2003-04-01  Nalin Dahyabhai  <nalin@redhat.com>

	* kerberos5.c (kerberos5_is): Check principal name length before
	examining components.

2002-03-29  Tom Yu  <tlyu@mit.edu>

	* kerberos5.c, kerberos.c (Data): Don't overflow
	buffer. [telnet/1073] [pullup and reindent from trunk]

2001-02-21  Tom Yu  <tlyu@mit.edu>

	* configure.in: Check for setenv, unsetenv, and getenv.  Compile
	setenv.c if at least of these is undefined.

	* setenv.c: Add conditionals for compilation of setenv, unsetenv,
	and getenv such that they only get compiled if they don't already
	exist.

2000-05-11  Nalin Dahyabhai  <nalin@redhat.com>

	* gettytab.c (nchktc): Don't overflow tcname if tty type name is too
	long
	* kerberos.c (kerberos4_status): Make sure "UserNameRequested" is
	always properly terminated.
	* kerberos5.c (kerberos5_is): If bad principal name is too long to fit
	in "errbuf", don't print it.
	(kerberos5_status): Make sure "UserNameRequested" is always properly
	terminated.
	* spx.c (spx_status): Ditto.

2000-04-28  Nalin Dahyabhai  <nalin@redhat.com>

	* kerberos5.c (kerberos5_is): Don't overflow buffer "errbuf".
	* spx.c (spx_init, spx_send, spx_is): Don't overflow buffer
	"targ_printable".
	(spx_status): Don't overflow buffer "acl_file".

1999-10-26  Tom Yu  <tlyu@mit.edu>

	* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
	LOCAL_INCLUDES such that one can override CFLAGS from the command
	line without losing CPP search patchs and defines. Some associated
	Makefile cleanup. [from wsanchez@apple.com]

1999-08-31 17:28   Jeffrey Altman <jaltman@columbia.edu>

        * kerberos5.c: Ensure that only "host" service tickets are accepted.

Wed Feb  3 22:59:27 1999  Theodore Y. Ts'o  <tytso@mit.edu>

	* kerberos5.c: Increase size of str_data so that we can accept
		mongo-gram tickets from Microsoft.  [telnet/686]

1998-11-13  Theodore Ts'o  <tytso@rsts-11.mit.edu>

	* Makefile.in: Set the myfulldir and mydir variables (which are
		relative to buildtop and thisconfigdir, respectively.)

1998-10-26  Marc Horowitz  <marc@mit.edu>

	* enc_des.c, kerberos.c: the ECB des functions don't exist
	anymore, but telnet always encrypted/decrypted one block.  Convert
	to calls to the new crypto api, with des-cbc-raw, using a single
	block.

Tue Mar  3 14:43:30 1998  Theodore Ts'o  <tytso@rsts-11.mit.edu>

	* configure.in: Change test for cgetent to use HAVE_ instead
		of HAS_, and add a test for gettosbyname().

	* getent.c: Use HAVE_CGETENT instead of HAS_CGETENT

	* parsetos.c: Use HAVE_GETTOSBYNAME instead of HAS_GETTOS

1998-05-06  Theodore Ts'o  <tytso@rsts-11.mit.edu>

	* getopt.c (getopt): POSIX states that getopt returns -1 when it
		is done parsing options, not EOF.

Wed Feb 18 15:37:20 1998  Tom Yu  <tlyu@mit.edu>

	* Makefile.in: Remove trailing slash from thisconfigdir.  Fix up
	BUILDTOP for new conventions.

Thu Feb 12 10:23:28 1998  Theodore Ts'o  <tytso@rsts-11.mit.edu>

	* configure.in: Remove obsolete USE_KRB4_LIBRARY macro

Mon Feb  2 17:02:29 1998  Theodore Ts'o  <tytso@rsts-11.mit.edu>

	* Makefile.in: Define BUILDTOP and thisconfigdir in the Makefile

Thu Nov 20 17:13:42 1997  Tom Yu  <tlyu@mit.edu>

	* forward.c (rd_and_store_for_creds): Fix up to no longer do the
	chown [krb5-appl/502]

	* kerberos5.c (kerberos5_is): Fix up call to
	rd_and_store_for_creds. [krb5-appl/502]

Tue Oct 21 10:54:22 1997  Ezra Peisach  <epeisach@mit.edu>

	* enc_des.c: Include string.h/strings.h for memcpy prototype

Thu Jul 31 14:57:05 1997  Ezra Peisach  <epeisach@mit.edu>

	* Makefile.in (SRCS): Fix typo s/scrdir/srcdir/

Thu Feb  6 00:14:50 1997  Richard Basch  <basch@lehman.com>

	* kerberos5.c (kerberos5_is): First argument to
		krb5_verify_checksum is a krb5_context!!!

Thu Nov  7 15:29:09 1996  Theodore Ts'o  <tytso@rsts-11.mit.edu>

	* kerberos5.c (kerberos5_init): Check the error return from
 		krb5_init_context(), and print an error message if
 		necessary.

Fri Nov  1 20:32:12 1996  Sam Hartman  <hartmans@mit.edu>

	* parsetos.c (proto;): Add parsetos support on all platforms which
 	support TOS[57]

Thu Oct 31 18:29:08 1996  Sam Hartman  <hartmans@mit.edu>

	* auth.h: Move constants for ticket forwarding here.

	* kerberos5.c : Clarify what errors come from what programs
 	(telnetd|telnet); patch by John Hawkinson <jhawk@bbnplanet.com>
 	[77]

Mon Oct 14 00:21:08 1996  Sam Hartman  <hartmans@mit.edu>

	* Makefile.in (OBJS): Remove rsaencpwd aned krb4encpwd stuff as
 	well as associated read_password [50]

	* auth.c krb4encpwd.c Makefile.in: Remove krb4encpwd [50]
	While we're at it, remove rsaencpwd as well.

Tue Jul  9 14:59:19 1996  Marc Horowitz  <marc@mit.edu>

	* Makefile.in (LOCALINCLUDES): use @KRB4_INCLUDES@ instead of an
 	explicit path to the in-tree krb4 headers

Mon Jul  8 01:33:30 1996  Marc Horowitz  <marc@mit.edu>

	* enc-proto.h (des_new_random_key, des_set_random_generator_seed,
 	des_key_sched, des_ecb_encrypt, des_string_to_key): removed these
 	declarations.  these are kerberos/des symbols, and should not be
 	declared here.  Two of these symbols (des_key_sched and
 	des_ecb_encrypt) conflict with CNS.
	
Fri Jun 14 19:09:48 1996  Sam Hartman  <hartmans@mit.edu>
*	configure.in * Makefile.in (LOCALINCLUDES): Don't include KerberosIV; use
 	whatever is appropriate for the withval

Thu May  9 00:06:41 1996  Richard Basch  <basch@lehman.com>

	* kerberos5.c: use the default server principal name to generate
	the rcache filename

Sat Apr 27 16:09:54 1996  Richard Basch  <basch@lehman.com>

	* kerberos5.c: a host may have multiple names and multiple keys,
	so do not try to resolve the "server" principal before the rd_req

Fri Apr 12 23:36:01 1996  Richard Basch  <basch@lehman.com>

	* forward.c (rd_and_store_for_creds): Consistency with the
 	krlogind forwarded credentials cache naming scheme - krb5cc_p<pid>

Thu Apr 11 21:45:21 1996  Richard Basch  <basch@lehman.com>

	* forward.c (rd_and_store_for_creds): If we are going to use a
	ttyname based credentials file, at least compute it in a saner
	fashion (strip the /dev/ and translate remaining /'s into _, so
	the cache name looks like krb5cc_pts_4 instead of krb5cc_4).

	* kerberos5.c (kerberos5_cleanup): Cleanup the credentials cache
	that we may have created and destroy the context.

Mon Mar 18 20:56:37 1996  Theodore Y. Ts'o  <tytso@dcl>

	* kerberos5.c (kerberos5_send): Send in as input the
		authentication type pair (ap->type, ap->way) to be
		checksumed in the authenticator.
		(kerberos5_is): If the checksum is present in the
		authenticator, then validate the authentication type pair
		against the checksum.
		(kerberos5_reply): If we didn't do mutual authentication,
		and we receive a KRB_ACCEPT, then stash away the session
		key anyway.  This way we have a chance of doing encryption
		even if mutual authentication wasn't done.

	* encrypt.c (EncryptStartInput, EncryptStartOutput): Added
		conditional around printf so that these two functions can
		be called by the server.
		(encrypt_is_encrypting): New function which returns true
		only if both sides of the telnet stream is encrypted.

Fri Mar 15 18:19:44 1996  Theodore Y. Ts'o  <tytso@dcl>

	* auth.c: Added new authentication scheme for Krb5 mutual
		authentication with mandatory encryption.
		(auth_send, auth_send_retry): Split auth_send() so that
		the functionality done by auth_send_retry() is separate.
		This avoids a really dodgy pointer comparison which was
		caused by auth_send() being used for two purposes.  
		If the client has not requested encryption, then don't
		use the authentication systems which require encryption.
		(auth_must_encrypt):  New function which returns whether 
		or not encryption must be negotiated.

	* auth-proto.h: Added prototype for new option
		auth_must_encrypt().

	* Makefile.in (ENCRYPTION, DES_ENCRYPTION): Added defines to turn
	        on encryption and des encryption.

Fri Jan 26 01:05:46 1996  Sam Hartman  <hartmans@tertius.mit.edu>

	* kerberos5.c (kerberos5_send): Get DES_CBC-CRC credentials.

Tue Jan  9 22:53:58 1996  Theodore Y. Ts'o  <tytso@dcl>

	* forward.c (get_for_creds): Removed no longer used function.

	* kerberos5.c (kerberos5_forward): Convert from using
		get_for_creds() from forward.c to using the official
		library routine, krb5_fwd_tgt_creds().  Misc. lint
		cleanups. 

Sun Nov 12 04:48:41 1995  Mark W. Eichin  <eichin@cygnus.com>

	* forward.c: set KRB5_DEFAULT_LIFE to 10 hours, not 8.
	* forward.c (rd_and_store_for_creds): construct correct cache name
	for forwarded tickets (based on tty name if available) and drop it
	into the environment so login notices it.

Mon Oct  9 23:03:48 1995  Sam Hartman  <hartmans@tertius.mit.edu>

	* kerberos5.c: make session_key a pointer, and use
        krb5_copy_keyblock not krb5_copy_keyblock_contents; there was no
        reason to violate this abstraction.

Sun Sep 24 12:33:03 1995  Sam Hartman  <hartmans@tertius.mit.edu>

	* kerberos5.c: Initialize session key from the subsession key we get from krb5_mk_req_extended, using ticket key as a fallback.
	(kerberos5_send): Use appropriate enctypes when encryption defined.

Wed Sep 06 14:20:57 1995   Chris Provenzano (proven@mit.edu)

        * encrypt.h, kerberos5.c : s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g

Tue Sep 05 22:10:34 1995   Chris Provenzano (proven@mit.edu)

        * kerberos5.c : Remove krb5_enctype references, and replace with
                krb5_keytype where appropriate.

Thu Aug 3 11:36:15 EDT 1995	Paul Park	(pjpark@mit.edu)
	* kerberos.c - Give the compiler something to compile when K4 disabled.


Tue Jun 27 16:16:18 EDT 1995	Paul Park	(pjpark@mit.edu)
	* enc_des.c, encrypt.c, krb4encpwd.c, read_password.c, rsaencpwd.c,
		spx.c - Give the compiler something to compile when these
		modules are essentially disabled.  Some compilers choke when
		there's nothing to compile.
	* setenv.c - Change prototype for __findenv to be static since it's
		really static.

Tue Jun 20 13:59:43 1995  Tom Yu  (tlyu@dragons-lair)

	* configure.in: fix typo

	* strrchr.c: NO_STRING_H -> HAVE_STRING_H

	* strftime.c: NO_STRING_H -> HAVE_STRING_H

	* strerror.c: NO_STRING_H -> HAVE_STRING_H

	* strdup.c: NO_STRING_H -> HAVE_STRING_H

	* strchr.c: NO_STRING_H -> HAVE_STRING_H

	* strcasecmp.c: NO_STRING_H -> HAVE_STRING_H

	* spx.c: NO_STRING_H -> HAVE_STRING_H

	* rsaencpwd: NO_STRING_H -> HAVE_STRING_H

	* read_password.c: NO_STRING_H -> HAVE_STRING_H

	* mem.c: NO_STRING_H -> HAVE_STRING_H

	* krb4encpwd.c: NO_STRING_H -> HAVE_STRING_H

	* kerberos5.c: NO_STRING_H -> HAVE_STRING_H

	* kerberos.c: NO_STRING_H -> HAVE_STRING_H

	* encrypt.c: NO_STRING_H -> HAVE_STRING_H

	* auth.c: NO_STRING_H -> HAVE_STRING_H for consistency

	* configure.in: added missing tests for string.h, stdlib.h

Sat Jun 10 22:59:42 1995  Tom Yu  (tlyu@dragons-lair)

	* forward.c, kerberos5.c: krb5_auth_context redefinitions

Fri Jun  9 18:30:02 1995    <tytso@rsx-11.mit.edu>

	* configure.in: Remove standardized set of autoconf macros, which
		are now handled by CONFIG_RULES.

Wed May 24 10:29:54 1995  Ezra Peisach  <epeisach@mit.edu>

	* kerberos5.c: Include string.h/strings.h. Include stdlib.h or
		declare malloc. 

Sun May  7 18:45:09 1995  Ezra Peisach  <epeisach@mit.edu>

	* kerberos5.c (kerberos5_send): Fix improperly closed comment
			krb5_get_credentials second argument is not 
				kdc_options....

	* configure.in (LIBOBJS): Removed duplicate WITH_KRB4

Fri Apr 28 11:17:16 1995  Mark Eichin  <eichin@cygnus.com>

	* configure.in: switch to WITH_KRB4 since it suffices in this case.

Thu Apr 27 17:08:16 1995  Mark Eichin  <eichin@cygnus.com>

	* configure.in: use AC_CONST since we need it for v4.

Thu Apr 27 15:52:19 1995  Chris Provenzano  (proven@mit.edu)

	* kerberos5.c (kerberos_is()) : Initialize keytabid to NULL.

Thu Apr 27 14:48:38 1995  Mark Eichin  <eichin@cygnus.com>

	* Makefile.in (LOCALINCLUDES): find kerberosIV headers.

Wed Apr 26 19:52:52 1995  Mark Eichin  <eichin@cygnus.com>

	* kerberos5.c (kerberos5_is): use kt_resolve to get keytab, to
	correspond to current interface to rd_req.

Tue Apr 25 21:23:28 1995  Chris Provenzano  (proven@mit.edu)

        * forward.c (rd_and_store_for_creds()) : Rewritten to use
                auth_context and the new krb5_rd_creds().
        * forward.c (get_for_creds()) : New function replacing
                krb5_get_for_creds() and uses auth_context and new
                krb5_mk_creds() routine.
        * kerberos5.c (kerberos5_send()): Set initial flags on auth_context
		to KRB5_AUTH_CONTEXT_RET_TIME, and use new
        	rd_and_store_for_creds() routine.
	* kerberos5.c (kerberos5_forward()): Use the new get_for_creds().

Sat Apr 22 00:50:14 1995  Theodore Y. Ts'o  (tytso@dcl)

	* kerberos5.c (kerberos5_init): Only call krb5_init_context if 
		the telnet context hasn't been initialized yet.

Thu Apr 20 20:12:32 1995  Mark Eichin  <eichin@cygnus.com>

	Changes for testsuite from Ian Taylor <ian@cygnus.com>
	* kerberos5.c (telnet_srvtab): New global variable.
	(telnet_krb5_realm): New global variable.
	(kerberos5_send): If telnet_krb5_realm is set, copy it into
	creds.server.  Pass new_creds to krb5_mk_req_extended, not &creds.
	Pass &new_creds->keyblock to krb5_copy_keyblock_contents, not
	new_creds.
	(kerberos5_is): pass telnet_srvtab in to krb_rd_req.
	(kerberos5_forward): If telnet_krb5_realm is set, copy it into
	local_creds->server.

Wed Mar 29 15:08:43 1995  Theodore Y. Ts'o  (tytso@dcl)

	* kerberos5.c: No need to have the session_key established for
		mutual authentication to work.  (That's only done if
		ENCRYPTION is defined.)

	* auth.c (authenticators): Allow mutual authentication even if the
		ENCRYPTION option is not turned on.

Mon Mar 27 07:56:26 1995 Chris Provenzano (proven@mit.edu)

        * kerberos5.c (kerberos5_is()): Use new calling convention for 
		krb5_rd_req(), and krb5_mk_rep().

Fri Mar 24 23:51:18 1995  Theodore Y. Ts'o  <tytso@dcl>

	* kerberos5.c (kerberos5_send): Initialize auth_context to zero
		before calling mk_req.

Fri Mar 10 11:09:34 1995  Chris Provenzano (proven@mit.edu)

        * kerberos5.c: Use new calling convention for krb5_mk_req_extended().

Tue Mar  7 19:52:00 1995  Mark Eichin  <eichin@cygnus.com>

	* configure.in: take out ISODE_DEFS, ISODE_INCLUDE.

Tue Feb 28 01:48:32 1995  John Gilmore  (gnu at toad.com)

	* forward.c, kerberos5.c:  Avoid <krb5/...> includes.

Tue Feb 14 15:30:55 1995 Chris Provenzano  (proven@mit.edu)

        * kerberos5.c (kerberos5_send(), kerberos5_forward()) 
		Call krb5_get_credentials() and krb5_mk_req_extended() 
		with new calling convention.

Thu Feb  2 02:56:50 1995  John Gilmore  <gnu@cygnus.com>

	* forward.c:  Remove unused #include <krb5/crc-32.h>.
	* kerberos5.c (kerberos5_send):  Remove code for sending a checksum
	of a zero-byte string; we can just send no checksum at all.  This
	eliminates dependency on <krb5/crc-32.h>.
	(kerberos5_forward):  Remove extra parameter to krb5_get_for_creds,
	probably accidentally inserted during context changes -- which don't
	seem to be here in the ChangeLog.
	* kerberos.c:  Remove prototypes for krb4 functions, since
	some of them are wrong with CNS (u_long vs. KRB_INT32 conflicts).

Fri Nov 18 15:19:26 1994  Theodore Y. Ts'o  (tytso@dcl)

	* kerberos5.c (kerberos5_init): Initialize magic variable and
		encryption type.  

Fri Nov 18 00:37:13 1994  Mark Eichin  <eichin@cygnus.com>

	* configure.in: use WITH_KRB4. (from epeisach)

Mon Nov 14 16:27:29 1994  Theodore Y. Ts'o  (tytso@dcl)

	* kerberos.c (kerberos4_is): Initialize random number generator on
		the server side so that the encryption routines later on
		can use it. 

	* kerberos.c (kerberos4_send): Fix bug in how we pick the
		challenge for the challenge/response mutual
		authentication.

Fri Nov 11 00:55:36 1994  Theodore Y. Ts'o  (tytso@dcl)

	* forward.c (mk_cred, rd_cred): Move these routines to libkrb.a.

Tue Nov  8 01:39:50 1994  Theodore Y. Ts'o  (tytso@dcl)

	* kerberos.c (kerberos4_is): Fix bug in logic of incrementing the
		received challenge.  A ++/-- mixup means there's a 1 in
		256 chance the server will get it wrong.

	* kerberos.c: Use des_init_random_number_genator(), since that
		will result in different subsession keys on successive
		runs of telnet.

Mon Nov  7 22:36:20 1994  Theodore Y. Ts'o  (tytso@dcl)

	* auth.c (auth_status): Only print each possible authentication
		type once in the status report.

	* auth.c (auth_onoff): Remove excess call to getauthmask() which
		stomped the mask field.  Only print each possible
		authentication type once in the help message.

	* auth.c (getauthmask): Fix reversed sense of strcasecmp
		comparison.

	* auth.c (auth_enable, auth_disable): Change the input type to be
		a char *, which is what auth_onoff wants anyway.

Mon Aug  8 22:16:54 1994  Theodore Y. Ts'o  (tytso at tsx-11)

	* kerberos5.c (kerberos5_send): Whoops, mispelled
	krb5_copy_keyblock_contents().  (It was inside #ifdef
	ENCRYPTION)

Thu Aug  4 03:36:29 1994  Tom Yu  (tlyu@dragons-lair)

	* Makefile.in: add blank target for install

Tue Jul 26 18:21:29 1994  Tom Yu  (tlyu@dragons-lair)

	* Makefile.in: whoops left out some $(srcdir) stuff

Mon Jul 25 01:05:31 1994  Tom Yu  (tlyu@dragons-lair)

	* Makefile.in: remove reference to lorder (linux doesn't have
	lorder, it seems)

Fri Jul 15 23:36:50 1994  Theodore Y. Ts'o  (tytso at tsx-11)

	* kerberos5.c (kerberos5_is): Avoid coredump caused by freeing of
	an unitialized variable.  Also make sure we don't try to free name
	if it is NULL.

