+2003-06-27 Tom Yu <tlyu@mit.edu>
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): Pass (void*)keytab,
+ not &keytab, to get_init_creds. Thanks to Herb Lewis.
+
+2003-06-16 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Set use_conf_ktypes to true while getting the TGT key
+
+2003-06-13 Tom Yu <tlyu@mit.edu>
+
+ * rd_rep.c (krb5_rd_rep): Free subkeys before replacing them, if
+ needed. This avoids a memory leak.
+
+2003-06-11 Tom Yu <tlyu@mit.edu>
+
+ * srv_rcache.c (krb5_get_server_rcache): Octal escapes begin with
+ hyphen now, since backslash is a pathname separator on DOS.
+
+2003-06-06 Sam Hartman <hartmans@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Mask out renewable_ok if the
+ request is for a renewable ticket with rtime greater than till
+
+2003-06-06 Ezra Peisach <epeisach@mit.edu>
+
+ * mk_req_ext.c (krb5_generate_authenticator): Sequence numbers are
+ unsigned now.
+
+2003-05-30 Ken Raeburn <raeburn@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Change hardcoded default
+ ticket lifetime from 10 hours to 24 hours.
+
+ * init_ctx.c (DEFAULT_KDC_TIMESYNC): Define as 1 always.
+ (DEFAULT_CCACHE_TYPE): Define as 4 always.
+
+2003-05-30 Alexandra Ellwood <lxs@mit.edu>
+
+ * get_in_tkt.c: (verify_as_reply) Only check the renewable lifetime
+ of tickets whose request options included KDC_OPT_RENEWABLE_OK
+ if those options did not also include KDC_OPT_RENEWABLE. Otherwise
+ verify_as_reply() will fail for all renewable tickets.
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_creds.c: Enable support on Windows always.
+ (krb5_524_convert_creds): Renamed from krb524_convert_creds_kdc.
+ (krb524_convert_creds_kdc, krb524_init_ets) [!_WIN32]: Backwards
+ compatibility functions.
+
+2003-05-27 Sam Hartman <hartmans@mit.edu>
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): as below
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Store client and
+ server principals to avoid memory leak
+
+2003-05-24 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_creds.c: New file, moved from krb524/conv_creds.c and
+ krb524/encode.c. Rename exported encode routine, make other
+ encode and decode routines static. If KRB5_KRB4_COMPAT is not
+ defined, return an error.
+ * v4lifetime.c: New file, moved from lib/krb4/lifetime.c. Renamed
+ functions, changed interface to use krb5 types.
+ * Makefile.in (STLIBOBJS, OBJS, SRCS): Add them.
+
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Initialize options based on
+ context.kdc_default_options
+
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * gen_seqnum.c (krb5_generate_seq_number): Fix think-o on sequence
+ number mask.
+
+ * auth_con.c (krb5int_auth_con_chkseqnum): New function; implement
+ heuristic for broken Heimdal sequence number encoding.
+ (chk_heimdal_seqnum): Auxiliary function for above.
+
+ * auth_con.h: Add flags for sequence number heuristic.
+
+ * rd_priv.c: Use krb5int_auth_con_chkseqnum.
+
+ * rd_safe.c: Use krb5int_auth_con_chkseqnum.
+
+2003-05-22 Sam Hartman <hartmans@mit.edu>
+
+ * gic_pwd.c (krb5int_populate_gic_opt): returns void
+
+2003-05-21 Tom Yu <tlyu@mit.edu>
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Set pw0.length
+ correctly if a password is passed in.
+
+2003-05-20 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in (SRCS): Remove in_ktb.c
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): Move from
+ in_tkt_keytab.c and rewrite to use krb5_get_init_creds
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Moved here from
+ in_tkt_pwd.c so it can share code with
+ krb5_get_init_creds_password. Rewritten to call
+ krb5_get_in_tkt_password
+
+ * Makefile.in (SRCS): Delete in_tkt_pwd.c
+
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * auth_con.h: Sequence numbers are now unsigned.
+
+ * gen_seqnum.c (krb5_generate_seq_number): Constrain initial
+ sequence number space to facilitate backwards compatibility.
+
+2003-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * chpw.c (krb5int_rd_chpw_rep): Allow new kpasswd error codes up
+ through _INITIAL_FLAG_NEEDED.
+
+2003-05-13 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Try with no specified enctype if
+ forwarding a specific enctype fails. l
+
+ * get_in_tkt.c (krb5_get_init_creds): Free s2kparams
+
+ * preauth2.c (krb5_do_preauth): Fix memory management
+ (pa_salt): Use copy_data_contents
+
+ * copy_data.c (krb5int_copy_data_contents): New function
+
+2003-05-09 Sam Hartman <hartmans@mit.edu>
+
+ * preauth2.c: Patch from Sun to reorganize code for handling
+ etype_info requests. More efficient and easier to implement etype_info2
+ (krb5_do_preauth): Support enctype_info2
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * preauth2.c: Add s2kparams to the declaration of a preauth
+ function, to every instance of a preauth function and to every
+ call to gak_fct
+
+ * get_in_tkt.c (krb5_get_init_creds): Add s2kparams support
+
+ * gic_keytab.c (krb5_get_as_key_keytab): Add s2kparams
+
+ * gic_pwd.c (krb5_get_as_key_password): Add s2kparams support
+
+2003-05-09 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (init_common): Copy tgs_ktypes array to
+ conf_tgs_ktypes. Clear use_conf_ktypes.
+ (krb5_free_context): Free conf_tgs_ktypes.
+ (krb5_get_tgs_ktypes): Use use_conf_ktypes to choose between
+ tgs_ktypes and conf_tgs_ktypes.
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Set use_conf_ktypes
+ in context to 1 for all operations except the acquisition of the
+ desired service ticket.
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * auth_con.c (krb5_auth_con_setsendsubkey)
+ (krb5_auth_con_setrecvsubkey, krb5_auth_con_getsendsubkey)
+ (krb5_auth_con_getrecvsubkey): New functions. Set or retrieve
+ subkeys from an auth_context.
+ (krb5_auth_con_getlocalsubkey, krb5_auth_con_getremotesubkey):
+ Reimplement in terms of the above.
+
+ * auth_con.h, ser_actx.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey.
+
+ * chpw.c (krb5int_rd_chpw_rep): Save send_subkey prior to rd_rep;
+ use saved send_subkey to smash recv_subkey obtained from rd_rep.
+
+ * mk_req_ext.c (krb5_mk_req_extended): Rename
+ {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if
+ subkey generation is requested.
+
+ * mk_cred.c, mk_priv.c, mk_safe.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Use either send_subkey or keyblock, in that
+ order.
+
+ * rd_cred.c, rd_priv.c, rd_safe.c: Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Use either recv_subkey or keyblock, in that
+ order.
+
+ * rd_rep.c (krb5_rd_rep): Rename {local,remote}_subkey ->
+ {send,recv}_subkey. Set both subkeys if a subkey is present in
+ the AP-REP message.
+
+ * rd_req_dec.c (krb5_rd_req_decoded_opt): Rename
+ {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if
+ a subkey is present in the AP-REQ message.
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * kfree.c (krb5_free_etype_info): Free s2kparams
+
+2003-04-27 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_setpw_result_code_string): Make internal
+
+2003-04-25 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_rd_setpw_rep): Fix error handling; allow
+ krberrors to be read correctly; fix memory alloctaion so that
+ allocated structures are freed.
+
+2003-04-24 Ezra Peisach <epeisach@mit.edu>
+
+ * kfree.c (krb5_free_pwd_sequences): Correction to previous
+ fix. Free contents of krb5_data - not just the pointer.
+
+2003-04-23 Ezra Peisach <epeisach@mit.edu>
+
+ * kfree.c (krb5_free_pwd_sequences): Actually free the entire
+ sequence of passwd_phase_elements and not just the first one.
+
+2003-04-16 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_mk_setpw_req): Use encode_krb5_setpw_req. Fix
+ memory handling to free data that is allocated
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * chpw.c (krb5int_mk_setpw_req krb5int_rd_setpw_rep): New function
+
+2003-04-13 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (DEFAULT_ETYPE_LIST): Add AES with 256 bits at the
+ front of the list. No 128-bit support by defaut.
+
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name
+ length before examining components.
+
+ * parse.c (krb5_parse_name): Double-check principal name length
+ before filling in components.
+
+ * srv_rcache.c (krb5_get_server_rcache): Check for null pointer
+ supplied in place of name.
+
+ * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer
+ backwards if nothing has been put into the buffer yet.
+
+2003-04-01 Sam Hartman <hartmans@mit.edu>
+
+ * rd_req.c (krb5_rd_req): If AUTH_CONTEXT_DO_TIME is cleared,
+ don't set up a replay cache.
+
+2003-03-08 Ezra Peisach <epeisach@mit.edu>
+
+ * t_kerb.c: Only include krb.h if krb4 support compiled in,
+ otherwise define ANAME_SZ, INST_SZ and REALM_SZ.
+
+2003-03-06 Tom Yu <tlyu@mit.edu>
+
+ * preauth2.c (pa_sam_2): Add intermediate size_t variable to hold
+ output of krb5_c_encrypt_length().
+
+2003-03-06 Alexandra Ellwood <lxs@mit.edu>
+
+ * appdefault.c: Fix constness to avoid warning.
+
+ * init_ctx.c: Do the same stuff on the Mac as on Unix.
+
+ * preauth2.c: Added cast to fix warning.
+
+2003-03-04 Tom Yu <tlyu@mit.edu>
+
+ * srv_rcache.c (krb5_get_server_rcache): Fix missed
+ isinvalidrcname -> isvalidrcname.
+
+2003-03-02 Sam Hartman <hartmans@mit.edu>
+
+ * srv_rcache.c (krb5_get_server_rcache): If punctuation or graphic characters in replay ccache name then use escaping
+
+ * rd_req.c (krb5_rd_req): Allow initializing the replay cache from the ticket
+
+2003-02-25 Tom Yu <tlyu@mit.edu>
+
+ * gic_pwd.c (krb5_get_init_creds_password): Don't pass a NULL
+ pointer to sprintf().
+
+2003-02-14 Sam Hartman <hartmans@mit.edu>
+
+ * preauth2.c (krb5_do_preauth): Sort incoming etype info based on
+ preference order in request
+
+2003-02-13 Sam Hartman <hartmans@mit.edu>
+
+ * gic_keytab.c (krb5_get_as_key_keytab): Nathan Neulinger points
+ out that the AS key is double freed; fix.
+
+2003-02-11 Sam Hartman <hartmans@mit.edu>
+
+ * rd_cred.c (krb5_rd_cred): Free creds using krb5_free_tgt_creds
+ and make sure they are set to null in case of error.
+
+2003-02-07 Sam Hartman <hartmans@mit.edu>
+
+ * rd_cred.c (krb5_rd_cred): Allow the tickets to be encrypted the
+ session key as well as the subsession key; for GSSAPI this tends
+ to be what happens.
+
+2003-02-04 Sam Hartman <hartmans@mit.edu>
+
+ * get_in_tkt.c (krb5_get_init_creds): Default to addressless tickets
+
+2003-01-12 Ezra Peisach <epeisach@bu.edu>
+
+ * send_tgs.c (krb5_send_tgs): Free memory leak of TGS_REQ.
+
+2003-01-10 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in: Add AC_SUBST_FILE marker for libobj_frag.
+
+2003-01-09 Sam Hartman <hartmans@mit.edu>
+
+ * get_creds.c (krb5_get_credentials_core): Patch from Ben Cox
+ <cox-work@djehuti.com> to not use expired service credentials if
+ the endtime is null but instead to search for unexpired
+ credentials. If none are found, get new credentials.
+
+
+2003-01-08 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Don't require hostname to be supplied unless you are using addresses in the ticket.
+
+2003-01-07 Ken Raeburn <raeburn@mit.edu>
+
+ * appdefault.c (conf_yes, conf_no): Now const.
+
+2003-01-07 Sam Hartman <hartmans@mit.edu>
+
+ * mk_req_ext.c (krb5_mk_req_extended): Fix logic error in checksum function handling
+ (krb5_mk_req_extended): For consistency with Microsoft, never use a subkey before calling the checksum callback
+
+2003-01-06 Sam Hartman <hartmans@mit.edu>
+
+ * mk_req_ext.c (krb5_mk_req_extended): Inf no in_data is provided
+ but krb5_auth_con_set_checksum_func has been called, then use that
+ callback to generate the in_data.
+
+ * auth_con.c (krb5_auth_con_init): Initialize checksum_func fields
+ (krb5_auth_con_set_checksum_func): new function-- set the mk_req
+ checksum function
+ (krb5_auth_con_get_checksum_func): return the same
+
+ * auth_con.h: Add checksum_func and checksum_func_data
+
+2002-12-23 Ezra Peisach <epeisach@bu.edu>
+
+ * t_kerb.c: Include string.h for strcmp prototype.
+
+2002-12-19 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_princ.c (krb5_524_conv_principal): Clean up use of "const"
+ in API.
+
+2002-11-14 Ezra Peisach <epeisach@bu.edu>
+
+ * get_in_tkt.c (krb5_get_in_tkt): Do not pass NULL when an
+ integer 0 is intended to send_as_request().
+
+2002-11-07 Ezra Peisach <epeisach@bu.edu>
+
+ * conv_princ.c (strnchr): Make length argument unsigned int.
+
+ * preauth2.c: Add parentheses around assignment used as truth
+ value. Cleanup unused variable.
+
+
+2002-10-30 Tom Yu <tlyu@mit.edu>
+
+ * chk_trans.c (krb5_check_transited_list): Style nit: check
+ character against '\0' not NULL.
+
+2002-10-30 Sam Hartman <hartmans@mit.edu>
+
+ * chk_trans.c: Ignore trailing null in transited encoding; older
+ versions of MIT code included this.
+
+2002-10-28 Ken Raeburn <raeburn@mit.edu>
+
+ * get_in_tkt.c (conf_yes, conf_no): Now const. References
+ updated.
+ * preauth.c (preauth_systems): Now const. References updated.
+ * preauth2.c (pa_types): Now const.
+ (krb5_do_preauth): Local array paorder now const.
+
+2002-10-28 Sam Hartman <hartmans@mit.edu>
+
+ * gic_keytab.c (krb5_get_init_creds_keytab): Don't allow failure
+ to resolve master KDC to mask error from a slave we did talk to.
+
+2002-10-24 Ken Hornstein <kenh@cmf.nrl.navy.mil>
+
+ * gic_pwd.c (krb5_get_init_creds_password): Exit out of the loop
+ when preauth fails.
+
+ * kfree.c: Add various free functions for new preauth
+ data structures.
+
+ * preauth2.c (pa_sam): Fix up support for "old" hardware preauth.
+ Also implement new hardware preauth in pa_sam2().
+
+2002-10-23 Ken Hornstein <kenh@cmf.nrl.navy.mil>
+
+ * gic_pwd.c (krb5_get_init_creds_password): Fix bug in previous
+ password expiration warning; also, check for password expiration
+ warnings via LRQ type from krb-clarifications.
+
+2002-09-11 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): If our initial tickets don't
+ have addresses, neither should forwarded tickets. Also, noticed
+ that cc was being used before initialized in some cases; fixed.
+
+2002-09-02 Ken Raeburn <raeburn@mit.edu>
+
+ * addr_comp.c, addr_order.c, addr_srch.c, appdefault.c,
+ auth_con.c, bld_princ.c, chpw.c, cleanup.h, conv_princ.c,
+ copy_addrs.c, copy_athctr.c, copy_auth.c, copy_cksum.c,
+ copy_creds.c, copy_data.c, copy_key.c, copy_princ.c, copy_tick.c,
+ cp_key_cnt.c, decode_kdc.c, decrypt_tk.c, enc_helper.c,
+ encode_kdc.c, encrypt_tk.c, free_rtree.c, fwd_tgt.c, gc_frm_kdc.c,
+ gc_via_tkt.c, gen_seqnum.c, gen_subkey.c, get_creds.c,
+ get_in_tkt.c, gic_keytab.c, gic_opt.c, gic_pwd.c, in_tkt_ktb.c,
+ in_tkt_pwd.c, in_tkt_sky.c, init_ctx.c, kdc_rep_dc.c, kfree.c,
+ mk_cred.c, mk_error.c, mk_priv.c, mk_rep.c, mk_req.c,
+ mk_req_ext.c, mk_safe.c, parse.c, pr_to_salt.c, preauth.c,
+ preauth2.c, princ_comp.c, rd_cred.c, rd_error.c, rd_priv.c,
+ rd_rep.c, rd_req.c, rd_req_dec.c, rd_safe.c, recvauth.c,
+ send_tgs.c, sendauth.c, ser_actx.c, ser_adata.c, ser_addr.c,
+ ser_auth.c, ser_cksum.c, ser_ctx.c, ser_key.c, ser_princ.c,
+ serialize.c, set_realm.c, srv_rcache.c, str_conv.c, t_deltat.c,
+ t_kerb.c, t_ser.c, t_walk_rtree.c, tgtname.c, unparse.c,
+ valid_times.c, vfy_increds.c, vic_opt.c, walk_rtree.c,
+ x-deltat.y: Use prototype style function definitions.
+ * deltat.c: Regenerated.
+ * bld_princ.c: Include stdarg.h before k5-int.h.
+ * cleanup.h (struct cleanup): Include prototype for function
+ pointer field 'func'.
+
+2002-08-29 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in: Revert $(S)=>/ change, for Windows support.
+
+2002-08-23 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
+
+2002-08-22 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (init_common): Initialize udp_pref_limit field.
+
+2002-08-15 Tom Yu <tlyu@mit.edu>
+
+ * t_ser.c (ser_ccache_test): Remove references to STDIO ccaches.
+
+2002-08-01 Tom Yu <tlyu@mit.edu>
+
+ * unparse.c (krb5_unparse_name_ext): Error out if passed a NULL
+ pointer. Patch from Mark Levinson; fixes [krb5-admin/1140].
+
+2002-06-26 Ezra Peisach <epeisach@bu.edu>
+
+ * appdefault.c (conf_boolean): Change variable from char ** to
+ const char ** to prevent warning of const to non-const.
+
+ * get_in_tkt.c (_krb5_conf_boolean): Same
+
+2002-06-25 Alexandra Ellwood <lxs@mit.edu>
+
+ * appdefault.c, get_in_tkt.c: made conf_yes and conf_no const to
+ improve load time on Mach-O
+
+ * init_ctx: fixed Mac OS macros
+
+ [pullups from 1-2-2-branch]
+
+2001-06-25 Miro Jurisic <meeroh@mit.edu>
+
+ * rd_safe.c, rd_priv.c, rd_cred.c, preauth.c, mk_safe.c,
+ mk_cred.c, appdefault.c: use "" includes for krb5.h, k5-int.h and
+ syslog.h
+ [pullup from 1-2-2-branch]
+
+2002-06-18 Ken Raeburn <raeburn@mit.edu>
+
+ * sendauth.c (ECONNABORTED): Don't define here now that it's
+ defined in port-sockets.h.
+
+2002-06-18 Danilo Almeida <dalmeida@mit.edu>
+
+ * princ_comp.c (krb5_realm_compare), auth_con.c
+ (krb5_auth_con_setports, krb5_auth_con_getaddrs,
+ krb5_auth_con_initivector), addr_order.c (krb5_address_order),
+ addr_comp.c (krb5_address_compare): Make KRB5_CALLCONV.
+ [pullup from 1-2-2-branch]
+
+2002-06-18 Danilo Almeida <dalmeida@mit.edu>
+
+ * bld_princ.c (krb5_build_principal_va): Make
+ krb5_build_principal_va() KRB5_CALLCONV.
+ [pullup from 1-2-2-branch]
+
+2002-06-12 Ken Raeburn <raeburn@mit.edu>
+
+ * preauth.c: Don't include syslog.h.
+
+2002-06-10 Ken Raeburn <raeburn@mit.edu>
+
+ * get_in_tkt.c (send_as_request): Update arg list for
+ sendto_kdc. If a RESPONSE_TOO_BIG error is returned from the KDC,
+ use a TCP connection.
+ * send_tgs.c (krb5_send_tgs): Update arg list for sendto_kdc. If
+ a RESPONSE_TOO_BIG error is returned from the KDC, use a TCP
+ connection.
+
+2002-04-12 Ezra Peisach <epeisach@bu.edu>
+
+ * Makefile.in (clean): Remove t_expand and t_expand.o
+
+2002-04-12 Ken Raeburn <raeburn@mit.edu>
+
+ * conv_princ.c (struct krb_convert): Add new field 'len'.
+ (RC, R, NR): New macros.
+ (sconv_list): Use them.
+ (krb5_524_conv_principal): Compare lengths and then use memcmp.
+
+ * recvauth.c (sendauth_version): Now a const array.
+ * sendauth.c (sendauth_version): Now a const array.
+ (krb5_sendauth): Cast address when assigning to outbuf data
+ field.
+
+2002-04-05 Ken Raeburn <raeburn@mit.edu>
+
+ * decrypt_tk.c (krb5_decrypt_tkt_part): Call krb5_c_valid_enctype
+ instead of valid_enctype.
+ * encode_kdc.c (krb5_encode_kdc_rep): Likewise.
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Likewise.
+ * gic_keytab.c (krb5_get_as_key_keytab): Likewise.
+ * in_tkt_ktb.c (keytab_keyproc): Likewise.
+ * in_tkt_sky.c (skey_keyproc): Likewise.
+ * init_ctx.c (krb5_set_default_in_tkt_ktypes,
+ krb5_set_default_tgs_enctypes): Likewise.
+ * send_tgs.c (krb5_send_tgs): Likewise.
+
+ * mk_safe.c (krb5_mk_safe_basic): Call krb5_c_valid_cksumtype,
+ krb5_c_is_coll_proof_cksum, krb5_c_is_keyed_cksum instead of
+ non-prefixed forms.
+ * rd_safe.c (krb5_rd_safe_basic): Likewise.
+
+2002-03-28 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in : New file init_keyblock.c
+
+ * init_keyblock.c (krb5_init_keyblock): New function
+
+2002-03-16 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Fix merge of patch from 1.2.2
+ back to mainline.
+
+2002-03-14 Sam Hartman <hartmans@mit.edu>
+
+ * walk_rtree.c (krb5_walk_realm_tree): Fix handling of null client or server realm
+
+2002-03-06 Ken Raeburn <raeburn@mit.edu>
+
+ * ser_actx.c (krb5_auth_context_externalize): Do bounds checking
+ on converted size value.
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): If no session key has been set,
+ try getting credentials and use the session key type as a hint
+ for the enctype to use for the forwarded credentials.
+
+2002-02-27 Sam Hartman <hartmans@mit.edu>
+
+ * rd_cred.c (krb5_rd_cred_basic): Don't check IP addresses; if
+ someone knows the key and wants to give us credentials, that's OK.
+ No reflection attack is possible in most protocols since krb_cred
+ is almost always client->server. Address checking created
+ significant problems for NATs. We also ran into problems
+ getting our code to work with Heimdal and removing checking was
+ easier than a staged upgrade to fix the problems.
+ (krb5_rd_cred): Don't pass in addresses
+
+2002-02-22 Ken Raeburn <raeburn@mit.edu>
+
+ * addr_comp.c, addr_order.c, addr_srch.c, bld_pr_ext.c,
+ bld_princ.c, enc_helper.c, encrypt_tk.c, gen_seqnum.c,
+ gen_subkey.c, preauth.c: Use const instead of krb5_const.
+ * bld_pr_ext.c, bld_princ.c: Always use stdarg macros and not
+ varargs.
+
+2002-01-08 Sam Hartman <hartmans@mit.edu>
+
+ * gen_subkey.c (krb5_generate_subkey): Label entropy sources
+
+ * init_ctx.c (init_common): Use /dev/urandom if present for random data
+
+2001-12-05 Ezra Peisach <epeisach@mit.edu>
+
+ * t_ser.c (main): Free context on failure exit route.
+
+ 2001-11-24 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Get a session key for the
+ forwarded tgt that is the same as the session key for the
+ auth_context. This is an enctype we know the remote side
+ supports.
+
+2001-11-26 Sam Hartman <hartmans@mit.edu>
+
+ * gen_seqnum.c (krb5_generate_seq_number): add entropy source id
+
+ * sendauth.c (krb5_sendauth): Add entropy source ID
+
+ * mk_req_ext.c (krb5_mk_req_extended): Add entropy source ID to random seed call
+
+ * init_ctx.c (init_common): Specify entropy source for random seed
+
+2001-11-16 Sam Hartman <hartmans@mit.edu>
+
+ * init_ctx.c (krb5_set_default_tgs_enctypes): rename from
+ set_default_ktypes; old function provided as APIA
+
+2001-11-16 Ezra Peisach <epeisach@mit.edu>
+
+ * init_ctx.c (DEFAULT_ETYPE_LIST): Ensure space present after
+ arcfour-hmac-md5 entry for when ANSI strings concatenated the
+ des-cbc-crc entry was dropped.
+
+2001-11-07 Sam Hartman <hartmans@mit.edu>
+
+ * init_ctx.c (DEFAULT_ETYPE_LIST): Add arcfour-hmac-md5; it really
+ is probably at least as good as DES
+
+2001-10-10 Danilo Almeida <dalmeida@mit.edu>
+
+ * gic_pwd.c (krb5_get_as_key_password),
+ gic_keytab.c (krb5_get_as_key_keytab): Use ANSI-style
+ declaration in definition.
+
+2001-10-09 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (init_common): After fetching kdc_default_options
+ value from krb5.conf, actually use that value. Pointed out by
+ Emily Ratliff, <ratliff@austin.ibm.com>.
+
+ * get_in_tkt.c, in_tkt_ktb.c, in_tkt_pwd.c, in_tkt_sky.c,
+ int-proto.h, mk_req_ext.c, pr_to_salt.c, rd_req_dec.c, ser_actx.c,
+ ser_adata.c, ser_addr.c, ser_auth.c, ser_cksum.c, ser_ctx.c,
+ ser_eblk.c, ser_key.c, ser_princ.c, t_kerb.c: Make prototypes
+ unconditional.
+
+2001-10-05 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c, preauth.c: Drop _MSDOS support.
+
+2001-10-03 Ken Raeburn <raeburn@mit.edu>
+
+ * appdefault.c, auth_con.c, bld_pr_ext.c, bld_princ.c, chpw.c,
+ conv_princ.c, copy_addrs.c, copy_athctr.c, copy_auth.c,
+ copy_cksum.c, copy_creds.c, copy_data.c, copy_key.c, copy_princ.c,
+ copy_tick.c, cp_key_cnt.c, decrypt_tk.c, fwd_tgt.c, get_creds.c,
+ get_in_tkt.c, gic_keytab.c, gic_opt.c, gic_pwd.c, in_tkt_ktb.c,
+ in_tkt_pwd.c, in_tkt_sky.c, init_ctx.c, kfree.c, mk_cred.c,
+ mk_error.c, mk_priv.c, mk_rep.c, mk_req.c, mk_req_ext.c,
+ mk_safe.c, parse.c, princ_comp.c, rd_cred.c, rd_error.c,
+ rd_priv.c, rd_rep.c, rd_req.c, rd_safe.c, recvauth.c, sendauth.c,
+ ser_actx.c, ser_ctx.c, serialize.c, set_realm.c, srv_rcache.c,
+ str_conv.c, unparse.c, vfy_increds.c, vic_opt.c, x-deltat.y: Don't
+ use KRB5_DLLIMP. Don't explicitly declare pointers FAR any more.
+
+2001-09-07 Ken Raeburn <raeburn@mit.edu>
+
+ * t_expand.c: New file.
+ * Makefile.in (SRCS): Add test-case source files; rebuilt
+ dependencies.
+ (t_expand.o): Build from t_expand.c now, no special build rule.
+
+2001-09-07 Ken Raeburn <raeburn@mit.edu>
+
+ * rd_req_dec.c (krb5_rd_req_decoded_opt): Pass server realm to
+ transited-list check, not local realm, in case they're different.
+
+2001-08-21 Ken Raeburn <raeburn@mit.edu>
+
+ * walk_rtree.c (krb5_walk_realm_tree): Initialize slen to silence
+ compiler warning.
+
+2001-08-08 <epeisach@mit.edu>
+
+ * walk_rtree.c (krb5_walk_realm_tree): Do not try to free const char *.
+
+ * mk_safe.c (krb5_mk_safe_basic): Do not declare local_addr and
+ remote_addr const and then cast the attribute away.
+
+ * mk_req_ext.c (krb5_generate_authenticator): Static function -
+ remove const attribute from cksum pointer.
+
+ * gc_via_tkt.c (krb5_get_cred_via_tkt): Cast unsigned integer
+ krb5_error error_value to signed before adding
+ ERROR_TABLE_BASE_krb5.
+
+2001-07-31 Ken Raeburn <raeburn@mit.edu>
+
+ * chk_trans.c (krb5_check_transited_list): Pointer args now point
+ to const.
+
+2001-07-31 Ezra Peisach <epeisach@mit.edu>
+
+ * get_in_tkt.c: Cast to unsigned krb5_error error value to
+ krb5_error_code before trying to add to ERROR_TABLE_BASE_krb5.
+
+2001-07-30 Ezra Peisach <epeisach@mit.edu>
+
+ * sendauth.c (krb5_sendauth): Instead of casting second argument
+ to getpeername() and getsockname() to "struct sockaddr *", cast to
+ system specific type as determined by autoconf.
+
+2001-07-24 Ezra Peisach <epeisach@mit.edu>
+
+ * in_tkt_sky.c (krb5_get_in_tkt_with_skey): Change cast from
+ krb5_pointer to krb5_const_pointer to ensure const integrity of
+ parameter.
+
+ * in_tkt_ktb.c (keytab_keyproc): Add const argument to cast of
+ keyseed to struct keytab_keyproc_arg to maintain const status.
+
+ * conv_princ.c (krb5_524_conv_principal): Cast argument to memcpy
+ to size_t.
+
+2001-07-06 Ezra Peisach <epeisach@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): Cast argument to tolower
+ to int.
+
+ * get_in_tkt.c: Include os-proto.h for _krb5_conf_boolean prototype.
+
+ * Makefile.in (LOCALINCLUDES): Add -I$(srcdir)/../os so os-proto.h
+ can be included.
+
+2001-06-29 Tom Yu <tlyu@mit.edu>
+
+ * init_ctx.c (get_profile_etype_list): Fix etype-counting loop so
+ that trailing separator characters (as in the DEFAULT_ETYPE_LIST)
+ don't cause another iteration, which was causing the following
+ loop to fall off the end of the string due to count being one too
+ great.
+
+2001-06-28 Ezra Peisach <epeisach@mit.edu>
+
+ * chk_trans.c (foreach_realm): Cleanup loal variable set but never
+ used.
+
+2001-06-21 Ezra Peisach <epeisach@mit.edu>
+
+ * chk_trans.c: Cast length arguments of %.*s in formats to int.
+
+2001-06-20 Ezra Peisach <epeisach@mit.edu>
+
+ * Makefile.in (check-unix): Add $(RUN_SETUP) before invocation of
+ transit-tests for shared library environment variables.
+
+2001-06-19 Ken Raeburn <raeburn@mit.edu>
+
+ * chk_trans.c: Reimplemented from scratch.
+ * transit-tests: New file.
+ * Makefile.in (t_expand, t_expand.o): New targets. Build test
+ program from chk_trans.c.
+ (T_EXPAND_OBJS): New variable.
+ (TEST_PROGS): Add t_expand.
+ (check-unix): Run transit-tests.
+ * t_krb5.conf: Added capaths section.
+
+2001-06-16 Ken Raeburn <raeburn@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Copy enctype for new creds from
+ tgt.
+
+2001-06-12 Ezra Peisach <epeisach@mit.edu>
+
+ * Makefile.in (t_walk_rtree, t_kerb): Do not link against kdb libraries
+ for these test executables.
+
+ * srv_rcache.c (krb5_get_server_rcache): Cast argument to
+ isgraph() to int.
+
+ * init_ctx.c: Cast arguments to isspace() to int. If unix is defined,
+ include ../krb5_libinit.h. There has to be a better was for windows.
+
+ * conv_princ.c (krb5_425_conv_principal): Cast argument to isupper().
+ to int.
+
+2001-06-11 Ezra Peisach <epeisach@mit.edu>
+
+ * str_conv.c: If strptime() is present on system without a
+ prototype, provide one.
+
+2001-06-07 Ezra Peisach <epeisach@mit.edu>
+
+ * vfy_increds.c (krb5_verify_init_creds): Get rid of a variable
+ that was set in a conditional and never used afterwards.
+
+2001-06-01 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (get_profile_etype_list): Zero out multiple separator
+ characters between tokens, so the second can be recognized
+ properly.
+
+2001-04-04 Tom Yu <tlyu@mit.edu>
+
+ * mk_safe.c (krb5_mk_safe): Only use safe_cksumtype from the
+ auth_context (derived from the config file or hardcoded default)
+ if it's suitable for the enctype of the key we're going to
+ use. [pullup from krb5-1-2-2-branch]
+
+2001-03-28 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (DEFAULT_ETYPE_LIST): New macro. Old etype list,
+ plus des-md4, with des-crc before des-mdX for now.
+ (get_profile_etype_list): Use DEFAULT_ETYPE_LIST.
+
+2001-03-10 Ezra Peisach <epeisach@mit.edu>
+
+ * init_ctx.c: Provide a full prototype for init_common().
+
+ * recvauth.c (recvauth_common): Declare recvauth_common as static.
+
+ * parse.c, sendauth.c: Changes to prevent shadowing of local
+ variables.
+
+ * get_in_tkt.c, tgtname.c: Include int-proto.h for prototypes.
+
+2001-03-03 Ken Raeburn <raeburn@mit.edu>
+
+ * preauth2.c (pa_sam): Return an error if no prompter was
+ provided.
+
+2001-02-15 Ezra Peisach <epeisach@mit.edu>
+
+ * t_deltat.c (main): Test of overflow and underflow of krb5_int32.
+
+ * x-deltat.y: Test for over/underflow of krb5_int32 for a
+ krb5_deltat. Return EINVAL. [krb5-libs/922]
+
+ * deltat.c: Regenerated from x-deltat.y
+
+ * str_conv.c (krb5_string_to_timestamp): Do not accept a time
+ format that only partially matches the input string. [krb5-lib/922]
+
+2001-01-30 Tom Yu <tlyu@mit.edu>
+
+ * preauth.c (krb5_obtain_padata): Don't dereference a NULL pointer
+ if we receive an empty ETYPE_INFO preauth. [krb5-libs/903 from
+ craziboy77@hotmail.com]
+
+ * preauth2.c (krb5_do_preauth): Don't dereference a NULL pointer
+ if we receive an empty ETYPE_INFO preauth. [krb5-libs/903 from
+ craziboy77@hotmail.com]
+
+2001-01-30 Ezra Peisach <epeisach@mit.edu>
+
+ * rd_req_dec.c (krb5_rd_req_decrypt_tkt_part): Free
+ krb5_keytab_entry if call to krb5_decrypt_tkt_part()
+ fails. [krb5-libs/855 reported by guy@packeteer.com]
+
+2001-01-19 Ken Raeburn <raeburn@mit.edu>
+
+ * preauth.c: Don't use PROTOTYPE macro, just always use the
+ prototypes.
+
+2001-01-19 Tom Yu <tlyu@mit.edu>
+
+ * preauth.c: Remove uses of KRB5_NPROTOTYPE() macro.
+
+2000-10-26 Ezra Peisach <epeisach@mit.edu>
+
+ * t_ser.c: Cast getpid() calls to int as arguments to sprintf.
+
+ * ser_actx.c: Move prototypes (listed below) to int-proto.h
+
+ * int-proto.h: Add prototypes for krb5_ser_authdata_init,
+ krb5_ser_address_init, krb5_ser_authenticator_init,
+ krb5_ser_checksum_init, krb5_ser_keyblock_init,
+ krb5_ser_principal_init.
+
+ * ser_adata.c, ser_addr.c, ser_auth.c, ser_cksum.c, ser_key.c,
+ ser_princ.c: Include int-proto.h for prototypes.
+
+2000-10-17 Ezra Peisach <epeisach@mit.edu>
+
+ * bld_pr_ext.c, bld_princ.c (krb5_build_principal_ext,
+ krb5_build_principal_va, krb5_build_principal): Take an unsigned
+ int realm length.
+
+ * get_in_tkt.c (krb5_get_init_creds): Use SALT_TYPE_AFS_LENGTH
+ instead of -1.
+
+ * gic_pwd.c (krb5_get_as_key_password): Use SALT_TYPE_AFS_LENGTH
+ instead of -1.
+
+ * in_tkt_pwd.c (pwd_keyproc): Argument to krb5_read_password is
+ unsigned int.
+
+ * pr_to_salt.c (krb5_principal2salt_internal): Declare as
+ static. Unsigned int fix.
+
+ * preauth.c (krb5_obtain_padata): Use SALT_TYPE_AFS_LENGTH instead
+ of -1.
+
+ * preauth2.c (pa_salt): Use SALT_TYPE_AFS_LENGTH instead of -1.
+
+ * conv_princ.c, copy_auth.c, copy_princ.c, gc_frm_kdc.c, parse.c,
+ send_tgs.c, srv_rcache.c: Unsigned/signed int cleanup.
+
+ * unparse.c (krb5_unparse_name_ext): size parameter changed to
+ unsigned int *.
+
+2000-10-04 Ezra Peisach <epeisach@mit.edu>
+
+ * rd_req_dec.c (krb5_rd_req_decrypt_tkt_part): Fix memory leak if
+ krb5_decrypt_tkt_part() fails. [krb5-libs/855]
+
+2000-10-03 Ezra Peisach <epeisach@mit.edu>
+
+ * srv_rcache.c (krb5_get_server_rcache): Signed vs unsigned int
+ warning fix.
+
+ * pr_to_salt.c (krb5_principal2salt_internal): Add prototype for
+ internal function, and declare static.
+
+ * copy_addrs.c (krb5_copy_addresses): Cleanup unsigned vs signed
+ warnings as arguments to malloc().
+
Tue Sep 26 13:00:54 2000 Ezra Peisach <epeisach@mit.edu>
* conv_princ.c (krb5_425_conv_principal): Call profile_free_list