Tryag File Manager
Home
-
Turbo Force
Current Path :
/
proc
/
self
/
root
/
usr
/
share
/
doc
/
pkinit-nss-0.7.6
/
Upload File :
New :
File
Dir
//proc/self/root/usr/share/doc/pkinit-nss-0.7.6/ChangeLog
commit f346647f10773a4e9a07c4ea0bb1c44f7d72a4b2 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Fri Aug 22 15:56:24 2008 -0400 - fix distdir - add a LINGUAS file - update the .pot file M Makefile.am A po/LINGUAS M po/pkinit-nss.pot commit 88cc292a69b644cb29921850b4b24bec1eddc43c Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Fri Aug 22 15:51:17 2008 -0400 fix tag name generation M Makefile.am commit c26afaeedde2aa22cf5ef81c7e7a62ecf3be1534 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Fri Aug 22 15:46:44 2008 -0400 - try to get the tagging/release targets to work right now that we've moved to git as the SCM M Makefile.am commit 66227fc86891cebe49e419c0f49fe44492ff10a1 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Fri Aug 22 15:42:09 2008 -0400 - accept and parse a set of whitespace-separated rules for "pkinit_cert_match" M doc/CONFIGURATION M src/certs.c commit 54c3c05bad1ef922956caa279fbd183a2492811a Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Fri Aug 22 15:14:08 2008 -0400 - warn if no rules match M src/certs.c commit 11585520a307192e01174834f685f2e92405612e Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Fri Aug 22 14:47:24 2008 -0400 - change the order of things so that we search for matches for all rules in a particular slot or bag before moving on to another slot or bag, instead of searching all slots and bags for the first rule before searching all slots and bags for the second rule M src/certs.c commit 5387a2d103f38eb0f03f2c516f32c204e466437e Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Fri Aug 22 14:38:51 2008 -0400 - start on support for handling lists of matching rules M src/certs.c commit 908805648540ac2b1fe696334e0ee106c385dd7e Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Fri Aug 22 12:30:15 2008 -0400 - add more detail about when things match or don't match matching rules M src/certs.c commit bd2560642efc3c6d56e5a22514f4b4f51afd4dea Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Thu Aug 21 20:13:48 2008 -0400 - free extension values when we finish examining them - free rules retrieved from appdefaults when we finish parsing them M src/certs.c commit 81592c1841a372ed93bfcb6a5eb5d2a30f776e2f Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Thu Aug 21 20:10:15 2008 -0400 - also free the draft PA-PK-AS-REQ, and both when retrying M src/pkinit.c commit abeaf0ae351393a44f8c079cd22869e7b52e5fe4 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Thu Aug 21 20:07:25 2008 -0400 - free preauth arguments when we're finished with them - don't leak our local copies of configuration settings - free the PA-PK-AS-REQ after we've copied it into the preauth structure M src/pkinit.c commit d9c3de79c2316a703fc881d6bc85ab9c40ccaf82 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Thu Aug 21 20:06:51 2008 -0400 - free the keys in the list of keys M src/aabag.c commit c5f4855fdb10b6c90035f09dd41e74edbb267e8e Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Thu Aug 21 20:06:25 2008 -0400 - move the value of a signature from the heap into a pool so that we don't leak M src/bcmst.c commit eaee97a7d6f34c47f7058d8408187445fb640c3b Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Wed Aug 20 18:11:30 2008 -0400 - doc updates on fixes and new additions M NEWS M configure.ac M doc/CONFIGURATION M doc/README commit 70665e622f6c55e67898b2faacbd4909821090e2 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Wed Aug 20 18:11:05 2008 -0400 - stop reversing subject names M doc/openssl/make-certs.sh commit 1f91effea75db74bdcba6e05c69f51cea5ea9b27 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Wed Aug 20 17:37:01 2008 -0400 - tweak some debugging log messages M src/certs.c commit b7e3dc53ab5cf998aef20ea3a4bc96a4521093c7 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Wed Aug 20 17:27:59 2008 -0400 - change certificate selection so that we look for acceptable certificates in * the preferred slot * the bag * each logged-in slot * each not-logged-in slot and if we find exactly one right certificate in any of these places, we use it M src/certs.c commit bc2b033c79d069f6659987cd1568ba730d7c8dc0 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Wed Aug 20 17:27:36 2008 -0400 - try to avoid holding more than one copy of a given key or certificate M src/aabag.c commit eb294d2d8c9884a775f1762bbd7774ada3fceda8 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Wed Aug 20 17:26:58 2008 -0400 - heed a request for a minimum DH prime size more than a preferred group number M src/oakley.c M src/oakley.h M src/pkinitt.c commit 95573e8271763181cdc9855579e181e819731d2b Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Tue Aug 19 18:52:11 2008 -0400 - add logic for certificate matching using "pkinit_cert_match" M src/certs.c commit 09e6b9e7c5c5e7f66600880769880c5ff8303d74 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Tue Aug 19 18:51:09 2008 -0400 - provide a flag to change matching behavior to match the configuration (so that we don't make the KDC start matching based on client-only preferences) M src/certs.h M src/pkinit.c commit 62722299b1ed63f8f166055fdd3d0bedba07ea76 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Tue Aug 19 16:19:21 2008 -0400 - add cert_eku_matches_text, for checking if a certificate contains any subset of pkinit msScLogin clientAuth emailProtection - add cert_ku_matches_text, for checking if a certificate contains any subset of digitalSignature keyEncipherment M src/certs.c commit 365cba328277153e9ab90350e6730baeb4a2e9c5 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Tue Aug 19 15:17:38 2008 -0400 - accept "pkinit_kdc_hostname" as an alias for "trusted_hosts", as a way to specify an acceptable DNS name in a KDC's certificate's SAN list or subject name - support "pkinit_eku_checking" in combination with "pkinit_kdc_hostname" M src/certs.c commit 29bd5a6182c55306671641924981ccebf7a962e6 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Tue Aug 19 15:15:46 2008 -0400 - accept "pkinit_require_ocsp_checking" as an alias for "ocsp_checking", to more closely mimic the "pkinit_require_crl_checking" option - accept "pkinit_dh_min_bits" as an alias for "minimum_dh_prime_size" M src/pkinit.c commit 2186f7616938cf938c99bc0224547474ef57b274 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Mon Aug 18 19:28:03 2008 -0400 - update copyright date M src/bcmst.c commit 161fd438aa4f7767ba66784b51f1d44f623281c6 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Mon Aug 18 19:23:16 2008 -0400 - decode server_dh_nonce correctly - add rsa-with-sha256/384/512 signature types to what we advertise being able to cope with - add rsa as a public encryption type we advertise supporting - add aes/des/rc2 as symmetric encryption types we advertise supporting - handle encapsulated signed-data wrapped in ANY rather than OctetString M src/pkinitt.c commit 10052c429bb95380f0f76f86910e0abc068b5823 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Mon Aug 18 19:22:47 2008 -0400 - generate signed-data items with version=3 rather than version=1, which WS2008 seems to prefer M src/bcmst.c commit 2d7c3188e16b10ad810e2431f4b7d8d136a52e9f Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Thu Aug 14 17:30:00 2008 -0400 - up the default key size - generate an ocsp signing cert - allow keyusage "all" - mark keyusage and ca extensions as critical M doc/openssl/make-certs.sh commit 919f4acc7560e5ade3c7a9cf8272ed756ba7f755 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Thu Aug 14 17:28:28 2008 -0400 - accept either "pkinit-rkey-data" or "data" as signed payload when we're expecting reply data data M src/pkinitt.c commit bf391d429ea6033e42f5743d4dc14876f00bddba Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Wed Aug 13 19:03:02 2008 -0400 - handle cases where the signed data in an enveloped data item is encoded as a ANY rather than as an OctetString, which is what we'd expected, by rewrapping data ourselves and attempting to parse it as a ContentInfo before falling back on our previous behavior M src/pkinitt.c commit 5e2a037b2b1dafcd0a65e7f6ffe3159933e1e595 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Tue Jul 29 17:56:17 2008 -0400 - add certificate policies M doc/openssl/make-certs.sh commit 256ae33c6afd34fd7b8a058c1ec45ae997c23ff6 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Tue Jul 29 17:35:35 2008 -0400 - advertise that we know about sha256/384/512 M src/pkinitt.c commit 0e251eb25dc5437f5b065209f274c5df55bc953e Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Tue Jul 29 17:35:15 2008 -0400 - add the LINGUAS file M po/Makefile.in.in commit 31f2cf0278ceb14077a5a653104fa2fb00aba68f Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Tue Jul 29 17:33:10 2008 -0400 - build the CA cert after we've parsed arguments for ocsp and crl locations - generate an empty crl whenever we run M doc/openssl/make-certs.sh commit ffba4dea43dd901aa9497e27c9d622ff9eede574 Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com> Date: Thu Jul 24 14:42:37 2008 -0400 - fix an error decoding a kdc request M src/pkinitt.c commit 2f8ffb6a16e9d8d145601ebc2d4fe1aa6eb11f07 Author: Peter Sulyok <peti@sulyok.hu> Date: Wed Apr 30 05:15:28 2008 +0000 2008-04-30 Peter Sulyok <peti@sulyok.hu> (via peti@fedoraproject.org) * po/hu.po: Initial Hungarian translation A po/hu.po commit a852f5ff42394e3298517f7fce7ae8cee2988acf Author: Miloš Komarčević <kmilos@gmail.com> Date: Fri Apr 4 09:06:00 2008 +0000 2008-04-04 Miloš Komarčević <kmilos@gmail.com> (via kmilos@fedoraproject.org) * po/sr@latin.po: Initial commit of Serbian Latin translation A po/sr@latin.po commit 5fd4f24cfd2e35e64671f241bec4dfe7725badcd Author: Miloš Komarčević <kmilos@gmail.com> Date: Fri Apr 4 09:03:58 2008 +0000 2008-04-04 Miloš Komarčević <kmilos@gmail.com> (via kmilos@fedoraproject.org) * po/sr.po: Initial commit of Serbian translation A po/sr.po commit a7da3416a361f2ac1794414569a090913746800d Author: Diego Búrigo Zacarão <diegobz@gmail.com> Date: Sat Mar 22 18:30:06 2008 +0000 2008-03-22 Diego Búrigo Zacarão <diegobz@gmail.com> (via diegobz@fedoraproject.org) * po/pt_BR.po: Added initial pt_BR translation A po/pt_BR.po commit dfa948a997884986f4745d21d84d83595cdae756 Author: Rondeau Matt <rondeau.matthieu.r@gmail.com> Date: Fri Mar 21 14:44:02 2008 +0000 2008-03-21 Rondeau Matt <rondeau.matthieu.r@gmail.com> (via mattr@fedoraproject.org) * po/fr.po: Updated french translation A po/fr.po commit 2a1b6b09807086fd08a3e69713bf9d807761ab59 Author: Francesco Tombolini <tombo@adamantio.net> Date: Fri Mar 21 02:05:54 2008 +0000 2008-03-21 Francesco Tombolini <tombo@adamantio.net> (via tombo@fedoraproject.org) * po/it.po: first it trans A po/it.po commit 9ddda0794efc38c9d05077be25f4423d8dfd51f8 Author: Mostafa Daneshvar <mostafa@daneshvar.org.uk> Date: Thu Mar 20 10:42:38 2008 +0000 2008-03-20 Mostafa Daneshvar <mostafa@daneshvar.org.uk> (via lashar@fedoraproject.org) * po/bal.po: Balochi A po/bal.po commit ab94c971380d746885773323050ff5e6e35a27d0 Author: Alexander Todorov <atodorov@redhat.com> Date: Thu Mar 20 09:49:17 2008 +0000 2008-03-20 Alexander Todorov <atodorov@redhat.com> (via atodorov@fedoraproject.org) * po/bg.po: Added Bulgarian translation A po/bg.po commit e8d4e98b86599c6a92277c8d3efb5bfd0a8901e6 Author: Piotr Drąg <piotrdrag@gmail.com> Date: Wed Mar 19 17:51:10 2008 +0000 2008-03-19 Piotr Drąg <piotrdrag@gmail.com> (via raven@fedoraproject.org) * po/pl.po: Initial Polish translation A po/pl.po commit 73f25bb51e75f487fa5fdf126faae57ffff10899 Author: Fabian Affolter <fabian@bernewireless.net> Date: Tue Mar 18 00:07:23 2008 +0000 2008-03-18 Fabian Affolter <fabian@bernewireless.net> (via fab@fedoraproject.org) * po/de.po: Initial German version A po/de.po commit cbf8bfa18032e5211605ab5604d10344515f58a4 Author: Miloslav Trmac <mitr@redhat.com> Date: Mon Mar 17 21:23:17 2008 +0000 2008-03-17 Miloslav Trmac <mitr@redhat.com> (via mitr@fedoraproject.org) * po/cs.po: Add Czech translation. A po/cs.po commit c92d317ba378aeee4b1b95e6c700fabc384479c7 Author: nalin <nalin> Date: Tue Oct 23 21:03:02 2007 +0000 update NEWS M NEWS commit 89f903534f1b518be6a2c1f5542e76ab57e86137 Author: nalin <nalin> Date: Tue Oct 23 20:58:56 2007 +0000 - whoops, add a missing header file to the tarball M Makefile.am M po/pkinit-nss.pot 2007-10-22 nalin * configure.ac: check for 1.6.3. * backport-1.6.3: add. 2007-07-11 nalin * src/pkinit.c: initialize "name" to avoid displaying a garbage pointer when using software certs (#247889) * configure.ac: bump version to 0.7.3, tag 2007-06-21 nalin * configure.ac: bump version to 0.7.2, tag 2007-06-21 nalin * src/pkinit.c: don't leak appdefault strings. 2007-06-21 nalin * src/pkinit.c(struct module_context): add locations to store typed data which we get back from the KDC during try-again processing. A KDC is only expected to hand back one type of data per error, but in case we get multiple errors back (for example, unacceptable DH parameters AND unverifiable certificates), we need to keep track of things it's told us before. * src/pkinit.c(client_gic_opts,client_try_again): note which parameters we currently ignore. * src/pkinit.c(client_process): let "minimum_dh_prime_size" be specified on the command line as well. * src/pkinit.c(client_try_again): store typed-data which we get as edata for possible use in future iterations. 2007-06-20 nalin * src/pkinit.c: learn to spew debug at stdout, and to pick up debug settings from the command line 2007-06-20 nalin * src/aabag.c: rework caching of encrypted items so that we don't spew confusing error messages, and so that we prompt using the filename. 2007-06-20 nalin * src/aabag.c(aa_item_copy,aa_item_in_list): add, to avoid attempts to decrypt any given chunk of encrypted data more than once. 2007-06-08 nalin * src/pkinit.c: un-"const" a couple of initialization data lists, to quiet some compiler warnings which showed up when they were made const. 2007-06-08 nalin * src/pkinit.c: add CMS enctypes to our requests to be helpful. 2007-06-08 nalin * src/pkinitt.c(pkinit_create_auth_pack): pass a NULL item in as the algorithm parameters for the supportedCMStypes algorithmInfo list for SEC_OID_CMS_3DES_KEY_WRAP and SEC_OID_MD5, instead of just omitting them as we had been doing. 2007-06-08 nalin * src/bcmst.c,src/certs.c: move find_key_for_cert to certs and make it non-static. * src/certs.c(cert_ku_matches_mask): remove; should have just been using CERT_CheckCertUsage(), which does the same thing. * src/certs.c(cert_validate_kdc_certificate, cert_validate_client_certificate): call out SEC_ERROR_INADEQUATE_CERT_TYPE as a known error, log a debug message when we reject a certificate because it can't be used for signing. * src/certs.c(cert_have_key_for_cert): add. * src/certs.c(cert_verify_cert_for_encryption): don't leak a ref to the cert when the certificate passes the check. 2007-06-08 nalin * doc/openssl/make-certs.sh: be able to make DSA certs, even if we mightn't support them just yet. 2007-06-05 nalin * configure.ac: bump version to 0.7.1, tag 2007-05-31 nalin * src/get-pkinit-san.c(pkinit_from_other_names): expand the list of returned values correctly. 2007-05-31 nalin * src/aabag.c(PKINIT_CA_TRUST_FLAGS): add CERTDB_VALID_PEER to the list of flags we add to CA certificates. 2007-05-30 nalin * src/certs.c(cert_find_preferred_cert_using_slot_or_bag): don't barf on empty certificate lists. 2007-05-30 nalin * src/pkinit.c(server_verify): load text certs and keys before verifying the client's request, not before generating our response when it might be too late for the client. 2007-05-30 nalin * src/bcmst.c: handle the should-never-happen list-with-nothing-in-it case. 2007-05-30 nalin * src/aacat.c: handle the should-never-happen list-with-nothing-in-it case. 2007-05-30 nalin * src/aabag.c(aa_bag_find_cert_by_subject): don't barf on empty lists. 2007-05-30 nalin * configure.ac: bump version to 0.7.0, tag. 2007-05-30 nalin * src/pkinit.c(pkinit_init): read locations of cert and key files from the configuration. * src/pkinit.c(client_gic_opt): add, for scanning options. * src/pkinit.c(client_process): override locations of cert and key files from options, load up the bag. * src/pkinit.c(server_get_edata,server_return): load up the bag. 2007-05-30 nalin * src/certs.c(cert_find_cert_issuer): search the bag, too. * src/certs.c(cert_find_preferred_cert_using_slot_or_bag): rename from cert_find_preferred_cert_using_slot, search the bag if there's no slot provided. * src/certs.c(cert_find_preferred_cert): search bags, too. 2007-05-30 nalin * src/bcmsutil.c: prescreen certificates. Use the right list of directories for loading CA certificates. 2007-05-30 nalin * src/bcmst.c: dump trust values when we walk the certifying chain. 2007-05-30 nalin * src/aabag.c: don't use glob(), which doesn't pick up symlinks. Fix reference counting of keys and certificates. Fix trust flags given to certificates we read. 2007-05-30 nalin * src/get-pkinit-san.c: add. 2007-05-30 nalin * doc/openssl/make-certs.sh: add dataEncipherment when encryption is requested. 2007-05-30 nalin * configure.ac: fix checking for working --as-needed flag, avoid pulling in libkrb5 more than once when checking if certain functions are provided. 2007-05-29 nalin * doc/openssl/make-certs.sh: always create a ca.client.crt file, 2007-05-28 nalin * doc/openssl/make-certs.sh: move subordinate CAs into subdirectories, add nsComment to the top-level CA, create certificate chain files. 2007-05-28 nalin * autogen: pick up $CFLAGS from the environment, too 2007-05-28 nalin * src/pkinit.c: create bags. 2007-05-28 nalin * src/pkinitt.c: update for API changes elsewhere. 2007-05-28 nalin * src/bcmsutil.c: use bags. 2007-05-28 nalin * src/bcmst.c: update for API changes elsewhere. 2007-05-28 nalin * src/certs.c(cert_find_cert_issuer): add, wrapping up the internal NSS database with a bag. * src/certs.c(cert_find_preferred_cert,cert_validate_client_cert, cert_validate_kdc_cert): take a searchable bag. 2007-05-28 nalin * src/aabag.c,src/aacat.c: redesign the whole thing so that I don't end up having to cart multiple bags around later. * src/aacat.c: load non-directories as we would files. 2007-05-30 nalin * src/aabag.c: don't use glob(), which doesn't pick up symlinks. Fix reference counting of keys and certificates. Fix trust flags given to certificates we read. 2007-05-30 nalin * src/get-pkinit-san.c: add. 2007-05-30 nalin * doc/openssl/make-certs.sh: add dataEncipherment when encryption is requested. 2007-05-30 nalin * configure.ac: fix checking for working --as-needed flag, avoid pulling in libkrb5 more than once when checking if certain functions are provided. 2007-05-29 nalin * doc/openssl/make-certs.sh: always create a ca.client.crt file, 2007-05-28 nalin * doc/openssl/make-certs.sh: move subordinate CAs into subdirectories, add nsComment to the top-level CA, create certificate chain files. 2007-05-28 nalin * autogen: pick up $CFLAGS from the environment, too 2007-05-28 nalin * src/pkinit.c: create bags. 2007-05-28 nalin * src/pkinitt.c: update for API changes elsewhere. 2007-05-28 nalin * src/bcmsutil.c: use bags. 2007-05-28 nalin * src/bcmst.c: update for API changes elsewhere. 2007-05-28 nalin * src/certs.c(cert_find_cert_issuer): add, wrapping up the internal NSS database with a bag. * src/certs.c(cert_find_preferred_cert,cert_validate_client_cert, cert_validate_kdc_cert): take a searchable bag. 2007-05-28 nalin * src/aabag.c,src/aacat.c: redesign the whole thing so that I don't end up having to cart multiple bags around later. 2007-05-25 nalin * src/aacat.c(main): clean up the certificate and key lists before shutting down NSS. 2007-05-23 nalin * src/bcmsutil.c(main),src/aacat.c(main): fix "bag" being uninitialized. 2007-05-23 nalin * src/fragment/openp12.c,src/fragment/openmod.c: correct a couple of compiler warnings. 2007-05-22 nalin * src/pkinit.c: update for api changes elsewhere. 2007-05-22 nalin * src/bcmsutil.c: open a bag if we're told to open one. 2007-05-22 nalin * src/pkinitt.c(pkinit_create_draft_pa_pk_as_req, pkinit_create_pa_pk_as_req,pkinit_build_reply_key_pack, pkinit_build_dh_key_info,pkinit_create_pa_pk_as_rep, pkinit_verify_enc_key_pack_common,pkinit_verify_draft_pa_pk_as_rep, pkinit_process_enc_key_pack,pkinit_verify_pa_pk_as_rep): pass in a bag and password callback. 2007-05-22 nalin * src/bcmst.c(find_key_for_cert): search the usual locations for the private key which corresponds to a cert, and then search a passed-in bag. * src/bcmst.c(bcms_add_signer_to_signed_data,bcms_create_signed_data, bcms_recover_enveloped_data_key,bcms_extract_enveloped_data): take a certdb, a bag, and a password callback. 2007-05-22 nalin * src/certs.c(cert_find_preferred_cert): add a debug message when we determine that we need to log into a device. 2007-05-22 nalin * src/commont.c: add a comment to the location of the definition of an AES IV. Remove unused variables. 2007-05-22 nalin * src/certhash.c: read a certificate, and produce a hash of its subject. 2007-05-22 nalin * src/aacat.c: exercise the aabag APIs. 2007-05-22 nalin * src/aabag.c: add a container for holding temporary certs and keys read from flat files. 2007-05-22 nalin * src/bpk5.c(bpk5_pbkdf1): add pkcs5 password-based key derivation. 2007-05-17 nalin * tag 0.6.1 2007-05-17 nalin * src/pkinit.c(server_get_flags): if "is_hw" is true, advertise that we can do hardware preauthentication to the KDC. 2007-05-04 nalin * tag 0.6.0 * Makefile.am: define %{dist} to %{nil} before querying for the release number from the .spec file * NEWS: add. 2007-04-25 nalin * src/bcmst.c: add definition/template/encoder/decoder for EncryptedData. 2007-04-25 nalin * src/pkinitt.c: remove a few unused variables, remove an unnecessary typecast. 2007-04-25 nalin * configure.ac,src/pkinit.c: handle cases where preauth_plugin.h requires the krb5_gic_opt_pa_data data type and krb5.h didn't provide it, even as a stub, yet. 2007-04-25 nalin * src/pkinit.c: fix argument order for the client_process() function, from Jacob Berkman. Fix arguments for client_tryagain(). 2007-04-25 nalin * backport-1.6.1: actually commit the new files. 2007-04-24 nalin * configure.ac: define PKINIT_CLIENT_MISSING_GIC_OPTS instead of PKINIT_DONT_USE_GIC_OPTS. * src/pkinit.c: key off of PKINIT_CLIENT_MISSING_GIC_OPTS instead of PKINIT_DONT_USE_GIC_OPTS. 2007-04-24 nalin * Makefile.am,backport-1.6.1: add headers from 1.6.1. * configure.ac: check for 1.5/1.6/1.6.1. Provide a --with-krb5-version option to override autodetection. Define PKINIT_USE_PAL_BACKPORT and PKINIT_DONT_USE_GIC_OPTS instead of the more not namespaced USE_PAL_BACKPORT and DONT_USE_GIC_OPTS defines. * src/pkinit.c(client_gic_opts): add a stub. * src/pkinit.c(client_process): expect an "opts" argument if PKINIT_CLIENT_PROCESS_MISSING_OPT isn't defined. * src/pkinit.c(preauthentication_client_0): point to client_gic_opts if PKINIT_DONT_USE_GIC_OPTS isn't defined. 2007-04-24 nalin * autogen: drop --enable-debugging -- we're always debuggable now. 2007-04-24 nalin * src/bcmst.c(compare_issuer_and_sn,find_cert_by_issuer_and_sn): add. From Jacob Berkman. * src/bcmst.c(find_cert_from_rid): use find_cert_by_issuer_and_sn() instead of CERT_FindCertByIssuerAndSN(). From Jacob Berkman. 2007-04-23 nalin * ChangeLog: er, 2007, not 2006. * src/pkinitt.c: add routines specifically for decoding typed_data. 2007-04-23 nalin * src/pkinit.c(client_process): accept host names in various places. Rename authorization_data variables to indicate that they're really typed_data. 2007-04-23 nalin * src/certs.c(cert_get_oid_pkinit_rkey_data_oid, cert_get_oid_pkinit_auth_data_oid): add. * src/certs.c(check_item_in_list): factor out a routine for checking for a value in a list. * src/certs.c(cert_san_matches_dns_for_realm): add a check to see if the certificate in question contains a commonName in its subject or a dnsName subjectAltName with a value which matches the realm's "trusted_servers" setting. * src/certs.c(cert_is_preferred): check for a matching DNS name. * src/certs.c(cert_validate_kdc_certificate): check for a matching DNS name for the KDC in combination with SSL ServerAuth or KDC key EKU values. * doc/CONFIGURATION: note "trusted_servers" 2007-02-06 nalin * src/bcmst.c(external_principal_identifier_template): mark the subject_key_identifier as explicit, even though it's not, so that NSS will add and strip the octet-string wrapper for us, making it easier to use and compare values in CERTCertificate structures. 2007-02-06 nalin * src/commont.c(common_generate_content_encryption_key_aes): Add. * src/bcmst.c(bcms_extract_enveloped_data): Learn to parse AES parameters (an IV). * src/bcmsutil.c(main): add options for specifying use of AES128/AES256 keys for bulk encrypting the enveloped data. * src/bcmsutil.c(usage): document the new AES options, plus the old DES and RC2 options. * src/certs.c(cert_is_preferred): debug log when we find a banned cert or one which chains up to a trusted certifiers. * src/pkinit.c(client_try_again): debug log how many trusted certifiers or invalid certificates the KDC told us about. * src/pkinitt.c,src/bcmst.c: debug log key sizes when handling enveloped data. 2007-02-06 nalin * src/certs.c(bcms_extract_enveloped_data): note what the unsupported encryption algorithm is, for troubleshooting. * src/pkinitt.c(pkinit_create_trusted_certifiers_edata): fix encoding of trusted-certifiers. 2007-02-06 nalin * src/bcmst.c(bcms_add_signer_to_signed_data): insert the signing time into the list so that the encoding comes out with the items sorted, as required by CMS. * src/certs.c(cert_validate_{client,kdc}_certificate): add a specific log for unknown-issuer errors. * src/certs.c(cert_validate_client_certificate): catch and add e-data for revoked-certificate errors. Return KDC_ERR_CLIENT_NAME_MISMATCH instead of KDC_ERR_CERTIFICATE_MISMATCH in the event of name a mismatch. 2007-02-05 nalin * src/certs.c,src/pkinit.c: certificate nicknames can be NULL; guard against that. * src/pkinitt.c(pkinit_encode_authorization_data): use the right template, correctly pass the array to the encoder. * src/pkinitt.c(pkinit_create_typed_datum): return a datum structure, which the caller will have an easier time processing. * src/pkinitt.c(pkinit_create_invalid_certificates_edata, pkinit_create_trusted_certifiers_edata, pkinit_create_dh_parameters_edata): encode the error data correctly. * src/pkinitt.c(pkinit_verify_pa_pk_as_req): fix checking of the DH prime length. * src/pkinit.c(client_try_again): fix parsing of error data from the KDC: it's a sequence of typed-data, not just one. * src/certs.c(cert_validate_kdc_certificate): directly interpret some of the more expected errors for the log. * src/certs.c(cert_validate_client_certificate): directly interpret some of the more expected errors for the log. Report invalid cert with e_data for revoked certificates. * src/bcmst.c: use the subjectName, not the possibly-NULL nickname, in a debug message. * src/commont.c: take care that integers are encoded so that they come out unsigned. 2007-02-05 nalin * src/pkinit.c: make the location of the client and server key/cert/token database configurable. 2007-02-05 nalin * configure.ac: check for 1.7-specific gic_opts callback functions. * configure.ac: bump version to 0.5.0. 2007-02-05 nalin * configure.ac: fixup logic so that we can tell the difference between 1.5 without preauth_plugin.h (where the backport forces changes in the symbol names for safety's sake) and 1.6 without preauth_plugin.h. * src/bcmst.c: fix naming of sequence_of_algorithm_identifier. * src/bcmst.c(bcms_decode_sequence_of_algorithm_identifier): Add. * src/bcmst.c(bcms_get_trusted_{client_,kdc_,}certifier_list): Add. * src/certs.c(cert_matches_epi): factor this out, because it's getting too large for repeated code. * src/certs.c(cert_is_preferred): also provide an option to specify a list of banned external_principal_identifier structures, for cases where the KDC sends back info that one had an invalid signature. * src/certs.c(cert_validate_{client,kdc}_certificate): use the verify function which gives us a log, and log the failure entries. Also return the SEC_ERROR_BAD_SIGNATURE certs if we're returning a KDC_ERR_INVALID_CERTIFICATE error. * src/commont.c(common_decode_sequence_of_algorithm_identifier): Add. * src/map-file.c: log when we encounter errors opening/reading the file. * src/oakley.c(oakley_parse_group): factor this out. * src/oakley.c(oakley_get_groups): Add, for retrieving all parameters with prime at least a certain size. * src/oakley.c: return a domain_parameters structure instead of the NSS DHParamaters and an extra q, because it's less work. * src/pkinit.c: add a "minimum_dh_prime_size" option. Set the prompt callback before we attempt to open the database. * src/pkinit.c(client_try_again): add, decoding the error data and using it to guide attempts to find another certificate and generate an auth_pack. * src/pkinitt.c(pkinit_get_trusted_{client,kdc}_certifier_list): Retire. * src/pkinitt.c(pkinit_create_dh_parameters_edata): Add, for sending along with KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED errors. * src/pkinitt.c(pkinit_create_client_public_value): Allow a prescribed list of acceptable parameters from the KDC and a locally-specified minimum size. * src/pkinitt.c(pkinit_create_{draft_,}auth_pack): handle cases where pkinit_create_client_public_value() can't give us anything. * src/pkinitt.c(pkinit_verify_pa_pk_as_req): set e_data for KDC_ERR_CANT_VERIFY_CERTIFICATE, KDC_ERR_INVALID_CERTIFICATE, and KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. 2007-01-26 nalin * src/pkinitt.c(pkinit_time_from_signing_time): try to parse the raw timestamp (without the type and length) as a timestamp. * src/pkinitt.c(pkinit_time_from_utc_time): fix scanning of the time. * src/pkinitt.c(pkinit_create_trusted_certifiers_edata): add. * src/pkinitt.c(pkinit_create_invalid_certificates_edata): add. * src/pkinitt.c(pkinit_verify_pa_pk_as_req): reuse code to build the list of trusted CAs to clean this area up a bit. * src/certs.c(cert_find_preferred_cert): take the list of restricted CAs as an external_principal_identifier list instead of an array of DER-encoded certificates. 2007-01-26 nalin * src/pkinitt.c(pkinit_signing_time_from_time): add function to convert to encoded signing time to time_t, using UTC time or generalized time, as appropriate. * src/pkinitt.c(pkinit_utctime_from_time): add function to convert to raw UTC time to time_t. * src/pkinitt.c(pkinit_generalizedtime_from_time): rename, make public function to convert to raw generalized time to time_t. * src/pkinitt.c(pkinit_time_from_signing_time): add function to convert from encoded signing time to time_t. * src/pkinitt.c(pkinit_from_utctime_time): add function to convert from raw UTC time to time_t. * src/pkinitt.c(pkinit_from_generalizedtime_time): rename, make public function to convert from raw generalized time to time_t. * src/pkinitt.c(pkinit_verify_pa_pk_as_req): if the client included a signing time attribute as part of its request, check that date for clock skew as well. * src/commont.c: add encoder/decoder pairs for UTCTime and GeneralizedTime items. * src/bcmst.c(bcms_verify_signed_data): provide a way to stash the signing time as a time_t for the caller. * src/bcmst.c(bcms_make_external_principal_identifier_list): add. * src/bcmsutil.c: add a -v (verbosity) option to crank up debug logging. 2007-01-25 nalin - make pkinit_debug() take a module_context and a debug priority level - thread module_context pointers through many, many functions 2007-01-22 nalin * src/bcmst.c(bcms_make_certificate_list): take a deep copy of the certificate, in case the current origin gets pulled out from under us before we go to encode this list. * src/commont.c(common_make_algorithm_identifier_list): take a deep copy of the parameters field, in case the one we're using gets pulled out from under us before we go to encode this list. 2007-01-19 nalin * src/bcmst.c, src/certs.c: use CERT_DestroyCertArray() instead of a home-grown function which actually leaks the array pointer (oops). * src/certs.c(cert_validate_kdc_certificate, cert_validate_client_certificate): provide a way to pass in a certificate pool when we're verifying certificates, and import that pool into the temporary database to help us fill in the gaps in certificate chains. * src/pkinitt.c(pkinit_validate_kdc_certificate): provide a way to pass in the pool of certs which may include intermediate CAs. 2007-01-12 nalin * src/bcmst.c, src/certs.c: give destroy_array_of_certs() an upper-bound on the array size. 2007-01-12 nalin * backport: update to base off of the final 1.6 sources. 2007-01-12 nalin * src/pkinit.c: release slots and certificates when they're no longer going to be used. Note if NSS shutdown fails. 2007-01-12 nalin * doc/CONFIGURATION: note which Oakley groups we know about already. 2007-01-12 nalin * src/show-cert-guid.c: note if NSS shutdown fails. 2007-01-12 nalin * src/pkinitt.c: release keys, certificates, contexts, and slots. 2007-01-12 nalin * src/certs.c: release certificates when they're no longer going to be used. 2007-01-12 nalin * src/bcmsutil.c: add a -t option to allow forcing a token login. * src/bcmst.c: release keys, certificates, contexts, and slots. 2007-01-12 nalin * src/oakley.c, src/prime2sub: add q values for the rest of the DH parameter sets. 2007-01-08 nalin * src/bcmst.c(bcms_add_cert_chain_to_signed_data): walk the chain correctly (#221917). 2006-12-21 nalin * src/map-file.c: add a mapping-file module. Hopefully at some point we'll be able to just call out to something smarter, but for now this may have to do. * src/show-cert-guid.c: rename an unused parameter so that it is easy to tell that we knew it would be unused. * src/bcmst.c: rename an unused parameter so that it is easy to tell that we knew it would be unused. * src/pkinitt.c: take a flag indicating whether or not we should trust SAN values for cases where we have to find the cert by ourselves. Change create_rep to take the cert instead of searching directly. * src/certs.c: support the passing-in of additional acceptible subject DN values when we need to find a certificate. * src/pkinit.c: support mappings files, and being told to not trust SAN values. 2006-12-20 nalin * src/pkinit.c: add an "is_hw" flag to control whether or not we consider ourselves hardware preauth. * src/certs.c: make cert_certificate_is_preferred() module-local. Provide a way to require that the cert being checked is issued (at some point) by one of some provided DER certs. 2006-12-20 nalin * src/certs.c(cert_verify_cert_for_encryption): add, to check if the client's key is allowed to be used to encrypt enc-key-pack replies. * src/pkinit.c(server_return): ensure that we either have DH params or a client cert which can be used for encryption before building the reply. 2006-12-20 nalin * src/certs.c(cert_validate_kdc_certificate, cert_validate_client_certificate,cert_is_preferred): don't barf if we can't find the certificate's issuer. * src/certs.c(cert_certificate_get_is_ca): make the message about not having basicConstraints less emphatic. * src/pkinit.c,backport/: update backport to 1.6 branch, rev. 18998 2006-12-19 nalin * src/bcmst.c(bcms_add_cert_chain_to_signed_data): use CERT_FindCertIssuer() to walk the certifying chain because it's simpler and seems to work better. * src/pkinit.c(server_verify): initialize some pointers we didn't used to clear. * src/pkinitt.c(pkinit_kdc_dh_key_info_template): the nonce isn't optional. Set it correctly, too. 2006-12-18 nalin * src/pkinit.c: don't use the non-existent appdefault_integer() call, use our own. * src/commont.c: provide an alternate integer decoder. 2006-12-18 nalin * po: refresh * src/pkinitt.c: remove redundant validation calls, since we do the same in the cert...() functions we call * src/bcmst.c: change things so that we expect constructed data as the content in content-info structures, but continue to decode both. Generate signed-attributes by default; handle signed-attributes when verifying signed messages. * src/bcmsutil.c: update for bcmst changes. * src/commont.c: update for bcmst changes. Encode the private_value_length field of DH parameters, if it's there, likewise for the validation_parms field of domain parameters. * src/pkinit.c: rework module init/cleanup to use the hooks provided by newer versions of the plugin layer, properly shut down NSS when we were the ones who initialized it. Pick up "try_dh" and "preferred_group" options to affect how the client tries to get creds from the KDC. (Note: the default modulus file distributed with Heimdal is group 2.) * src/certs.c: fail validation of either client or server certs if we can't build a chain from the cert to a "root" certificate. Assume that such a certificate is unsuitable for our use, too. * src/oakley.c: track subprime values for groups for which they are defined, and provide a way for the caller to get them, too. * src/pkinitt.c: encode the parts of a PA-PK-AS-REQ as octet strings, not structures, per the spec. 2006-11-01 nalin * src/pkinit.c: don't try to free that duplicate cert * tag 0.2.1 2006-11-01 nalin * tag 0.2.0 2006-11-01 nalin * src/certs.c: remove no-longer-used certdb parameter from find_preferred_cert. Clean up use of SAN matching flags. Use CERT_DupCertificate instead of malloc to save the certificate. 2006-10-31 Jeff Moyer <jmoyer@redhat.com> * src/certs.c, src/pkinit.c: It turns out that using CERT_FindCertByNickname is not a reliable method for listing certificates. Instead, get a list of slots, and a list of certificates for each slot. This fixes a problem with pkinit not allowing one to renew credentials after a kdestroy or expiry. 2006-10-30 nalin * src/certs.c: if the certificate we get back from CERT_FindCertByNickname() isn't the one we wanted, log a debug message. From Jeff Moyer. * backport/krb5-1.5.1-pal-18695.patch: remove * backport/krb5-1.5.1-pal-18750.patch: add updated * backport/krb5-trunk-edata.patch: add proposal for e-data changes * backport/krb5-trunk-free_plugin_dir_data.patch: add to fix a memleak * backport/krb5-trunk-module-global.patch: add to make module contexts shared across preauth systems. Placeholder until Kevin's rework is ready. * backport/krb5-trunk-preauth-sort.patch: add to fix a crasher. * doc/openssl/make-certs.sh: add, for generating test certs without a full-blown CA installation. * src/certs.c: don't bail if we don't match the Kerberos name if we're also going to try to match a UPN. * src/pkinit.c: use a single call to find the KDC's certificate. 2006-10-30 nalin * src/certs.c: use the principal name templates from pkinitt, and not the local out-of-date-and-wrong ones, so that we properly recognize the value in a certificate. * src/pkinit.c: disable ocsp in the client by default, leaving it enabled by default in the KDC. Only search for a certificate once. This means that we'll prefer a UPN cert over a KPN(?) cert if we see it first, but it cuts down on the number of prompts. * src/pkinitt.c: export only the one ASN.1 template. 2006-10-26 jmoyer * src/pkinit.c: report the error when NSS_Init() fails. 2006-10-26 nalin * doc/TODO: updates * src/bcmst.c: make the members of external_principal_identifier real OctetStrings and not pointers to Any. Provide a way for code which creates enveloped_data to specify which bulk encryption algorithm we should use. * src/bcmsutil.c: provide -D and -R, to select the enveloped-data cipher. * src/commont.c: learn to generate/encode/use 3DES parameters (the IV). * src/pkinit.c: learn how to add auth_data to the list in the ticket provided by the KDC. * src/pkinitt.c: learn to encode the initial-verified authorization data. Encode the authorization data when we verify a client's request, passing in items between the client and the end of its chain. Get the bit- vs. byte-length stuff sorted out for DH keys. * src/oakley.c: add Oakley groups 1, 2, 5, 14, 15, 16. * src/pkinitt.c: default to using Oakley group 14. 2006-10-23 nalin * src/pkinit.c: track the client DH public key and nonce in the request context as well. * src/pkinitt.c: save the client DH public key and nonce from create_client_public_value. Break KDC certificate validation into a shared subroutine. Move enc-key-pack processing into a single function, and call it from the AS-REP verification function. Try to get the client processing of a DH AS reply going. * src/certs.c: add OID information for dhPublicNumber and dhKeyAgreement * src/commont.c: add encoders/decoders for dhParameters, which might be what Windows expects. * src/pkinitt.c: follow examples more closely in calling the secret derivation functions. Interpret the results of SECITEM_ItemsAreEqual properly, because it looks like yes, I am that dumb. * src/pkinit.c: be more careful about the request context pointer. * src/pkinitt.c: be more careful about assuming that we have access to the right client state. * src/pkinit.c: assume the module context is truly global, and use that so that we can access DH keying information for non-draft requests. * src/commont.c: add dump functions. Add encoders/decoders for bit strings and integers. * src/pkinit.c: print the error message which goes with the return code. Encode the client's public value as an integer before passing it in for encoding as a bit string. Catch errors decoding DH parameters sent by the client. Encode the server's public value as an integer before passing it in for encoding as a bit string. Return the server nonce iff we have a client nonce, not the other way around. Decode the server's reply before using it as a public value. 2006-10-19 nalin * src/pkinit.c: track the client's private DH keying info in the client context. * src/pkinitt.c: add first pass at having the client supply DH parameters and keying data to the KDC. * src/commont.c: fix the template for the subject_public_key so that we encode it correctly. * src/pkinit.c: debug log when we save DH-related information in the server verify callback. * src/pkinitt.c: make the client's public key info in the auth_pack structures opaque at this level. Forcibly disable DH in the draft version -- Windows either doesn't like it at all, or just this implementation. Use CKM_DH_PKCS_KEY_PAIR_GEN instead of CKM_X9_42_DH_KEY_PAIR_GEN for generating DH keying data. Call PK11_ExtractKeyValue before PK11_GetKeyData so that we actually get the keying data back. * src/pkinitt.c: catch a problem in my implementation. 2006-10-18 nalin * backport/backport-errors.h: wrap definitions of errors in #ifndef * src/commont.c: remove duplicate "j" reference in the template for domain parameters. Add encode/decode function for domain_parameter structures. Add common_make_random_item() for generating DH nonces. * src/pkinitt.c: correct the offset of client_public_value in the template for auth_pack. Change client_dh_nonce in auth_pack to a pointer. Change server_dh_nonce in dh_rep_info to a pointer. Move create_auth_pack and create_draft_auth_pack to the right namespace. Teach pkinit_octet_string_to_aeskey() about the client and server nonces. Flesh out pkinit_build_dh_key_info() implementation. 2006-10-16 nalin * src/pkinit.c(server_return): don't crash if the client didn't provide subject_public_key_info. 2006-10-16 nalin * src/pkinitt.c(kerberos_time_from_time): factor this out. 2006-10-16 nalin * src/bcmst.c(bcms_create_signed_data): the encapsulated content OID can be const. * src/commont.c: add encode/decode functions for subject_public_key_info * src/pkinit.c: store the pkauthenticator nonce, a re-encoded copy of the client's DH subject_public_key_info, and the DH nonce in the server- side context. * src/pkinitt.c: add encode/decode functions for kdc_dh_key_info. Save the nonces and DH info when verifying a client AS_REQ, and if we have them when we go to create an AS_REQ, try to use DH first, failing miserably (for now). 2006-10-16 nalin * configure.ac: adjust status output to note that support != 1 header. * doc/README: don't use me as an example * src/certs.c(oid_pkinit_dhkey_data,oid_pkinit_dhkey, cert_get_oid_pkinit_dhkey_data): add. * commont.c: add templates and definitions for validation_parms and domain_parameters * pkinitt.c: add templates and definitions for kdc_dh_key_info. The server_dh_nonce isn't ANY, it's an OctetString. Add an AES-specific pkinit_octet_string_to_aeskey() for converting a DH key to an AES key. 2006-10-13 nalin * backport/krb5-1.5.1-pal-18687.patch: remove. * backport/krb5-1.5.1-pal-18695.patch: add. * src/pkinit.c: update for changes in trunk version of module interface. * backport/krb5/preauth_plugin.h: update to latest from trunk. * Makefile.am: add backport/backport-errors.h to dist files. * src/pkinit.c: use the right symbol names for backports. 2006-10-12 nalin * backport/backport-errors.h: add. * src/certs.c(cert_ku_matches_mask): add. * src/certs.c(cert_validate_kdc_certificate): return a Kerberos error code. * src/certs.c(cert_validate_client_certificate): return a Kerberos error code. * src/pkinitt.c(pkinit_verify_pa_pk_as_rep_shared): use routines in certs for validating the response again. 2006-09-26 nalin * src/pkinit.c: flag that we replace the key on reply 2006-09-21 nalin * src/pkinit.c: turn on OCSP checking everywhere. 2006-09-20 nalin * src/bcms.c, src/pkinit.c: prototype updates for current rev of the pal patch, which is hopefully stable now 2006-09-15 nalin * configure.ac,Makefile.am,po/: add the beginnings of translation support for our one user-visible string. * src/pkinit.c: pull up the maximum allowed time skew by abusing the get-entry-data interface. * doc/krb5-1.5.1-pal.patch: add a means of querying for the maximum clock skew -- it's not per-entry, but the get-entry-data interface will do fine. Unload plugins at KDC shutdown. Skip over client modules which provide a NULL client_process() callback. 2006-09-14 nalin * doc/README.CVS: add * doc/Makefile.am: add README.CVS * doc/krb5-1.5.1-pal.patch: remove PA_VIRTUAL -- it's way more invasive to get it working right in the KDC. Client: skip preauth modules we've used more than once, and add sorting of the options the server presents, subject to the "preferred_preauth_types" setting. Document "preferred_preauth_types" in the krb5.conf man page. Fixup definitions of PADATA_PK_AS_REP_OLD, PADATA_PK_AS_REQ_OLD, and their not-old counterparts to match RFC 4120. Add a bunch of other preauth type definitions to krb5.h. * configure.ac: bump to 0.0.4 * src/pkinit.c: use symbolic names for the preauth types. Advertise PADATA_PK_AS_REQ from the server, not PADATA_PK_AS_REP. In the client, treat PADATA_PK_AS_REQ as an invitation to do PKINIT, and PADATA_PK_AS_REP as the server response. Now that we can sort out the preauth type order, don't rely on claiming to be both a PA_INFO and a PA_REAL module to get to run first. 2006-09-13 nalin * src/certs.c: don't leak the user's unparsed name * src/pkinit.c: debug-log whether or not we got a cert value from the realm database 2006-09-13 nalin * (all files) initial check-in