- Kerberos Version 5, Release 1.3
+ Kerberos Version 5, Release 1.8
- Release Notes
- The MIT Kerberos Team
+ Release Notes
+ The MIT Kerberos Team
Unpacking the Source Distribution
---------------------------------
The source distribution of Kerberos 5 comes in a gzipped tarfile,
-krb5-1.3.tar.gz. Instructions on how to extract the entire
+krb5-1.8.tar.gz. Instructions on how to extract the entire
distribution follow.
If you have the GNU tar program and gzip installed, you can simply do:
- gtar zxpf krb5-1.3.tar.gz
+ gtar zxpf krb5-1.8.tar.gz
If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:
- gzcat krb5-1.3.tar.gz | tar xpf -
+ gzcat krb5-1.8.tar.gz | tar xpf -
-Both of these methods will extract the sources into krb5-1.3/src and
-the documentation into krb5-1.3/doc.
+Both of these methods will extract the sources into krb5-1.8/src and
+the documentation into krb5-1.8/doc.
Building and Installing Kerberos 5
----------------------------------
and logging in as "guest" with password "guest".
-Notes, Major Changes, and Known Bugs for 1.3
---------------------------------------------
-
-* We now install the compile_et program, so other packages can use the
- installed com_err library with their own error tables. (If you use
- our com_err code, that is; see below.)
-
-* The header files we install now assume ANSI/ISO C ('89, not '99).
- We have stopped testing on SunOS 4, even with gcc. Some of our code
- now has C89-based assumptions, like free(NULL) being well defined,
- that will probably frustrate any attempts to run this code under SunOS
- 4 or other pre-C89 systems.
-
-* Some new code, bug fixes, and cleanup for IPv6 support. Most of the
- code should support IPv6 transparently now. The RPC code (and
- therefore the admin system, which is based on it) does not yet
- support IPv6. The support for Kerberos 4 may work with IPv6 in very
- limited ways, if the address checking is turned off. The FTP client
- and server do not have support for the new protocol messages needed
- for IPv6 support (RFC 2428).
-
-* We have upgraded to autoconf 2.52 (or later), and the syntax for
- specifying certain configuration options have changed. For example,
- autoconf 2.52 configure scripts let you specify command-line options
- like "configure CC=/some/path/foo-cc", so we have removed some of
- our old options like --with-cc in favor of this approach.
-
-* The client libraries can now use TCP to connect to the KDC. This
- may be necessary when talking to Microsoft KDCs (domain controllers),
- if they issue you tickets with lots of PAC data.
-
-* If you have versions of the com_err or ss installed locally, you can
- use the --with-system-et and --with-system-ss configure options to
- use them rather than using the versions supplied here. Note that
- the interfaces are assumed to be similar to those we supply; in
- particular, some older, divergent versions of the com_err library
- may not work with the krb5 sources. Many configure-time variables
- can be used to help the compiler and linker find the installed
- packages; see the build documentation for details.
-
-* The AES cryptosystem has been implemented. However, support in the
- Kerberos GSSAPI mechanism has not been written (or even fully
- specified), so it's not fully enabled. See the documentation for
- details.
-
-Major changes listed by ticket ID
----------------------------------
+DES transition
+--------------
-* [492] PRNG breakage on 64-bit platforms no longer an issue due to
- new PRNG implementation.
+The Data Encryption Standard (DES) is widely recognized as weak. The
+krb5-1.7 release contains measures to encourage sites to migrate away
+from using single-DES cryptosystems. Among these is a configuration
+variable that enables "weak" enctypes, which defaults to "false"
+beginning with krb5-1.8.
-* [523] Client library is now compatible with the RC4-based
- cryptosystem used by Windows 2000.
+Major changes in 1.8
+--------------------
-* [709] krb4 long lifetime support has been implemented.
+The krb5-1.8 release contains a large number of changes, featuring
+improvements in the following broad areas:
-* [880] krb5_gss_register_acceptor_identity() implemented (is called
- gsskrb5_register_acceptor_identity() by Heimdal).
+* Code quality
+* Modularity
+* Performance
+* End-user experience
+* Administrator experience
+* Protocol evolution
-* [1087] ftpd no longer requires channel bindings, allowing easier use
- of ftp from behind a NAT.
+Code quality:
-* [1156, 1209] It is now possible to use the system com_err to build
- this release.
+* Move toward test-driven development -- new features have test code,
+ or at least written testing procedures.
-* [1174] TCP support added to client library.
+* Increase conformance to coding style
-* [1175] TCP support added to the KDC, but is disabled by default.
+ + "The great reindent"
-* [1176] autoconf-2.5x is now required by the build system.
+ + Selective refactoring
-* [1184] It is now possible to use the system Berkeley/Sleepycat DB
- library to build this release.
+Modularity:
-* [1189, 1251] The KfM krb4 library source base has been merged.
+* Crypto modularity -- vendors can more easily substitute their own
+ crypto implementations, which might be hardware-accelerated or
+ validated to FIPS 140, for the builtin crypto implementation that
+ has historically shipped as part of MIT Kerberos. Currently, only
+ an OpenSSL provider is included, but others are possible.
-* [1190] The default KDC master key type is now triple-DES. KDCs
- being updated may need their config files updated if they are not
- already specifying the master key type.
+* Move toward improved KDB interface
-* [1190] The default ticket lifetime and default maximum renewable
- ticket lifetime have been extended to one day and one week,
- respectively.
+* Improved API for verifying and interrogating authorization data
-* [1191] A new script, k5srvutil, may be used to manipulate keytabs in
- ways similar to the krb4 ksrvutil utility.
+Performance:
-* [1281] The "fakeka" program, which emulates the AFS kaserver, has
- been integrated. Thanks to Ken Hornstein.
+* Investigate and remedy repeatedly-reported performance bottlenecks.
-* [1343] The KDC now defaults to not answering krb4 requests.
+* Encryption performance -- new crypto API with opaque key structures,
+ to allow for optimizations such as caching of derived keys
-* [1344] Addressless tickets are requested by default now.
+End-user experience:
-* [1372] There is no longer a need to create a special keytab for
- kadmind. The legacy administration daemons "kadmind4" and
- "v5passwdd" will still require a keytab, though.
+* Reduce DNS dependence by implementing an interface that allows
+ client library to track whether a KDC supports service principal
+ referrals.
-* [1377, 1442, 1443] The Microsoft set-password protocol has been
- implemented. Thanks to Paul Nelson.
+Administrator experience:
-* [1385, 1395, 1410] The krb4 protocol vulnerabilities
- [MITKRB5-SA-2003-004] have been worked around. Note that this will
- disable krb4 cross-realm functionality, as well as krb4 triple-DES
- functionality. Please see doc/krb4-xrealm.txt for details of the
- patch.
+* Disable DES by default -- this reduces security exposure from using
+ an increasingly insecure cipher.
-* [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have
- been fixed.
+* More versatile crypto configuration, to simplify migration away from
+ DES -- new configuration syntax to allow inclusion and exclusion of
+ specific algorithms relative to a default set.
-* [1397] The krb5_principal buffer bounds problems
- [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai.
+* Account lockout for repeated login failures -- mitigates online
+ password guessing attacks, and helps with some enterprise regulatory
+ compliance.
-* [1415] Subsession key negotiation has been fixed to allow for
- server-selected subsession keys in the future.
+Protocol evolution:
-* [1418, 1429, 1446, 1484, 1486, 1487, 1535, 1621] The AES
- cryptosystem has been implemented. It is not usable for GSSAPI,
- though.
+* FAST enhancements -- preauthentication framework enhancements
-* [1491] The client-side functionality of the krb524 library has been
- moved into the krb5 library.
+* Microsoft Services for User (S4U) compatibility: S4U2Self, also
+ known as "protocol transition", allows for service to ask a KDC for
+ a ticket to themselves on behalf of a client authenticated via a
+ different means; S4U2Proxy allows a service to ask a KDC for a
+ ticket to another service on behalf of a client.
-* [1550] SRV record support exists for Kerberos v4.
+* Anonymous PKINIT -- allows the use of public-key cryptography to
+ anonymously authenticate to a realm
-* [1551] The heuristic for locating the Kerberos v4 KDC by prepending
- "kerberos." to the realm name if no config file or DNS information
- is available has been removed.
+krb5-1.8 changes by ticket ID
+-----------------------------
-* [1568, 1067] A krb524 stub library is built on Windows.
+5468 delete kadmin v1 support
+6206 new API for storing extra per-principal data in ccache
+6434 krb5_cc_resolve() will crash if a null name param is provided
+6454 Make krb5_mkt_resolve error handling work
+6510 Restore limited support for static linking
+6539 Enctype list configuration enhancements
+6547 Modify kadm5 initializers to accept krb5 contexts
+6563 Implement s4u extensions
+6564 s4u extensions integration broke test suite...
+6565 HP-UX IA64 wrong endian
+6572 Implement GSS naming extensions and authdata verification
+6576 Implement new APIs to allow improved crypto performance
+6577 Account lockout for repeated login failures
+6578 Heimdal DB bridge plugin for KDC back end
+6580 Constrained delegation without PAC support
+6582 Memory leak in _kadm5_init_any introduced with ipropd
+6583 Unbundle applications into separate repository
+6586 libkrb5 support for non-blocking AS requests
+6590 allow testing even if name->addr->name mapping doesn't work
+6591 fix slow behavior on Mac OS X with link-local addresses
+6593 Remove dependency on /bin/csh in test suite
+6595 FAST (preauth framework) negotiation
+6597 Add GSS extensions to store credentials, generate random bits
+6605 PKINIT client should validate SAN for TGS, not service principal
+6606 allow testing when offline
+6607 anonymous PKINIT
+6616 Fix spelling and hyphen errors in man pages
+6618 Support optional creation of PID files for krb5kdc and kadmind
+6620 kdc_supported_enctypes does nothing; eradicate mentions thereof
+6621 disable weak crypto by default
-Minor changes listed by ticket ID
+Copyright and Other Legal Notices
---------------------------------
-* [90] default_principal_flags documented.
-
-* [175] Docs refer to appropriate example domains/IPs now.
-
-* [299] kadmin no longer complains about missing kdc.conf parameters
- when it really means krb5.conf parameters.
-
-* [318] Run-time load path for tcl is set now when linking test
- programs.
-
-* [443] --includedir honored now.
-
-* [479] unused argument in try_krb4() in login.c deleted.
-
-* [590] The des_read_pw_string() function in libdes425 has been
- aligned with the original krb4 and CNS APIs.
-
-* [608] login.krb5 handles SIGHUP more sanely now and thus avoids
- getting the session into a weird state w.r.t. job control.
-
-* [620] krb4 encrypted rcp should work a little better now. Thanks to
- Greg Hudson.
-
-* [647] libtelnet/kerberos5.c no longer uses internal include files.
-
-* [673] Weird echoing of admin password in kadmin client worked around
- by not using buffered stdio calls to read passwords.
-
-* [677] The build system has been reworked to allow the user to set
- CFLAGS, LDFLAGS, CPPFLAGS, etc. reasonably.
-
-* [680] Related to [673], rewrite krb5_prompter_posix() to no longer
- use longjmp(), thus avoiding some bugs relating to non-restoration
- of terminal settings.
-
-* [697] login.krb5 no longer zeroes out the terminal window size.
-
-* [710] decomp_ticket() in libkrb4 now looks up the local realm name
- more correctly. Thanks to Booker Bense.
-
-* [771] .rconf files are excluded from the release now.
-
-* [772] LOG_AUTHPRIV syslog facility is now usable for logging on
- systems that support it.
-
-* [844] krshd now syslogs using the LOG_AUTH facility.
-
-* [850] Berekely DB build is better integrated into the krb5 library
- build process.
-
-* [866] lib/krb5/os/localaddr.c and kdc/network.c use a common source
- for local address enumeration now.
-
-* [882] gss-client now correctly deletes the context on error.
-
-* [919] kdc/network.c problems relating to SIOCGIFCONF have been
- fixed.
-
-* [922] An overflow in the string-to-time conversion routines has been
- fixed.
-
-* [933] krb524d now handles single-DES session keys other than of type
- des-cbc-crc.
-
-* [935] des-cbc-md4 now included in default enctypes.
-
-* [939] A minor grammatical error has been fixed in a telnet client
- error message.
-
-* [953] des3 no longer failing on Windows due to SHA1 implementation
- problems.
-
-* [964] kdb_init_hist() no longer fails if master_key_enctype is not
- in supported_enctypes.
-
-* [970] A minor inconsistency in ccache.tex has been fixed.
-
-* [971] option parsing bugs rendered irrelevant by removal of unused
- gss mechanism.
-
-* [976] make install mentioned in build documentation.
-
-* [986] Related to [677], problems with the ordering of LDFLAGS
- initialization rendered irrelevant by use of native autoconf
- idioms.
-
-* [992] Related to [677], quirks with --with-cc no longer relevant as
- AC_PROG_CC is used instead now.
-
-* [999] The kdc_default_options configuration variable is now honored.
- Thanks to Emily Ratliff.
-
-* [1006] Client library, as well as KDC, now perform reasonable
- sorting of ETYPE-INFO preauthentication data.
-
-* [1055] NULL pointer dereferences in code calling
- krb5_change_password() have been fixed.
-
-* [1063] Initial credentials acquisition failures related to client
- host having a large number of local network interfaces should be
- fixed now.
-
-* [1064] Incorrect option parsing in the gssapi library is no longer
- relevant due to removal of the "v2" mechanism.
-
-* [1065, 1225] krb5_get_init_creds_password() should properly warn about
- password expiration.
-
-* [1066] printf() argument mismatches in rpc unit tests fixed.
-
-* [1085] The krb5.conf manpage has been re-synchronized with other
- documentation.
-
-* [1102] gssapi_generic.h should now work with C++.
-
-* [1135] The kadm5 ACL system is better documented.
-
-* [1136] Some documentation for the setup of cross-realm
- authentication has been added.
-
-* [1164] krb5_auth_con_gen_addrs() now properly returns errno instead
- of -1 if getpeername() fails.
-
-* [1173] Address-less forwardable tickets will remain address-less
- when forwarded.
-
-* [1178, 1228, 1244, 1246, 1249] Test suite has been stabilized
- somewhat.
-
-* [1188] As part of the modernization of our usage of autoconf,
- AC_CONFIG_FILES is now used instead of passing a list of files to
- AC_OUTPUT.
-
-* [1194] configure will no longer recurse out of the top of the source
- tree when attempting to locate the top of the source tree.
-
-* [1192] Documentation for the krb5 afs functionality of krb524d has
- been written.
-
-* [1195] Example krb5.conf file modified to include all enctypes
- supported by the release.
-
-* [1202] The KDC no longer rejects unrecognized flags.
-
-* [1203] krb5_get_init_creds_keytab() no longer does a double-free.
-
-* [1211] The ASN.1 code no longer passes (harmless) uninitialized
- values around.
-
-* [1212] libkadm5 now allows for persistent exclusive database locks.
-
-* [1217] krb5_read_password() and des_read_password() are now
- implemented via krb5_prompter_posix().
-
-* [1224] For SAM challenges, omitted optional strings are no longer
- encoded as zero-length strings.
-
-* [1226] Client-side support for SAM hardware-based preauth
- implemented.
-
-* [1229] The keytab search logic no longer fails prematurely if an
- incorrect encryption type is found. Thanks to Wyllys Ingersoll.
-
-* [1232] If the master KDC cannot be resolved, but a slave is
- reachable, the client library now returns the real error from the
- slave rather than the resolution failure from the master. Thanks to
- Ben Cox.
-
-* [1234] Assigned numbers for SAM preauth have been corrected.
- sam-pk-for-sad implementation has been aligned.
-
-* [1237] Profile-sharing optimizations from KfM have been merged.
-
-* [1240] Windows calling conventions for krb5int_c_combine_keys() have
- been aligned.
-
-* [1242] Build system incompatibilities with Debian's chimeric
- autoconf installation have been worked around.
-
-* [1256] Incorrect sizes passed to memset() in combine_keys()
- operations have been corrected.
-
-* [1260] Client credential lookup now gets new service tickets in
- preference to attempting to use expired ticketes. Thanks to Ben
- Cox.
-
-* [1262, 1572] Sequence numbers are now unsigned; negative sequence
- numbers will be accepted for the purposes of backwards
- compatibility.
-
-* [1263] A heuristic for matching the incorrectly encoded sequence
- numbers emitted by Heimdal implementations has been written.
-
-* [1284] kshd accepts connections by IPv6 now.
-
-* [1292] kvno manpage title fixed.
-
-* [1293] Source files no longer explicitly attempt to declare errno.
-
-* [1304] kadmind4 no longer leaves sa_flags uninitialized.
-
-* [1305] Expired tickets now cause KfM to pop up a password dialog.
-
-* [1309] krb5_send_tgs() no longer leaks the storage associated with
- the TGS-REQ.
-
-* [1310] kadm5_get_either() no longer leaks regexp library memory.
-
-* [1311] Output from krb5-config no longer contains spurious uses of
- $(PURE).
-
-* [1324] The KDC no longer logs an inappropriate "no matching key"
- error when an encrypted timestamp preauth password is incorrect.
-
-* [1334] The KDC now returns a clockskew error when the timestamp in
- the encrypted timestamp preauth is out of bounds, rather than just
- returning a preauthentcation failure.
-
-* [1342] gawk is no longer required for building kerbsrc.zip for the
- Windows build.
-
-* [1346] gss_krb5_ccache_name() no longer attempts to return a pointer
- to freed memory.
-
-* [1351] The filename globbing vulnerability [CERT VU#258721] in the
- ftp client's handling of filenames beginning with "|" or "-"
- returned from the "mget" command has been fixed.
-
-* [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately
- during GSSAPI context establishment.
-
-* [1356] krb5_gss_accept_sec_context() no longer attempts to validate
- a null credential if one is passed in.
-
-* [1362] The "-a user" option to telnetd now does the right thing.
- Thanks to Nathan Neulinger.
-
-* [1363] ksu no longer inappropriately syslogs to stderr.
-
-* [1357] krb__get_srvtab_name() no longer leaks memory.
-
-* [1370] GSS_C_NO_CREDENTIAL now accepts any principal in the keytab.
-
-* [1373] Handling of SAM preauth no longer attempts to stuff a size_t
- into an unsigned int.
-
-* [1387] BIND versions later than 8 now supported.
-
-* [1392] The getaddrinfo() wrapper should work better on AIX.
-
-* [1400] If DO_TIME is not set in the auth_context, and no replay
- cache is available, no replay cache will be used.
-
-* [1406, 1108] libdb is no longer installed. If you installed
- krb5-1.3-alpha1, you should ensure that no spurious libdb is left in
- your install tree.
-
-* [1412] ETYPE_INFO handling no longer goes into an infinite loop.
-
-* [1414] libtelnet is now built using the same library build framework
- as the rest of the tree.
-
-* [1417] A minor memory leak in krb5_read_password() has been fixed.
-
-* [1419] A memory leak in asn1_decode_kdc_req_body() has been fixed.
-
-* [1435] inet_ntop() is now emulated when needed.
-
-* [1439] krb5_free_pwd_sequences() now correctly frees the entire
- sequence of elements.
-
-* [1440] errno is no longer explicitly declared.
-
-* [1441] kadmind should now return useful errors if an unrecognized
- version is received in a changepw request.
-
-* [1454, 1480, 1517, 1525] The etype-info2 preauth type is now
- supported.
-
-* [1459] (KfM/KLL internal) config file resolution can now be
- prevented from accessing the user's homedir.
-
-* [1463] Preauth handling in the KDC has been reorganized.
-
-* [1470] Double-free in client-side preauth code fixed.
-
-* [1473] Ticket forwarding when the TGS and the end service have
- different enctypes should work somewhat better now.
-
-* [1474] ASN.1 testsuite memory management has been cleaned up a
- little to allow for memory leak checking.
-
-* [1476] Documentation updated to reflect default krb4 mode.
-
-* [1482] RFC-1964 OIDs now provided using the suggested symbolic
- names.
-
-* [1483, 1528] KRB5_DEPRECATED is now false by default on all
- platforms.
-
-* [1488] The KDC will now return integrity errors if a decryption
- error is responsible for preauthentication failure.
-
-* [1492] The autom4te.cache directories are now deleted from the
- release tarfiles.
-
-* [1501] Writable keytabs are registered by default.
-
-* [1515] The check for cross-realm TGTs no longer reads past the end
- of an array.
-
-* [1518] The kdc_default_options option is now actually honored.
-
-* [1519] The changepw protocol implementation in kadmind now logs
- password changes.
-
-* [1520] Documentation of OS-specific build options has been updated.
-
-* [1536] A missing prototype for krb5_db_iterate_ext() has been
- added.
-
-* [1537] An incorrect path to kdc.conf show in the kdc.conf manpage
- has been fixed.
-
-* [1540] verify_as_reply() will only check the "renew-till" time
- against the "till" time if the RENEWABLE is not set in the request.
-
-* [1547] gssftpd no longer uses vfork(), as this was causing problems
- under RedHat 9.
-
-* [1549] SRV records with a value of "." are now interpreted as a lack
- of support for the protocol.
-
-* [1553] The undocumented (and confusing!) kdc_supported_enctypes
- kdc.conf variable is no longer used.
-
-* [1560] Some spurious double-colons in password prompts have been
- fixed.
-
-* [1571] The test suite tries a little harder to get a root shell.
-
-* [1573] The KfM build process now sets localstatedir=/var/db.
-
-* [1576, 1575] The client library no longer requests RENEWABLE_OK if
- the renew lifetime is greater than the ticket lifetime.
-
-* [1587] A more standard autoconf test to locate the C compiler allows
- for gcc to be found by default without additional configuration
- arguments.
-
-* [1593] Replay cache filenames are now escaped with hyphens, not
- backslashes.
-
-* [1598] MacOS 9 support removed from in-tree com_err.
-
-* [1602] Fixed a memory leak in make_ap_req_v1(). Thanks to Kent Wu.
-
-* [1604] Fixed a memory leak in krb5_gss_init_sec_context(), and an
- uninitialized memory reference in kg_unseal_v1(). Thanks to Kent
- Wu.
-
-* [1607] kerberos-iv SRV records are now documented.
-
-* [1610] Fixed AES credential delegation under GSSAPI.
-
-* [1618] ms2mit no longer inserts local addresses into tickets
- converted from the MS ccache if they began as addressless tickets.
-
-* [1619] etype_info parser (once again) accepts extra field emitted by
- Heimdal.
-
-* [1643] Some typos in kdc.conf.M have been fixed.
-
-* [1648] For consistency, leading spaces before preprocessor
- directives in profile.h have been removed.
-
---[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ]--
-
-* [1054] KRB-CRED messages for RC4 are encrypted now.
-
-* [1177] krb5-1-2-2-branch merged onto trunk.
-
-* [1193] Punted comment about reworking key storage architecture.
-
-* [1208] install-headers target implemented.
-
-* [1223] asn1_decode_oid, asn1_encode_oid implemented
-
-* [1248] RC4 is explicitly excluded from combine_keys.
-
-* [1276] Generated dependencies handle --without-krb4 properly now.
-
-* [1339] An inadvertent change to the krb4 get_adm_hst API (strcpy vs
- strncpy etc.) has been fixed.
-
-* [1384, 1413] Use of autoconf-2.52 in util/reconf will now cause a
- warning.
-
-* [1388] DNS support is turned on in KfM.
-
-* [1391] Fix kadmind startup failure with krb4 vuln patch.
-
-* [1409] get_ad_tkt() now prompts for password if there are no tickets
- (in KfM).
-
-* [1447] vts_long() and vts_short() work now.
-
-* [1462] KfM adds exports of set_pw calls.
-
-* [1477] compile_et output not used in err_txt.c.
-
-* [1495] KfM now exports string_to_key_with_params.
-
-* [1512, 1522] afs_string_to_key now works with etype_info2.
-
-* [1514] krb5int_populate_gic_opt returns void now.
-
-* [1521] Using an afs3 salt for an AES key no longer causes
- segfaults.
-
-* [1533] krb524.h no longer contains invalid Mac pragmas.
-
-* [1546] krb_mk_req_creds() no longer zeros the session key.
-
-* [1554] The krb4 string-to-key iteration now accounts correctly for
- the decrypt-in-place semantics of libdes425.
-
-* [1557] KerberosLoginPrivate.h is now correctly included for the use
- of __KLAllowHomeDirectoryAccess() in init_os_ctx.c (for KfM).
-
-* [1558] KfM exports the new krb524 interface.
-
-* [1563] krb__get_srvtaname() no longer returns a pointer that is
- free()d upon a subsequent call.
-
-* [1569] A debug statement has been removed from krb524init.
-
-* [1592] Document possible file rename lossage when building against
- system libdb.
-
-* [1594] Darwin gets an explicit dependency of err_txt.o on
- krb_err.c.
-
-* [1596] Calling conventions, etc. tweaked for KfW build of
- krb524.dll.
-
-* [1600] Minor tweaks to README to improve notes on IPv6, etc.
-
-* [1605] Fixed a leak of subkeys in krb5_rd_rep().
-
-* [1630] krb5_get_in_tkt_with_keytab() works now; previously borken by
- reimplementation in terms of krb5_get_init_creds().
-
-* [1642] KfM build now inherits CFLAGS and LDFLAGS from parent project.
-
-Copyright Notice and Legal Administrivia
-----------------------------------------
-
-Copyright (C) 1985-2003 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2010 by the Massachusetts Institute of Technology.
All rights reserved.
for any purpose. It is provided "as is" without express or implied
warranty.
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Individual source code files are copyright MIT, Cygnus Support,
-OpenVision, Oracle, Sun Soft, FundsXpress, and others.
+Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
+FundsXpress, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).
-----
+ --------------------
+
+Portions of src/lib/crypto have the following copyright:
+
+ Copyright (C) 1998 by the FundsXpress, INC.
+
+ All rights reserved.
+
+ Export of this software from the United States of America may require
+ a specific license from the United States Government. It is the
+ responsibility of any person or organization contemplating export to
+ obtain such a license before exporting.
+
+ WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ distribute this software and its documentation for any purpose and
+ without fee is hereby granted, provided that the above copyright
+ notice appear in all copies and that both that copyright notice and
+ this permission notice appear in supporting documentation, and that
+ the name of FundsXpress. not be used in advertising or publicity pertaining
+ to distribution of the software without specific, written prior
+ permission. FundsXpress makes no representations about the suitability of
+ this software for any purpose. It is provided "as is" without express
+ or implied warranty.
+
+ THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+
+ --------------------
The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
of lib/rpc:
- Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
-
- WARNING: Retrieving the OpenVision Kerberos Administration system
- source code, as described below, indicates your acceptance of the
- following terms. If you do not agree to the following terms, do not
- retrieve the OpenVision Kerberos administration system.
-
- You may freely use and distribute the Source Code and Object Code
- compiled from it, with or without modification, but this Source
- Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
- INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
- FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
- EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
- FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
- CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
- WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
- CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
- OTHER REASON.
-
- OpenVision retains all copyrights in the donated Source Code. OpenVision
- also retains copyright to derivative works of the Source Code, whether
- created by OpenVision or by a third party. The OpenVision copyright
- notice must be preserved if derivative works are made based on the
- donated Source Code.
-
- OpenVision Technologies, Inc. has donated this Kerberos
- Administration system to MIT for inclusion in the standard
- Kerberos 5 distribution. This donation underscores our
- commitment to continuing Kerberos technology development
- and our gratitude for the valuable work which has been
- performed by MIT and the Kerberos community.
-
-----
-
- Portions contributed by Matt Crawford <crawdad@fnal.gov> were
- work performed at Fermi National Accelerator Laboratory, which is
- operated by Universities Research Association, Inc., under
- contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
-
----- The implementation of the Yarrow pseudo-random number generator
-in src/lib/crypto/yarrow has the following copyright:
-
-Copyright 2000 by Zero-Knowledge Systems, Inc.
-
-Permission to use, copy, modify, distribute, and sell this software
-and its documentation for any purpose is hereby granted without fee,
-provided that the above copyright notice appear in all copies and that
-both that copyright notice and this permission notice appear in
-supporting documentation, and that the name of Zero-Knowledge Systems,
-Inc. not be used in advertising or publicity pertaining to
-distribution of the software without specific, written prior
-permission. Zero-Knowledge Systems, Inc. makes no representations
-about the suitability of this software for any purpose. It is
-provided "as is" without express or implied warranty.
-
-ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
-THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
-ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
-OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
----- The implementation of the AES encryption algorithm in
+ Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
+
+ WARNING: Retrieving the OpenVision Kerberos Administration system
+ source code, as described below, indicates your acceptance of the
+ following terms. If you do not agree to the following terms, do not
+ retrieve the OpenVision Kerberos administration system.
+
+ You may freely use and distribute the Source Code and Object Code
+ compiled from it, with or without modification, but this Source
+ Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
+ INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
+ FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
+ EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
+ FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
+ CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
+ WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
+ CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
+ OTHER REASON.
+
+ OpenVision retains all copyrights in the donated Source Code. OpenVision
+ also retains copyright to derivative works of the Source Code, whether
+ created by OpenVision or by a third party. The OpenVision copyright
+ notice must be preserved if derivative works are made based on the
+ donated Source Code.
+
+ OpenVision Technologies, Inc. has donated this Kerberos
+ Administration system to MIT for inclusion in the standard
+ Kerberos 5 distribution. This donation underscores our
+ commitment to continuing Kerberos technology development
+ and our gratitude for the valuable work which has been
+ performed by MIT and the Kerberos community.
+
+ --------------------
+
+ Portions contributed by Matt Crawford <crawdad@fnal.gov> were
+ work performed at Fermi National Accelerator Laboratory, which is
+ operated by Universities Research Association, Inc., under
+ contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
+
+ --------------------
+
+The implementation of the Yarrow pseudo-random number generator in
+src/lib/crypto/yarrow has the following copyright:
+
+ Copyright 2000 by Zero-Knowledge Systems, Inc.
+
+ Permission to use, copy, modify, distribute, and sell this software
+ and its documentation for any purpose is hereby granted without fee,
+ provided that the above copyright notice appear in all copies and that
+ both that copyright notice and this permission notice appear in
+ supporting documentation, and that the name of Zero-Knowledge Systems,
+ Inc. not be used in advertising or publicity pertaining to
+ distribution of the software without specific, written prior
+ permission. Zero-Knowledge Systems, Inc. makes no representations
+ about the suitability of this software for any purpose. It is
+ provided "as is" without express or implied warranty.
+
+ ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
+ THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
+ ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
+ OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ --------------------
+
+The implementation of the AES encryption algorithm in
src/lib/crypto/aes has the following copyright:
- Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
- All rights reserved.
+ Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary
+ form is allowed (with or without changes) provided that:
+
+ 1. distributions of this source code include the above copyright
+ notice, this list of conditions and the following disclaimer;
+
+ 2. distributions in binary form include the above copyright
+ notice, this list of conditions and the following disclaimer
+ in the documentation and/or other associated materials;
+
+ 3. the copyright holder's name is not used to endorse products
+ built using this software without specific written permission.
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explcit or implied warranties
+ in respect of any properties, including, but not limited to, correctness
+ and fitness for purpose.
+
+ --------------------
+
+Portions contributed by Red Hat, including the pre-authentication
+plug-ins framework, contain the following copyright:
+
+ Copyright (c) 2006 Red Hat, Inc.
+ Portions copyright (c) 2006 Massachusetts Institute of Technology
+ All Rights Reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ * Neither the name of Red Hat, Inc., nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ --------------------
+
+The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
+src/lib/gssapi, including the following files:
+
+ lib/gssapi/generic/gssapi_err_generic.et
+ lib/gssapi/mechglue/g_accept_sec_context.c
+ lib/gssapi/mechglue/g_acquire_cred.c
+ lib/gssapi/mechglue/g_canon_name.c
+ lib/gssapi/mechglue/g_compare_name.c
+ lib/gssapi/mechglue/g_context_time.c
+ lib/gssapi/mechglue/g_delete_sec_context.c
+ lib/gssapi/mechglue/g_dsp_name.c
+ lib/gssapi/mechglue/g_dsp_status.c
+ lib/gssapi/mechglue/g_dup_name.c
+ lib/gssapi/mechglue/g_exp_sec_context.c
+ lib/gssapi/mechglue/g_export_name.c
+ lib/gssapi/mechglue/g_glue.c
+ lib/gssapi/mechglue/g_imp_name.c
+ lib/gssapi/mechglue/g_imp_sec_context.c
+ lib/gssapi/mechglue/g_init_sec_context.c
+ lib/gssapi/mechglue/g_initialize.c
+ lib/gssapi/mechglue/g_inquire_context.c
+ lib/gssapi/mechglue/g_inquire_cred.c
+ lib/gssapi/mechglue/g_inquire_names.c
+ lib/gssapi/mechglue/g_process_context.c
+ lib/gssapi/mechglue/g_rel_buffer.c
+ lib/gssapi/mechglue/g_rel_cred.c
+ lib/gssapi/mechglue/g_rel_name.c
+ lib/gssapi/mechglue/g_rel_oid_set.c
+ lib/gssapi/mechglue/g_seal.c
+ lib/gssapi/mechglue/g_sign.c
+ lib/gssapi/mechglue/g_store_cred.c
+ lib/gssapi/mechglue/g_unseal.c
+ lib/gssapi/mechglue/g_userok.c
+ lib/gssapi/mechglue/g_utils.c
+ lib/gssapi/mechglue/g_verify.c
+ lib/gssapi/mechglue/gssd_pname_to_uid.c
+ lib/gssapi/mechglue/mglueP.h
+ lib/gssapi/mechglue/oid_ops.c
+ lib/gssapi/spnego/gssapiP_spnego.h
+ lib/gssapi/spnego/spnego_mech.c
+
+and the initial implementation of incremental propagation, including
+the following new or changed files:
+
+ include/iprop_hdr.h
+ kadmin/server/ipropd_svc.c
+ lib/kdb/iprop.x
+ lib/kdb/kdb_convert.c
+ lib/kdb/kdb_log.c
+ lib/kdb/kdb_log.h
+ lib/krb5/error_tables/kdb5_err.et
+ slave/kpropd_rpc.c
+ slave/kproplog.c
+
+and marked portions of the following files:
+
+ lib/krb5/os/hst_realm.c
+
+are subject to the following license:
+
+ Copyright (c) 2004 Sun Microsystems, Inc.
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+ --------------------
+
+MIT Kerberos includes documentation and software developed at the
+University of California at Berkeley, which includes this copyright
+notice:
+
+ Copyright (C) 1983 Regents of the University of California.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ 3. Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+ --------------------
+
+Portions contributed by Novell, Inc., including the LDAP database
+backend, are subject to the following license:
+
+ Copyright (c) 2004-2005, Novell, Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * The copyright holder's name is not used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ --------------------
+
+Portions funded by Sandia National Laboratory and developed by the
+University of Michigan's Center for Information Technology
+Integration, including the PKINIT implementation, are subject to the
+following license:
+
+ COPYRIGHT (C) 2006-2007
+ THE REGENTS OF THE UNIVERSITY OF MICHIGAN
+ ALL RIGHTS RESERVED
+
+ Permission is granted to use, copy, create derivative works
+ and redistribute this software and such derivative works
+ for any purpose, so long as the name of The University of
+ Michigan is not used in any advertising or publicity
+ pertaining to the use of distribution of this software
+ without specific, written prior authorization. If the
+ above copyright notice or any other identification of the
+ University of Michigan is included in any copy of any
+ portion of this software, then the disclaimer below must
+ also be included.
+
+ THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGES.
+
+ --------------------
+
+The pkcs11.h file included in the PKINIT code has the following
+license:
+
+ Copyright 2006 g10 Code GmbH
+ Copyright 2006 Andreas Jellinghaus
+
+ This file is free software; as a special exception the author gives
+ unlimited permission to copy and/or distribute it, with or without
+ modifications, as long as this notice is preserved.
+
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+ the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.
+
+ --------------------
+
+Portions contributed by Apple Inc. are subject to the following license:
+
+Copyright 2004-2008 Apple Inc. All Rights Reserved.
+
+Export of this software from the United States of America may require
+a specific license from the United States Government. It is the
+responsibility of any person or organization contemplating export to
+obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of Apple Inc. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission. Apple Inc. makes no representations about the suitability of
+this software for any purpose. It is provided "as is" without express
+or implied warranty.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- LICENSE TERMS
+ --------------------
- The free distribution and use of this software in both source and binary
- form is allowed (with or without changes) provided that:
+The implementations of strlcpy and strlcat in
+src/util/support/strlcat.c have the following copyright and permission
+notice:
- 1. distributions of this source code include the above copyright
- notice, this list of conditions and the following disclaimer;
+Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
- 2. distributions in binary form include the above copyright
- notice, this list of conditions and the following disclaimer
- in the documentation and/or other associated materials;
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
- 3. the copyright holder's name is not used to endorse products
- built using this software without specific written permission.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- DISCLAIMER
+ --------------------
- This software is provided 'as is' with no explcit or implied warranties
- in respect of any properties, including, but not limited to, correctness
- and fitness for purpose.
+The implementations of UTF-8 string handling in src/util/support and
+src/lib/krb5/unicode are subject to the following copyright and
+permission notice:
+The OpenLDAP Public License
+ Version 2.8, 17 August 2003
+Redistribution and use of this software and associated documentation
+("Software"), with or without modification, are permitted provided
+that the following conditions are met:
-Acknowledgements
-----------------
+1. Redistributions in source form must retain copyright statements
+ and notices,
-Appreciation Time!!!! There are far too many people to try to thank
-them all; many people have contributed to the development of Kerberos
-V5. This is only a partial listing....
+2. Redistributions in binary form must reproduce applicable copyright
+ statements and notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution, and
-Thanks to Paul Vixie and the Internet Software Consortium for funding
-the work of Barry Jaspan. This funding was invaluable for the OV
-administration server integration, as well as the 1.0 release
-preparation process.
+3. Redistributions must contain a verbatim copy of this document.
-Thanks to John Linn, Scott Foote, and all of the folks at OpenVision
-Technologies, Inc., who donated their administration server for use in
-the MIT release of Kerberos.
+The OpenLDAP Foundation may revise this license from time to time.
+Each revision is distinguished by a version number. You may use
+this Software under terms of this license revision or under the
+terms of any subsequent revision of the license.
-Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken
-Raeburn, and all of the folks at Cygnus Support, who provided
-innumerable bug fixes and portability enhancements to the Kerberos V5
-tree. Thanks especially to Jeff Bigler, for the new user and system
-administrator's documentation.
+THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
+CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
+OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
-Thanks to Doug Engert from ANL for providing many bug fixes, as well
-as testing to ensure DCE interoperability.
+The names of the authors and copyright holders must not be used in
+advertising or otherwise to promote the sale, use or other dealing
+in this Software without specific, written prior permission. Title
+to copyright in this Software shall at all times remain with copyright
+holders.
+
+OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+
+Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
+California, USA. All Rights Reserved. Permission to copy and
+distribute verbatim copies of this document is granted.
+
+ --------------------
+
+Marked test programs in src/lib/krb5/krb have the following copyright:
+
+Copyright (c) 2006 Kungliga Tekniska Högskolan
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
-Thanks to Ken Hornstein at NRL for providing many bug fixes and
-suggestions, and for working on SAM preauthentication.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
-Thanks to Matt Crawford at FNAL for bugfixes and enhancements.
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
-Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
-their many suggestions and bug fixes.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
-Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and
-providing patches for numerous buffer overruns.
+3. Neither the name of KTH nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
-Thanks to Christopher Thompson and Marcus Watts for discovering the
-ftpd security bug.
+THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-Thanks to Paul Nelson of Thursby Software Systems for implementing the
-Microsoft set password protocol.
+Acknowledgements for krb5-1.8
+-----------------------------
Thanks to the members of the Kerberos V5 development team at MIT, both
-past and present: Danilo Almeida, Jeffrey Altman, Jay Berkenbilt,
-Richard Basch, Mitch Berger, John Carr, Don Davis, Alexandra Ellwood,
-Nancy Gilman, Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva
-Jacobus, Miroslav Jurisic, Barry Jaspan, Geoffrey King, John Kohl,
+past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson,
+Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe
+Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman,
+Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus,
+Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl,
Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
-Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall
-Vale, Tom Yu.
+Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna
+Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu.