pull up r23679 from trunk

[krb5.git] / README

                  Kerberos Version 5, Release 1.7.1

                            Release Notes
                        The MIT Kerberos Team

Unpacking the Source Distribution
---------------------------------

The source distribution of Kerberos 5 comes in a gzipped tarfile,
krb5-1.7.1.tar.gz.  Instructions on how to extract the entire
distribution follow.

If you have the GNU tar program and gzip installed, you can simply do:

        gtar zxpf krb5-1.7.1.tar.gz

If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:

        gzcat krb5-1.7.1.tar.gz | tar xpf -

Both of these methods will extract the sources into krb5-1.7.1/src and
the documentation into krb5-1.7.1/doc.

Building and Installing Kerberos 5
----------------------------------

The first file you should look at is doc/install-guide.ps; it contains
the notes for building and installing Kerberos 5.  The info file
krb5-install.info has the same information in info file format.  You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation.  This
is also available as an HTML file, install.html.

Other good files to look at are admin-guide.ps and user-guide.ps,
which contain the system administrator's guide, and the user's guide,
respectively.  They are also available as info files
kerberos-admin.info and krb5-user.info, respectively.  These files are
also available as HTML files.

If you are attempting to build under Windows, please see the
src/windows/README file.

Reporting Bugs
--------------

Please report any problems/bugs/comments using the krb5-send-pr
program.  The krb5-send-pr program will be installed in the sbin
directory once you have successfully compiled and installed Kerberos
V5 (or if you have installed one of our binary distributions).

If you are not able to use krb5-send-pr because you haven't been able
compile and install Kerberos V5 on any platform, you may send mail to
krb5-bugs@mit.edu.

Keep in mind that unencrypted e-mail is not secure; if you need to
send sensitive information, such as reporting potential security
vulnerabilities, please PGP-encrypt it to our security contact
address: krbcore-security@mit.edu.

You may view bug reports by visiting

http://krbdev.mit.edu/rt/

and logging in as "guest" with password "guest".

DES transition
--------------

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release will contain measures to encourage sites to migrate
away from using single-DES cryptosystems.  Among these is a
configuration variable that enables "weak" enctypes, but will default
to "false" in the future.  Additional migration aids are planned for
future releases.

Major changes in 1.7.1
----------------------

This is primarily a bugfix release.

* Fix vulnerabilities: MITKRB5-SA-2009-003 [CVE-2009-3295],
  MITKRB5-SA-2009-004 [CVE-2009-4212].

* Restore compatibility for talking to older kadminds and kadmin
  clients for the "addprinc -randkey" operation.

* Fix some build problems and memory leaks.

Changes in 1.7.1 by ticket ID
-----------------------------

1233    need to disable /dev/random use for testing
5668    DAL changes break --with-kdc-kdb-update build
6428    KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
6505    fix t_prf test code properly
6506    Make results of krb5_db_def_fetch_mkey more predictable
6508    kadm5int_acl_parse_restrictions could ref uninitialized variable
6509    kadmind is parsing acls good deref NULL pointer on error
6511    krb5int_rd_chpw_rep could call krb5_free_error with random value
6512    krb5int_yarrow_final could deref NULL if out of memory
6514    minor memory leak in 'none' replay cache type
6515    reduce some mutex performance problems in profile library
6519    krb5_copy_error_message() calls krb5int_clear_error() incorrectly
6530    check for slogin failure in setup_root_shell
6532    (1.7.x) include win-mac.h in gssftp/ftp/cmds.c for HAVE_STDLIB_H
6533    krb5-1.7 cannot be compiled on Debian stable (5.0.2)
6534    getaddrinfo in src/util/support/fake-addrinfo.c causes leak
6536    C++ compatibility for Windows compilation
6540    memory leak in test code t_authdata
6541    Fix memory leak in k5_pac_verify_server_checksum
6542    Check for null characters in pkinit cert fields
6543    Reply message ordering bug in ftpd
6551    Memory leak in spnego accept_sec_context error path
6552    Document kinit -C and -E options
6553    use perror instead of error in kadm5 test suite
6556    Supply LDAP service principal aliases to non-referrals clients
6557    Supply canonical name if present in LDAP iteration
6558    Fix memory leak in gss_krb5int_copy_ccache
6559    Fix parsing of GSS exported names
6568    Fix addprinc -randkey when policy requires multiple character classes
6571    krb5 1.7 memory leak
6573    Fix preauth looping in krb5_get_init_creds
6579    quoting bug causes solaris pre-10 thread handling bugs
6584    crypto modularity work r22778 broke MD4-DES, MD5-DES cksums
6585    KDC MUST NOT accept ap-request armor in FAST TGS
6587    pkinit-obtained tickets can't make TGS requests
6588    Fix ivec chaining for DES iov encryption
6589    Fix AES IOV decryption of small messages
6594    gss_krb5_copy_ccache() doesn't work with spnego delegation
6608    MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals
6633    Use keyed checksum type for DES FAST
6635    Restore interoperability with 1.6 addprinc -randkey
6637    MITKRB5-SA-2009-004 [CVE-2009-4212] integer underflow in AES
        and RC4 decryption

Major changes in 1.7
--------------------

The krb5-1.7 release contains a large number of changes, featuring
improvements in the following broad areas:

* Compatibility with Microsoft Windows

* Administrator experience

* User experience

* Code quality

* Protocol evolution

Compatibility with Microsoft Windows:

* Follow client principal referrals in the client library when
  obtaining initial tickets.

* KDC can issue realm referrals for service principals based on domain
  names.

* Extensions supporting DCE RPC, including three-leg GSS context setup
  and unencapsulated GSS tokens inside SPNEGO.

* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
  similar to the equivalent SSPI functionality.  This is needed to
  support some instances of DCE RPC.

* NTLM recognition support in GSS-API, to facilitate dropping in an
  NTLM implementation for improved compatibility with older releases
  of Microsoft Windows.

* KDC support for principal aliases, if the back end supports them.
  Currently, only the LDAP back end supports aliases.

* Support Microsoft set/change password (RFC 3244) protocol in
  kadmind.

* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
  allows a GSS application to request credential delegation only if
  permitted by KDC policy.

Administrator experience:

* Install header files for the administration API, allowing
  third-party software to manipulate the KDC database.

* Incremental propagation support for the KDC database.

* Master key rollover support, making it easier to change master key
  passwords or encryption types.

* New libdefaults configuration variable "allow_weak_crypto".  NOTE:
  Currently defaults to "true", but may default to "false" in a future
  release.  Setting this variable to "false" will have the effect of
  removing weak enctypes (currently defined to be all single-DES
  enctypes) from permitted_enctypes, default_tkt_enctypes, and
  default_tgs_enctypes.

User experience:

* Provide enhanced GSS-API error message including supplementary
  details about error conditions.

* In the replay cache, use a hash over the complete ciphertext to
  avoid false-positive replay indications.

Code quality:

* Replace many uses of "unsafe" string functions.  While most of these
  instances were innocuous, they impeded efficient automatic and
  manual static code analysis.

* Fix many instances of resource leaks and similar bugs identified by
  static analysis tools.

* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
  various vulnerabilities in SPNEGO and ASN.1 code.

Protocol evolution:

* Remove support for version 4 of the Kerberos protocol (krb4).

* Encryption algorithm negotiation (RFC 4537), allowing clients and
  application services to negotiate stronger encryption than their KDC
  supports.

* Flexible Authentication Secure Tunneling (FAST), a preauthentiation
  framework that can protect the AS exchange from dictionary attacks
  on weak user passwords.

Known bugs by ticket ID
-----------------------

6481    kdb ldap integration removed rev/recurse kdb5_util dumps
6487    gss_unwrap_iov fails in stream mode
6505    fix t_prf test code properly
6506    Make results of krb5_db_def_fetch_mkey more predictable
6507    kdb5_util update_princ_encryption uses latest mkey instead of
        active mkey

Changes by ticket ID
--------------------

194     a stash file is not a keytab
914     keytab add without randomizing key
1165    annoying error message from krb5_mk_priv()
1201    replay cache can produce false positive indications
1624    use more secure checksum types
2836    feature request: compile/link time warnings for deprecated functions
2939    unified CCAPI implementation
3496    krb524d should log success as well as failure
3497    problems with corrupt (truncated) ccaches
3499    race in replay cache file ownership
3737    plugins support requires a Windows equivalent to opendir and friends
3929    support lazy launching of ccapi server
3930    CCAPI server must be able to distinguish context handles from
        other server instances
3931    CCAPI context and ccache change times must be stored by the client
3932    CCAPI should use a cc_handle not implemented as a pointer
3933    CCAPI client library reconnection support
3934    Implement CCAPI blocking calls
3935    CCAPI implement locking
3936    krb5_ccache functions should use the ccapi version 3 interface
4241    Command line --version option
5411    MEMORY keytab
5425    nonce needs to be random
5427    buffer overflow in krb5_kt_get_name
5428    MEMORY keytab leaks
5429    MEMORY keytab should use krb5_copy_keyblock
5430    MEMORY keytab's get_entry should set enctypes and kvnos
5431    krb5_kt_get_type should return const char *.
5432    krb5_kt_default_name should take an unsized length
5440    sendto_kdc() not signal safe, doesn't respond well to
        staggered TCP responses.
5481    manual test of commit handler
5517    use IP(V6)_PKTINFO in KDC for UDP sockets
5545    uninitialized salt length when reading some keys
5560    threads on Solaris 10
5561    close-on-exec flags
5565    krb5kdc.M is confused about keytype
5567    don't check for readability resolving SRVTAB: keytab
5568    Move CCAPI sources to krb5 repository
5569    Fixed bugs introduced while moving to krb5 repository
5570    Only use __attribute__ on GNUC compilers
5574    Add advisory locking to CCAPI
5575    don't include time.h in CredentialsCache.h if it's not needed
5578    test commit handler
5580    provide asprintf functionality for internal use
5587    PRF for non-AES enctypes
5589    krb5 trunk no longer builds on Windows - vsnprintf
        implementation required
5590    gss krb5 mech enhanced error messages
5593    kadmind crash on Debian AMD64
5594    Work on compiling CCAPI test suite on Windows
5595    Problems with kpasswd and an IPv6 enviroment
5596    patch for providing a way to set the ok-as-delegate flag
5598    ccs_pipe_t needs copy and release functions
5599    Added new autogenerated file to generate-files-mac target
5600    provide more useful error message when running kpropd on command line
5635    need more dylib_file specs for darwin
5641    kadm5_setkey_principal_3 fix
5642    Remove unused, unlocalizable error strings
5643    Alignment fix
5649    t_ser should no longer use kdb libraries
5654    remap mechanism-specific status codes in mechglue/spnego
5655    authorization-data plugin support in KDC
5657    (Mac-specific) PROG_LIBPATH build fix
5667    listprincs *z is broken
5670    Add documentation for CCAPI
5671    cleanup src/lib/gssapi/krb5/error_map.h on Windows
5672    no unistd.h on Windows
5699    test program build problem
5754    cci_array_move should work when the source and dest positions are equal
5760    stdint.h should only be accessed if HAVE_STDINT_H defined
5771    cc_ccache_set_principal always returns error 227
5776    profile library memory leaks introduced when malloc returns 0
5786    Update Release Documentation for KFW 3.2.2
5804    cc_initalize(ccapi_version_2) should return CC_BAD_API_VERSION
        not CC_NOT_SUPP
5805    Add documentation for error codes used for flow control.
5806    Removed NOP line of code from krb5_fcc_next_cred()
5807    can't store delegated krb5 creds when using spnego
5813    cc_ccache_store_credentials should return ccErrBadCredentialsVersion
5814    cci_array_move not returning correct new position
5815    ccs_lock_status_grant_lock granting wrong lock
5822    fixed mispelling in kadmin error message
5828    Include time.h for time()
5835    Kerberos with apple leopard
5863    [no subject]
5864    improve debugging of ticket verification in ksu
5867    krb-priv sequence numbers don't match up in retransmitted requests
5872    Add ccs_pipe_compare
5884    Need CCAPI v2 support for Windows
5885    Remove AppleConnect workaround
5894    krb5int_arcfour_string_to_key does not support utf-8 strings
5899    Compiling krb5-1.6.3 on FreeBSD 7.0-RELEASE
5900    ccs_ccache_reset should check all arguments for NULL
5901    CCAPI v2 support crash when client or server strings are NULL
5902    cci_cred_union_compare_to_credentials_union doesn't work for v5 creds
5903    Fix pointer cast in cc_seq_fetch_NCs_end
5904    cc_set_principal should return error on bad cred version
5905    cc_remove_cred should only remove one cred
5906    Fixed error code remapping
5907    Removed tests for check_cc_context_get_version
5908    Remove C warnings from CCAPI tests
5909    Add CCAPI v2 tests
5911    removed unused header file inclusion CoreFoundation.h
5912    Invalid assignment while trying to set input to NULL
5915    cc_ccache_iterator_release, cc_credentials_iterator_release
        leak server memory
5920    CCacheServer should track client iterators
5923    Protect CFBundle calls with mutexes
5925    Windows socket(...) returns SOCKET, not file handle
5926    Added prototype to test function to remove warning.
5943    db creation creates a kadmin/hostname princ but doesn't fix case
5947    krb5_walk_realm_tree broken substring logic
5948    error in filebase+suffix list generation in plugin code
5949    Don't leak memory when multiple arguments are NULL
5954    ksu fails without domain_realm mapping for local host
5960    Move KIM implementation to the krb5 repository
5962    unchecked calls to k5_mutex_lock() interact poorly with finalizers
5963    Profile library should not call rw_access earlier than needed
5964    Re: Fwd: [modauthkerb] [SOLVED] 'Request is a replay' + Basic auth
5966    signed vs unsigned char * warnings in kdb_xdr.c
5967    No prototype when building kdb5_util without krb4 support
5969    Add header for kill() in USE_PASSWORD_SERVER case
5982    cci_credentials_iterator_release using wrong message ID
5989    Add new launchd flags to CCacheServer plist file
5990    kadm5_setkey_principal_3 not copying key_data_ver and key_data_kvno
5993    Masterkey Keytab Stash
5999    fix ktutil listing with timestamp
6000    misc uninitialized-storage accesses
6001    Big endian stash file support
6002    krb5_rc_io_creat should use mkstemp
6005    krb5_get_error_message returns const char *
6009    kdc does not compile with glibc 2.8
6010    krb5int_gic_opte_copy should copy elements individually
6011    Add EnableTransactions launchd option to CCacheServer
6012    Add EnableTransactions  launchd option to KerberosAgent
6013    Stop building Kerberos.app as part of KfM.
6015    gss_export_lucid_sec_context support for SPNEGO
6016    SPNEGO workaround for SAMBA mech OID quirks
6017    KDC virtual address support
6019    Add signal to force KDC to check for changed interfaces
6024    Don't use "ccache" in error string printed to user
6025    Add macro so we don't print deprecated warnings while building KfM
6026    CCacheServer crashes iterating over creds which have been destroyed
6029    kadmind leaks error strings on failures
6031    krb needs better realm lookup logic
6032    test commit handler change
6044    Add Apple Inc. to copyright lists.
6052    Return extended krb5 error strings
6055    KIM API
6066    turn off thread-support debugging code
6070    update DES code copyright notices
6074    Use a valid UTF8 password for randkey password
6075    Open log file for appending only, not also reading
6076    Don't build PKINIT ASN.1 support code if not building PKINIT plugin
6077    krb5_fcc_resolve file locking error on malloc failuer
6080    mac port of kim should not depend on kipc
6081    Conditionalize building of CCAPI ccache type on USE_CCAPI
6083    profile write code should only quote empty strings
6087    Notify clients on ccache deletion
6088    Add support to send CFNotifications on ccache and cache
        collection changes
6090    k5_mutex_destroy calls pthread_mutex_destroy with mutex locked
6091    lean client changes
6093    KIM should not provide keytab functions when building lite framework
6094    CCAPI is leaking mach ports
6101    compile-time flag to disable iprop
6103    fix resource leak in USE_PASSWORD_SERVER code
6108    A client can fail to get initial creds if it changes the
        password while doing so.
6111    CCAPI should only use one pthread key
6120    increase rpc timeout
6121    dead code in lib/rpc/clnt_udp.c
6131    Removed argument from kipc_client_lookup_server
6133    don't do C99-style mixing declarations with code
6138    Switch KfM back to error tables
6140    CCAPI should use common ipc and stream code
6142    KerberosAgent dialogs jump around the screen
6143    KerberosAgent: Enter Identity text field shouldn't be clear
        automatically
6144    KerberosAgent: ignore user interaction while busy
6145    KerberosAgent attach associated dialogs to Select Identity dialog
6146    Client name passed by KIM is incorrect
6147    KerberosAgent Use Defaults button doesn't work
6151    Don't touch keychain if home directory access is disabled
6153    Add KLL error table
6154    Hinge building KLL shim off KIM_TO_KLL_SHIM, not LEAN_CLIENT
6155    KLLastChangedTime should return current time, not 0
6156    KLL shim layer does not correctly handle options
6157    KIM should remember options and identity if prefs indicate
6158    KerberosAgent should handle multiple clients simultaneously
6159    KerberosAgent should handle zoom button better
6160    KLL should use __attribute ((deprecated))
6162    kim_options_copy should allow in_options to be KIM_OPTIONS_DEFAULT
6163    Crash in kim_credential_create_from_keytab
6164    KL APIs which take a NULL principal return klParameterErr
6165    kim_options_create sometimes returns KIM_OPTIONS_DEFAULT
6166    preferences should handle KIM_OPTIONS_DEFAULT
6168    prefs should not create empty dictionary for KIM_OPTIONS_DEFAULT
6169    Missing keys in KerberosAgent Info.plist
6170    change password should always reprompt on error
6171    allow kim ui plugins to have any name
6172    kim_ui_plugin_fini sends pointer to context instead of context.
6175    always zero out authentication strings
6176    Test KIM plugin
6179    kim_os_string_create_localized leaks CFStringRef
6181    Free error message returned by krb5_get_error_message
6182    kim test suite reports error messages incorrectly
6183    KerberosAgent enter identity dialog should use default
6184    handle stash file names with missing keytab type spec and colon in path
6185    Merge KerberosIPC into k5_mig support
6186    Move GUI/CLI detection from KerberosIPC into KIM
6187    use KIM_BUILTIN_UI instead of LEAN_CLIENT for builtin UI
6189    remove unused variable in kim_ui_cli_ask_change_password
6190    Use a context to store error table info
6192    Treat unreadable terminal as user cancelled so regression tests work
6193    Remap some of the more confusing krb5 errors
6194    Double free and leak in kim_os_library_get_application_path
6195    Added back KLL test programs
6197    KLCreatePrincipalFromTriplet should work with empty instance
6198    KerberosAgent continues to ignore mouse events after error
6199    don't include "WRFILE:" in call to mktemp
6201    small leak in KDC authdata plugins
6202    kadmind leaks extended error strings
6203    DELEG_POLICY_FLAG for GSS
6210    pa_sam leaks parts of krb5_sam_challenge
6211    pam_sam leaking outer krb5_data created by encode_krb5_sam_response
6214    krb5_change_set_password not freeing chpw_rep contents
6216    Free data in tests so leaks checking is easier
6217    kim_preferences should free old identity before overwriting
6218    kim_ccache_iterator_next leaks principal
6219    kim_os_library_get_caller_name leaks file path
6220    kim_identity_change_password_with_credential leaks krb5_creds
6221    KerberosAgent should clear generic auth prompt
6222    KerberosAgent enter dialog should add entered identities to favorites
6224    KerberosAgent 'no selection' placeholder in ticket options
6225    Remove ipc message sent on cc_context_release
6226    KIM should only display error dialogs if it has displayed UI already
6227    Apple LW_net_trans.patch make KDC rescan network after 30 seconds
6231    Apple split build support
6247    Apple patch: null out pointer in string_to_key after free
6248    Apple patch: destroy Mach ports on unload
6250    Use CFStringGetCStringPtr when possible
6251    Add test for kim_identity_create_from_components
6252    krb5_build_principal_va does not allocate krb5_principal
6254    krb5_build_principal_ext walks off beginning of array
6255    partial rewrite of the ASN.1 encoders
6256    localize format strings, not final error string
6260    KerberosAgent hangs changing pw for passwordless identities
6261    Remove saved password if it fails to get tickets
6262    Only prompt automatically from GUI apps
6264    Avoid duplicate identical dialogs in KIM
6265    KerberosAgent bindings causing crashes
6266    BIND_8_COMPAT no longer needed in Leopard
6267    Add _with_password credential acquisition functions to KIM API
6274    Crypto IOV API per Projects/AEAD encryption API
6282    krb5kdc deref uninit memory on the stack on unknown principal (pk-init)
6285    Provide SPI to switch the mach port lookup for kipc
6286    Allow kerberos configuration files fail with EPERM
6289    replay cache is insecurely handled
6290    KIM: Pushing authentication login window do application
6291    Using referrals fills the the credentials cache more entries
        of the same name
6294    lib/gssapi/krb5/init_sec_context.c: don't leak on mutex_lock failure
6295    Memory leak in KIM identity object
6297    "make check" fails due to krb5_cc_new_unique() on 64-bit
        Solaris SPARC under Sun Studio
6302    kadmind mem leaks [rdar 6358917]
6303    Remove krb4 support
6308    Alignment problem in resolver test
6309    update ldap plugin Makefile for krb4 removal
6315    move generated dependencies out of Makefile.in
6316    KIM GC problem on 64-bit
6335    test failures in password changing
6336    enctype negotiation - etype list
6337    kadmin should force non-forwardable tickets
6339    Fwd: krb5_sendauth vs NAGLE vs DelayedAck
6342    hash db2 code breaks if st_blksize > 64k
6348    kadmin and ktutil installed in sbin, should be bin
6349    lib/rpc tests should not fail if portmap/rpcbind not running
6351    gss_header|trailerlen should be unsigned int
6352    return correct kvno in TGS case
6354    Master Key Migration Project
6355    use t_inetd with a ready message and avoid waiting a lot in
        non-root tests
6356    small storage leak in KDC startup
6357    address lib/kadm5 test suite slowness
6358    speed up kpasswd tests
6360    utf8_conv.c: wrong level of indirection in free()
6361    new multi-masterkey support doesn't work well when system
        clock is set back
6362    don't do arithmetic on void pointers
6363    int/ptr bug in gssapi code
6364    declare replacement [v]asprintf functions
6365    include omitted system header string.h
6367    Fix a memory leak in krb5_kt_resolve
6368    chpw.c: missing break in switch statement
6370    Fix assertion in gc_frm_kdc.c
6371    deal with memleaks in migrate mkey project
6372    Fix memory handling bug in mk_req_ext
6373    remove some redundant or useless qualifiers
6374    Do not assume sizeof(bool_t) == sizeof(krb5_boolean)
6375    Fix error handling in krb5_walk_realm_tree
6376    Memory handling fixes in walk_rtree
6377    make krb5_free_* functions ignore NULL
6378    Change contract of krb5int_utf8_normalize and fix memory leaks
6379    Fix possible free of uninitialized value in walk_rtree
6390    --disable-rpath is not working
6392    Fix allocation failure check in walk_rtree
6393    Implement TGS authenticator subkey support
6397    use macros for config parameter strings
6398    remove obsolete GNU.ORG realm info
6400    GSSAPI authdata extraction should merge ticket and
        authenticator authdata
6401    send_as_req re-encodes the request
6402    CVE-2009-0845 SPNEGO can dereference a null pointer
6403    kdb5_ldap_util create segfaults when
        krb5_dbekd_encrypt_key_data() called
6405    fixing several bugs relating to the migrate mkey project using
        a LDAP KDB
6407    Make a working krb5_copy_error_message
6408    Report verbose error messages from KDC
6412    crash using library-allocated storage for header in wrap_iov
6415    Use correct salt for canonicalized principals
6418    Improve LDAP admin documentation
6419    Document alias support in LDAP back end
6420    Add LDAP back end support for canonical name attribute
6421    Implement KRB-FX_CF2
6422    Implement krb5int_find_authdata
6423    krb5_auth_con_free should support freeing a null auth_context
        without segfault.
6424    Call kdb_set_mkey_list from the KDC
6425    Memory leak cleanup in ASN.1
6427    Fix error handling issue in ASN.1 decoder
6431    Install kadmin and kdb headers
6432    Update kdb5_util man page for mkey migration project
6435    Add PAC and principal parsing test cases
6436    Implement FAST from draft-ietf-krb-wg-preauth-framework
6437    mark export grade RC4 as weak
6438    Handle authdata encrypted in subkey
6439    Implement KDC side of TGS FAST
6442    Null pointer defref in adding info
6443    CVE-2009-0844 SPNEGO can read beyond buffer end
6444    CVE-2009-0847 asn1buf_imbed incorrect length validation
6445    CVE-2009-0846 asn1_decode_generaltime can free uninitialized pointer
6449    Fall through on error return
6450    kdc: handle_referral_params does not return ENOMEM errors
6451    Update defaults in documentation
6452    Document allow_weak_crypto
6456    fix memory management in handle_referral_params
6457    KDC realm referral test
6458    use isflagset correctly in TGS referrals
6459    Update kdb5_util man page with missing purge_mkeys command
6460    Implement kinit option for FAST armor ccache
6461    Require fast_req checksum to be keyed
6462    clean up KDC realm referrals error handling
6463    realm referral test cases forcing KRB5_NT_UNKNOWN
6464    verify return code from krb5_db_set_mkey_list
6465    send_tgs.c static analyzer friendliness
6466    check encode_krb5_ap_req return in send_tgs.c
6467    new copy_data_contents variant that null-terminates
6468    k5_utf8s_to_ucs2s could deref NULL pointer...
6469    fcc_generate_new destroys locked mutex on error
6470    Send explicit salt for SALTTYPE_NORMAL keys
6472    typo in ksu error message
6473    strip ok-as-delegate if not in cross-realm TGT chain
6474    move kadmin, ktutil, k5srvutil man pages to man1
6475    Adding keys to malformed keytabs can infinitely extend the file
6477    make installed headers C++-safe
6478    Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred
6479    Add DEBUG_ERROR_LOCATIONS support
6480    Do not return PREAUTH_FAILED on unknown preauth
6482    Allow more than 10 past keys to be stored by a policy
6483    man1 in title header for man1 manpages
6484    work around Heimdal not using subkey in TGS-REP
6485    document ok_as_delegate in admin.texinfo
6486    t_pac fails on SPARC Solaris
6488    NFS fails to work with KRB5 1.7
6489    UCS2 support doesn't handle upper half of BMP
6490    Windows interop with RC4 TGS-REQ subkeys
6492    Remove spurious assertion in handle_authdata
6493    some fixes for 1.7
6495    Fix test rules for non-gmake make versions
6496    Fix vector initialization error in KDC preauth code
6497    kinit/fast usage message
6498    spnego_mech.c syntax error under _GSS_STATIC_LINK
6499    use printf format attribute only with gcc
6500    use correct type for krb5_c_prf_length length arg
6501    Temporarily disable FAST PKINIT for 1.7 release
6502    typo in doc/api/krb5.tex
6503    typo in admin.texinfo

Copyright and Other Legal Notices
---------------------------------

Copyright (C) 1985-2009 by the Massachusetts Institute of Technology.

All rights reserved.

Export of this software from the United States of America may require
a specific license from the United States Government.  It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission.  Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original MIT software.
M.I.T. makes no representations about the suitability of this software
for any purpose.  It is provided "as is" without express or implied
warranty.

THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support,
Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT).  No commercial use of these trademarks may be made without
prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit
manner.  It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).

                         --------------------

Portions of src/lib/crypto have the following copyright:

  Copyright (C) 1998 by the FundsXpress, INC.

  All rights reserved.

  Export of this software from the United States of America may require
  a specific license from the United States Government.  It is the
  responsibility of any person or organization contemplating export to
  obtain such a license before exporting.

  WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  distribute this software and its documentation for any purpose and
  without fee is hereby granted, provided that the above copyright
  notice appear in all copies and that both that copyright notice and
  this permission notice appear in supporting documentation, and that
  the name of FundsXpress. not be used in advertising or publicity pertaining
  to distribution of the software without specific, written prior
  permission.  FundsXpress makes no representations about the suitability of
  this software for any purpose.  It is provided "as is" without express
  or implied warranty.

  THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
  IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.


                         --------------------

The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
of lib/rpc:

  Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

  WARNING: Retrieving the OpenVision Kerberos Administration system 
  source code, as described below, indicates your acceptance of the 
  following terms.  If you do not agree to the following terms, do not 
  retrieve the OpenVision Kerberos administration system.

  You may freely use and distribute the Source Code and Object Code
  compiled from it, with or without modification, but this Source
  Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
  INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
  FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
  EXPRESS OR IMPLIED.  IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
  FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF 
  SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
  CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, 
  WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE 
  CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY 
  OTHER REASON.

  OpenVision retains all copyrights in the donated Source Code. OpenVision
  also retains copyright to derivative works of the Source Code, whether
  created by OpenVision or by a third party. The OpenVision copyright 
  notice must be preserved if derivative works are made based on the 
  donated Source Code.

  OpenVision Technologies, Inc. has donated this Kerberos 
  Administration system to MIT for inclusion in the standard 
  Kerberos 5 distribution.  This donation underscores our 
  commitment to continuing Kerberos technology development 
  and our gratitude for the valuable work which has been 
  performed by MIT and the Kerberos community.

                         --------------------

  Portions contributed by Matt Crawford <crawdad@fnal.gov> were
  work performed at Fermi National Accelerator Laboratory, which is
  operated by Universities Research Association, Inc., under
  contract DE-AC02-76CHO3000 with the U.S. Department of Energy.

                         --------------------

The implementation of the Yarrow pseudo-random number generator in
src/lib/crypto/yarrow has the following copyright:

  Copyright 2000 by Zero-Knowledge Systems, Inc.

  Permission to use, copy, modify, distribute, and sell this software
  and its documentation for any purpose is hereby granted without fee,
  provided that the above copyright notice appear in all copies and that
  both that copyright notice and this permission notice appear in
  supporting documentation, and that the name of Zero-Knowledge Systems,
  Inc. not be used in advertising or publicity pertaining to
  distribution of the software without specific, written prior
  permission.  Zero-Knowledge Systems, Inc. makes no representations
  about the suitability of this software for any purpose.  It is
  provided "as is" without express or implied warranty.

  ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
  THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
  FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
  ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
  OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

                         --------------------

The implementation of the AES encryption algorithm in
src/lib/crypto/aes has the following copyright:

  Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
  All rights reserved.

  LICENSE TERMS

  The free distribution and use of this software in both source and binary 
  form is allowed (with or without changes) provided that:

    1. distributions of this source code include the above copyright 
       notice, this list of conditions and the following disclaimer;

    2. distributions in binary form include the above copyright
       notice, this list of conditions and the following disclaimer
       in the documentation and/or other associated materials;

    3. the copyright holder's name is not used to endorse products 
       built using this software without specific written permission. 

  DISCLAIMER

  This software is provided 'as is' with no explcit or implied warranties
  in respect of any properties, including, but not limited to, correctness 
  and fitness for purpose.

                         --------------------

Portions contributed by Red Hat, including the pre-authentication
plug-ins framework, contain the following copyright:

  Copyright (c) 2006 Red Hat, Inc.
  Portions copyright (c) 2006 Massachusetts Institute of Technology
  All Rights Reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:

  * Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.

  * Redistributions in binary form must reproduce the above
    copyright notice, this list of conditions and the following
    disclaimer in the documentation and/or other materials provided
    with the distribution.

  * Neither the name of Red Hat, Inc., nor the names of its
    contributors may be used to endorse or promote products derived
    from this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
  PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
  OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

                         --------------------

The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
src/lib/gssapi, including the following files:

  lib/gssapi/generic/gssapi_err_generic.et
  lib/gssapi/mechglue/g_accept_sec_context.c
  lib/gssapi/mechglue/g_acquire_cred.c
  lib/gssapi/mechglue/g_canon_name.c
  lib/gssapi/mechglue/g_compare_name.c
  lib/gssapi/mechglue/g_context_time.c
  lib/gssapi/mechglue/g_delete_sec_context.c
  lib/gssapi/mechglue/g_dsp_name.c
  lib/gssapi/mechglue/g_dsp_status.c
  lib/gssapi/mechglue/g_dup_name.c
  lib/gssapi/mechglue/g_exp_sec_context.c
  lib/gssapi/mechglue/g_export_name.c
  lib/gssapi/mechglue/g_glue.c
  lib/gssapi/mechglue/g_imp_name.c
  lib/gssapi/mechglue/g_imp_sec_context.c
  lib/gssapi/mechglue/g_init_sec_context.c
  lib/gssapi/mechglue/g_initialize.c
  lib/gssapi/mechglue/g_inquire_context.c
  lib/gssapi/mechglue/g_inquire_cred.c
  lib/gssapi/mechglue/g_inquire_names.c
  lib/gssapi/mechglue/g_process_context.c
  lib/gssapi/mechglue/g_rel_buffer.c
  lib/gssapi/mechglue/g_rel_cred.c
  lib/gssapi/mechglue/g_rel_name.c
  lib/gssapi/mechglue/g_rel_oid_set.c
  lib/gssapi/mechglue/g_seal.c
  lib/gssapi/mechglue/g_sign.c
  lib/gssapi/mechglue/g_store_cred.c
  lib/gssapi/mechglue/g_unseal.c
  lib/gssapi/mechglue/g_userok.c
  lib/gssapi/mechglue/g_utils.c
  lib/gssapi/mechglue/g_verify.c
  lib/gssapi/mechglue/gssd_pname_to_uid.c
  lib/gssapi/mechglue/mglueP.h
  lib/gssapi/mechglue/oid_ops.c
  lib/gssapi/spnego/gssapiP_spnego.h
  lib/gssapi/spnego/spnego_mech.c

and the initial implementation of incremental propagation, including
the following new or changed files:

  include/iprop_hdr.h
  kadmin/server/ipropd_svc.c
  lib/kdb/iprop.x
  lib/kdb/kdb_convert.c
  lib/kdb/kdb_log.c
  lib/kdb/kdb_log.h
  lib/krb5/error_tables/kdb5_err.et
  slave/kpropd_rpc.c
  slave/kproplog.c

and marked portions of the following files:

  lib/krb5/os/hst_realm.c

are subject to the following license:

  Copyright (c) 2004 Sun Microsystems, Inc.

  Permission is hereby granted, free of charge, to any person obtaining a
  copy of this software and associated documentation files (the
  "Software"), to deal in the Software without restriction, including
  without limitation the rights to use, copy, modify, merge, publish,
  distribute, sublicense, and/or sell copies of the Software, and to
  permit persons to whom the Software is furnished to do so, subject to
  the following conditions:

  The above copyright notice and this permission notice shall be included
  in all copies or substantial portions of the Software.

  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
  CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
  TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
  SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

                         --------------------

MIT Kerberos includes documentation and software developed at the
University of California at Berkeley, which includes this copyright
notice:

  Copyright (C) 1983 Regents of the University of California.
  All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:

  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above
     copyright notice, this list of conditions and the following
     disclaimer in the documentation and/or other materials provided
     with the distribution.

  3. Neither the name of the University nor the names of its
     contributors may be used to endorse or promote products derived
     from this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND
  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  SUCH DAMAGE.

                         --------------------

Portions contributed by Novell, Inc., including the LDAP database
backend, are subject to the following license:

  Copyright (c) 2004-2005, Novell, Inc.
  All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice,
        this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright
        notice, this list of conditions and the following disclaimer in the
        documentation and/or other materials provided with the distribution.
    * The copyright holder's name is not used to endorse or promote products
        derived from this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  POSSIBILITY OF SUCH DAMAGE.

                         --------------------

Portions funded by Sandia National Laboratory and developed by the
University of Michigan's Center for Information Technology
Integration, including the PKINIT implementation, are subject to the
following license:

  COPYRIGHT (C) 2006-2007
  THE REGENTS OF THE UNIVERSITY OF MICHIGAN
  ALL RIGHTS RESERVED

  Permission is granted to use, copy, create derivative works
  and redistribute this software and such derivative works
  for any purpose, so long as the name of The University of
  Michigan is not used in any advertising or publicity
  pertaining to the use of distribution of this software
  without specific, written prior authorization.  If the
  above copyright notice or any other identification of the
  University of Michigan is included in any copy of any
  portion of this software, then the disclaimer below must
  also be included.

  THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
  FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
  PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
  MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
  WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
  REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
  FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
  CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
  OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
  IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
  SUCH DAMAGES.

                         --------------------

The pkcs11.h file included in the PKINIT code has the following
license:

  Copyright 2006 g10 Code GmbH
  Copyright 2006 Andreas Jellinghaus

  This file is free software; as a special exception the author gives
  unlimited permission to copy and/or distribute it, with or without
  modifications, as long as this notice is preserved.

  This file is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY, to the extent permitted by law; without even
  the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
  PURPOSE.

                         --------------------

Portions contributed by Apple Inc. are subject to the following license:

Copyright 2004-2008 Apple Inc.  All Rights Reserved.

Export of this software from the United States of America may require
a specific license from the United States Government.  It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of Apple Inc. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission.  Apple Inc. makes no representations about the suitability of
this software for any purpose.  It is provided "as is" without express
or implied warranty.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

                         --------------------

The implementations of strlcpy and strlcat in
src/util/support/strlcat.c have the following copyright and permission
notice:

Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

                         --------------------

The implementations of UTF-8 string handling in src/util/support and
src/lib/krb5/unicode are subject to the following copyright and
permission notice:

The OpenLDAP Public License
  Version 2.8, 17 August 2003

Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided
that the following conditions are met:

1. Redistributions in source form must retain copyright statements
   and notices,

2. Redistributions in binary form must reproduce applicable copyright
   statements and notices, this list of conditions, and the following
   disclaimer in the documentation and/or other materials provided
   with the distribution, and

3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time.
Each revision is distinguished by a version number.  You may use
this Software under terms of this license revision or under the
terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT
SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in
advertising or otherwise to promote the sale, use or other dealing
in this Software without specific, written prior permission.  Title
to copyright in this Software shall at all times remain with copyright
holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
California, USA.  All Rights Reserved.  Permission to copy and
distribute verbatim copies of this document is granted.

                         --------------------

Marked test programs in src/lib/krb5/krb have the following copyright:

Copyright (c) 2006 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

3. Neither the name of KTH nor the names of its contributors may be
   used to endorse or promote products derived from this software without
   specific prior written permission.

THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Acknowledgements
----------------

Thanks to Red Hat for donating the pre-authentication plug-in
framework.

Thanks to Novell for donating the KDB abstraction layer and the LDAP
database plug-in, and also code implementing the Microsoft protocol
extensions.

Thanks to Sun Microsystems for donating their implementations of
mechglue, SPNEGO, master key rollover, and incremental propagation.

Thanks to Dennis Ferguson for donating the DES implementation.

Thanks to the members of the Kerberos V5 development team at MIT, both
past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson,
Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe
Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman,
Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus,
Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl,
Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna
Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu.