the Microsoft protocol
1196 Thanks to Sun Microsystems for donating their implementations of
1197 mechglue, SPNEGO, master key rollover, and incremental propagation.
1199 Thanks to Dennis Ferguson for donating the DES implementation.
1201 Thanks to the members of the Kerberos V5 development team at MIT, both
1202 past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson,
1203 Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe
1204 Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman,
1205 Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus,
1206 Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl,
1207 Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
1208 Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
1209 Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna
1210 Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu.