2007-10-22 nalin
	* configure.ac: check for 1.6.3.
	* backport-1.6.3: add.

2007-07-11 nalin
	* src/pkinit.c: initialize "name" to avoid displaying a garbage pointer
	when using software certs (#247889)
	* configure.ac: bump version to 0.7.3, tag

2007-06-21 nalin
	* configure.ac: bump version to 0.7.2, tag

2007-06-21 nalin
	* src/pkinit.c: don't leak appdefault strings.

2007-06-21 nalin
	* src/pkinit.c(struct module_context): add locations to store typed
	data which we get back from the KDC during try-again processing.  A
	KDC is only expected to hand back one type of data per error, but in
	case we get multiple errors back (for example, unacceptable DH
	parameters AND unverifiable certificates), we need to keep track of
	things it's told us before.
	* src/pkinit.c(client_gic_opts,client_try_again): note which
	parameters we currently ignore.
	* src/pkinit.c(client_process): let "minimum_dh_prime_size" be
	specified on the command line as well.
	* src/pkinit.c(client_try_again): store typed-data which we get as
	edata for possible use in future iterations.

2007-06-20 nalin
	* src/pkinit.c: learn to spew debug at stdout, and to pick up debug
	settings from the command line

2007-06-20 nalin
	* src/aabag.c: rework caching of encrypted items so that we don't
	spew confusing error messages, and so that we prompt using the
	filename.

2007-06-20 nalin
	* src/aabag.c(aa_item_copy,aa_item_in_list): add, to avoid attempts
	to decrypt any given chunk of encrypted data more than once.

2007-06-08 nalin
	* src/pkinit.c: un-"const" a couple of initialization data lists,
	to quiet some compiler warnings which showed up when they were made
	const.

2007-06-08 nalin
	* src/pkinit.c: add CMS enctypes to our requests to be helpful.

2007-06-08 nalin
	* src/pkinitt.c(pkinit_create_auth_pack): pass a NULL item in as the
	algorithm parameters for the supportedCMStypes algorithmInfo list for
	SEC_OID_CMS_3DES_KEY_WRAP and SEC_OID_MD5, instead of just omitting
	them as we had been doing.

2007-06-08 nalin
	* src/bcmst.c,src/certs.c: move find_key_for_cert to certs and make
	it non-static.
	* src/certs.c(cert_ku_matches_mask): remove; should have just been
	using CERT_CheckCertUsage(), which does the same thing.
	* src/certs.c(cert_validate_kdc_certificate,
	cert_validate_client_certificate): call out
	SEC_ERROR_INADEQUATE_CERT_TYPE as a known error, log a debug message
	when we reject a certificate because it can't be used for signing.
	* src/certs.c(cert_have_key_for_cert): add.
	* src/certs.c(cert_verify_cert_for_encryption): don't leak a ref
	to the cert when the certificate passes the check.

2007-06-08 nalin
	* doc/openssl/make-certs.sh: be able to make DSA certs, even if we
	mightn't support them just yet.

2007-06-05 nalin
	* configure.ac: bump version to 0.7.1, tag

2007-05-31 nalin
	* src/get-pkinit-san.c(pkinit_from_other_names): expand the list of
	returned values correctly.

2007-05-31 nalin
	* src/aabag.c(PKINIT_CA_TRUST_FLAGS): add CERTDB_VALID_PEER to the
	list of flags we add to CA certificates.

2007-05-30 nalin
	* src/certs.c(cert_find_preferred_cert_using_slot_or_bag): don't barf
	on empty certificate lists.

2007-05-30 nalin
	* src/pkinit.c(server_verify): load text certs and keys before
	verifying the client's request, not before generating our response
	when it might be too late for the client.

2007-05-30 nalin
	* src/bcmst.c: handle the should-never-happen list-with-nothing-in-it
	case.

2007-05-30 nalin
	* src/aacat.c: handle the should-never-happen list-with-nothing-in-it
	case.

2007-05-30 nalin
	* src/aabag.c(aa_bag_find_cert_by_subject): don't barf on empty lists.

2007-05-30 nalin
	* configure.ac: bump version to 0.7.0, tag.

2007-05-30 nalin
	* src/pkinit.c(pkinit_init): read locations of cert and key files
	from the configuration.
	* src/pkinit.c(client_gic_opt): add, for scanning options.
	* src/pkinit.c(client_process): override locations of cert and key
	files from options, load up the bag.
	* src/pkinit.c(server_get_edata,server_return): load up the bag.

2007-05-30 nalin
	* src/certs.c(cert_find_cert_issuer): search the bag, too.
	* src/certs.c(cert_find_preferred_cert_using_slot_or_bag): rename
	from cert_find_preferred_cert_using_slot, search the bag if there's
	no slot provided.
	* src/certs.c(cert_find_preferred_cert): search bags, too.

2007-05-30 nalin
	* src/bcmsutil.c: prescreen certificates.  Use the right list of
	directories for loading CA certificates.

2007-05-30 nalin
	* src/bcmst.c: dump trust values when we walk the certifying chain.

2007-05-30 nalin
	* src/aabag.c: don't use glob(), which doesn't pick up symlinks.  Fix
	reference counting of keys and certificates.  Fix trust flags given to
	certificates we read.

2007-05-30 nalin
	* src/get-pkinit-san.c: add.

2007-05-30 nalin
	* doc/openssl/make-certs.sh: add dataEncipherment when encryption
	is requested.

2007-05-30 nalin
	* configure.ac: fix checking for working --as-needed flag, avoid
	pulling in libkrb5 more than once when checking if certain functions
	are provided.

2007-05-29 nalin
	* doc/openssl/make-certs.sh: always create a ca.client.crt file,

2007-05-28 nalin
	* doc/openssl/make-certs.sh: move subordinate CAs into subdirectories,
	add nsComment to the top-level CA, create certificate chain files.

2007-05-28 nalin
	* autogen: pick up $CFLAGS from the environment, too

2007-05-28 nalin
	* src/pkinit.c: create bags.

2007-05-28 nalin
	* src/pkinitt.c: update for API changes elsewhere.

2007-05-28 nalin
	* src/bcmsutil.c: use bags.

2007-05-28 nalin
	* src/bcmst.c: update for API changes elsewhere.

2007-05-28 nalin
	* src/certs.c(cert_find_cert_issuer): add, wrapping up the internal
	NSS database with a bag.
	* src/certs.c(cert_find_preferred_cert,cert_validate_client_cert,
	cert_validate_kdc_cert): take a searchable bag.

2007-05-28 nalin
	* src/aabag.c,src/aacat.c: redesign the whole thing so that I don't
	end up having to cart multiple bags around later.

	* src/aacat.c: load non-directories as we would files.

2007-05-30 nalin
	* src/aabag.c: don't use glob(), which doesn't pick up symlinks.  Fix
	reference counting of keys and certificates.  Fix trust flags given to
	certificates we read.

2007-05-30 nalin
	* src/get-pkinit-san.c: add.

2007-05-30 nalin
	* doc/openssl/make-certs.sh: add dataEncipherment when encryption
	is requested.

2007-05-30 nalin
	* configure.ac: fix checking for working --as-needed flag, avoid
	pulling in libkrb5 more than once when checking if certain functions
	are provided.

2007-05-29 nalin
	* doc/openssl/make-certs.sh: always create a ca.client.crt file,

2007-05-28 nalin
	* doc/openssl/make-certs.sh: move subordinate CAs into subdirectories,
	add nsComment to the top-level CA, create certificate chain files.

2007-05-28 nalin
	* autogen: pick up $CFLAGS from the environment, too

2007-05-28 nalin
	* src/pkinit.c: create bags.

2007-05-28 nalin
	* src/pkinitt.c: update for API changes elsewhere.

2007-05-28 nalin
	* src/bcmsutil.c: use bags.

2007-05-28 nalin
	* src/bcmst.c: update for API changes elsewhere.

2007-05-28 nalin
	* src/certs.c(cert_find_cert_issuer): add, wrapping up the internal
	NSS database with a bag.
	* src/certs.c(cert_find_preferred_cert,cert_validate_client_cert,
	cert_validate_kdc_cert): take a searchable bag.

2007-05-28 nalin
	* src/aabag.c,src/aacat.c: redesign the whole thing so that I don't
	end up having to cart multiple bags around later.

2007-05-25 nalin
	* src/aacat.c(main): clean up the certificate and key lists before
	shutting down NSS.

2007-05-23 nalin
	* src/bcmsutil.c(main),src/aacat.c(main): fix "bag" being uninitialized.

2007-05-23 nalin
	* src/fragment/openp12.c,src/fragment/openmod.c: correct a couple of
	compiler warnings.

2007-05-22 nalin
	* src/pkinit.c: update for api changes elsewhere.

2007-05-22 nalin
	* src/bcmsutil.c: open a bag if we're told to open one.

2007-05-22 nalin
	* src/pkinitt.c(pkinit_create_draft_pa_pk_as_req,
	pkinit_create_pa_pk_as_req,pkinit_build_reply_key_pack,
	pkinit_build_dh_key_info,pkinit_create_pa_pk_as_rep,
	pkinit_verify_enc_key_pack_common,pkinit_verify_draft_pa_pk_as_rep,
	pkinit_process_enc_key_pack,pkinit_verify_pa_pk_as_rep): pass in a
	bag and password callback.

2007-05-22 nalin
	* src/bcmst.c(find_key_for_cert): search the usual locations for the
	private key which corresponds to a cert, and then search a passed-in
	bag.
	* src/bcmst.c(bcms_add_signer_to_signed_data,bcms_create_signed_data,
	bcms_recover_enveloped_data_key,bcms_extract_enveloped_data): take a
	certdb, a bag, and a password callback.

2007-05-22 nalin
	* src/certs.c(cert_find_preferred_cert): add a debug message when
	we determine that we need to log into a device.

2007-05-22 nalin
	* src/commont.c: add a comment to the location of the definition of
	an AES IV. Remove unused variables.

2007-05-22 nalin
	* src/certhash.c: read a certificate, and produce a hash of its
	subject.

2007-05-22 nalin
	* src/aacat.c: exercise the aabag APIs.

2007-05-22 nalin
	* src/aabag.c: add a container for holding temporary certs and keys
	read from flat files.

2007-05-22 nalin
	* src/bpk5.c(bpk5_pbkdf1): add pkcs5 password-based key derivation.

2007-05-17 nalin
	* tag 0.6.1

2007-05-17 nalin
	* src/pkinit.c(server_get_flags): if "is_hw" is true, advertise that
	we can do hardware preauthentication to the KDC.

2007-05-04 nalin
	* tag 0.6.0
	* Makefile.am: define %{dist} to %{nil} before querying for the
	release number from the .spec file
	* NEWS: add.

2007-04-25 nalin
	* src/bcmst.c: add definition/template/encoder/decoder for
	EncryptedData.

2007-04-25 nalin
	* src/pkinitt.c: remove a few unused variables, remove an unnecessary
	typecast.

2007-04-25 nalin
	* configure.ac,src/pkinit.c: handle cases where preauth_plugin.h
	requires the krb5_gic_opt_pa_data data type and krb5.h didn't provide
	it, even as a stub, yet.

2007-04-25 nalin
	* src/pkinit.c: fix argument order for the client_process() function,
	from Jacob Berkman.  Fix arguments for client_tryagain().

2007-04-25 nalin
	* backport-1.6.1: actually commit the new files.

2007-04-24 nalin
	* configure.ac: define PKINIT_CLIENT_MISSING_GIC_OPTS instead of
	PKINIT_DONT_USE_GIC_OPTS.
	* src/pkinit.c: key off of PKINIT_CLIENT_MISSING_GIC_OPTS instead
	of PKINIT_DONT_USE_GIC_OPTS.

2007-04-24 nalin
	* Makefile.am,backport-1.6.1: add headers from 1.6.1.
	* configure.ac: check for 1.5/1.6/1.6.1.  Provide a --with-krb5-version
	option to override autodetection.  Define PKINIT_USE_PAL_BACKPORT
	and PKINIT_DONT_USE_GIC_OPTS instead of the more not namespaced
	USE_PAL_BACKPORT and DONT_USE_GIC_OPTS defines.
	* src/pkinit.c(client_gic_opts): add a stub.
	* src/pkinit.c(client_process): expect an "opts" argument if
	PKINIT_CLIENT_PROCESS_MISSING_OPT isn't defined.
	* src/pkinit.c(preauthentication_client_0): point to client_gic_opts
	if PKINIT_DONT_USE_GIC_OPTS isn't defined.

2007-04-24 nalin
	* autogen: drop --enable-debugging -- we're always debuggable now.

2007-04-24 nalin
	* src/bcmst.c(compare_issuer_and_sn,find_cert_by_issuer_and_sn): add.
	From Jacob Berkman.
	* src/bcmst.c(find_cert_from_rid): use find_cert_by_issuer_and_sn()
	instead of CERT_FindCertByIssuerAndSN().  From Jacob Berkman.

2007-04-23 nalin
	* ChangeLog: er, 2007, not 2006.
	* src/pkinitt.c: add routines specifically for decoding typed_data.

2007-04-23 nalin
	* src/pkinit.c(client_process): accept host names in various places.
	Rename authorization_data variables to indicate that they're really
	typed_data.

2007-04-23 nalin
	* src/certs.c(cert_get_oid_pkinit_rkey_data_oid,
	cert_get_oid_pkinit_auth_data_oid): add.
	* src/certs.c(check_item_in_list): factor out a routine for checking
	for a value in a list.
	* src/certs.c(cert_san_matches_dns_for_realm): add a check to see if
	the certificate in question contains a commonName in its subject or a
	dnsName subjectAltName with a value which matches the realm's
	"trusted_servers" setting.
	* src/certs.c(cert_is_preferred): check for a matching DNS name.
	* src/certs.c(cert_validate_kdc_certificate): check for a matching
	DNS name for the KDC in combination with SSL ServerAuth or KDC key
	EKU values.
	* doc/CONFIGURATION: note "trusted_servers"

2007-02-06 nalin
	* src/bcmst.c(external_principal_identifier_template): mark the
	subject_key_identifier as explicit, even though it's not, so that
	NSS will add and strip the octet-string wrapper for us, making it
	easier to use and compare values in CERTCertificate structures.

2007-02-06 nalin
	* src/commont.c(common_generate_content_encryption_key_aes): Add.
	* src/bcmst.c(bcms_extract_enveloped_data): Learn to parse AES
	parameters (an IV).
	* src/bcmsutil.c(main): add options for specifying use of
	AES128/AES256 keys for bulk encrypting the enveloped data.
	* src/bcmsutil.c(usage): document the new AES options, plus the old
	DES and RC2 options.
	* src/certs.c(cert_is_preferred): debug log when we find a banned cert
	or one which chains up to a trusted certifiers.
	* src/pkinit.c(client_try_again): debug log how many trusted
	certifiers or invalid certificates the KDC told us about.
	* src/pkinitt.c,src/bcmst.c: debug log key sizes when handling
	enveloped data.

2007-02-06 nalin
	* src/certs.c(bcms_extract_enveloped_data): note what the unsupported
	encryption algorithm is, for troubleshooting.
	* src/pkinitt.c(pkinit_create_trusted_certifiers_edata): fix encoding
	of trusted-certifiers.

2007-02-06 nalin
	* src/bcmst.c(bcms_add_signer_to_signed_data): insert the signing time
	into the list so that the encoding comes out with the items sorted, as
	required by CMS.
	* src/certs.c(cert_validate_{client,kdc}_certificate): add a specific
	log for unknown-issuer errors.
	* src/certs.c(cert_validate_client_certificate): catch and add e-data
	for revoked-certificate errors.  Return KDC_ERR_CLIENT_NAME_MISMATCH
	instead of KDC_ERR_CERTIFICATE_MISMATCH in the event of name a mismatch.

2007-02-05 nalin
	* src/certs.c,src/pkinit.c: certificate nicknames can be NULL; guard
	against that.
	* src/pkinitt.c(pkinit_encode_authorization_data): use the right
	template, correctly pass the array to the encoder.
	* src/pkinitt.c(pkinit_create_typed_datum): return a datum structure,
	which the caller will have an easier time processing.
	* src/pkinitt.c(pkinit_create_invalid_certificates_edata,
	pkinit_create_trusted_certifiers_edata,
	pkinit_create_dh_parameters_edata): encode the error data correctly.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_req): fix checking of the DH
	prime length.
	* src/pkinit.c(client_try_again): fix parsing of error data from the
	KDC: it's a sequence of typed-data, not just one.
	* src/certs.c(cert_validate_kdc_certificate): directly interpret some
	of the more expected errors for the log.
	* src/certs.c(cert_validate_client_certificate): directly interpret
	some of the more expected errors for the log.  Report invalid cert
	with e_data for revoked certificates.
	* src/bcmst.c: use the subjectName, not the possibly-NULL nickname, in
	a debug message.
	* src/commont.c: take care that integers are encoded so that they come
	out unsigned.

2007-02-05 nalin
	* src/pkinit.c: make the location of the client and server
	key/cert/token database configurable.

2007-02-05 nalin
	* configure.ac: check for 1.7-specific gic_opts callback functions.
	* configure.ac: bump version to 0.5.0.

2007-02-05 nalin
	* configure.ac: fixup logic so that we can tell the difference between
	1.5 without preauth_plugin.h (where the backport forces changes in the
	symbol names for safety's sake) and 1.6 without preauth_plugin.h.
	* src/bcmst.c: fix naming of sequence_of_algorithm_identifier.
	* src/bcmst.c(bcms_decode_sequence_of_algorithm_identifier): Add.
	* src/bcmst.c(bcms_get_trusted_{client_,kdc_,}certifier_list): Add.
	* src/certs.c(cert_matches_epi): factor this out, because it's getting
	too large for repeated code.
	* src/certs.c(cert_is_preferred): also provide an option to specify a
	list of banned external_principal_identifier structures, for cases
	where the KDC sends back info that one had an invalid signature.
	* src/certs.c(cert_validate_{client,kdc}_certificate): use the verify
	function which gives us a log, and log the failure entries.  Also
	return the SEC_ERROR_BAD_SIGNATURE certs if we're returning a
	KDC_ERR_INVALID_CERTIFICATE error.
	* src/commont.c(common_decode_sequence_of_algorithm_identifier): Add.
	* src/map-file.c: log when we encounter errors opening/reading the file.
	* src/oakley.c(oakley_parse_group): factor this out.
	* src/oakley.c(oakley_get_groups): Add, for retrieving all parameters
	with prime at least a certain size.
	* src/oakley.c: return a domain_parameters structure instead of the
	NSS DHParamaters and an extra q, because it's less work.
	* src/pkinit.c: add a "minimum_dh_prime_size" option.  Set the
	prompt callback before we attempt to open the database.
	* src/pkinit.c(client_try_again): add, decoding the error data and
	using it to guide attempts to find another certificate and generate
	an auth_pack.
	* src/pkinitt.c(pkinit_get_trusted_{client,kdc}_certifier_list): Retire.
	* src/pkinitt.c(pkinit_create_dh_parameters_edata): Add, for sending
	along with KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED errors.
	* src/pkinitt.c(pkinit_create_client_public_value): Allow a prescribed
	list of acceptable parameters from the KDC and a locally-specified
	minimum size.
	* src/pkinitt.c(pkinit_create_{draft_,}auth_pack): handle cases where
	pkinit_create_client_public_value() can't give us anything.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_req): set e_data for
	KDC_ERR_CANT_VERIFY_CERTIFICATE, KDC_ERR_INVALID_CERTIFICATE, and
	KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED.

2007-01-26 nalin
	* src/pkinitt.c(pkinit_time_from_signing_time): try to parse the raw
	timestamp (without the type and length) as a timestamp.
	* src/pkinitt.c(pkinit_time_from_utc_time): fix scanning of the time.
	* src/pkinitt.c(pkinit_create_trusted_certifiers_edata): add.
	* src/pkinitt.c(pkinit_create_invalid_certificates_edata): add.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_req): reuse code to build the
	list of trusted CAs to clean this area up a bit.
	* src/certs.c(cert_find_preferred_cert): take the list of restricted
	CAs as an external_principal_identifier list instead of an array of
	DER-encoded certificates.

2007-01-26 nalin
	* src/pkinitt.c(pkinit_signing_time_from_time): add function to
	convert to encoded signing time to time_t, using UTC time or
	generalized time, as appropriate.
	* src/pkinitt.c(pkinit_utctime_from_time): add function to
	convert to raw UTC time to time_t.
	* src/pkinitt.c(pkinit_generalizedtime_from_time): rename, make public
	function to convert to raw generalized time to time_t.
	* src/pkinitt.c(pkinit_time_from_signing_time): add function to
	convert from encoded signing time to time_t.
	* src/pkinitt.c(pkinit_from_utctime_time): add function to
	convert from raw UTC time to time_t.
	* src/pkinitt.c(pkinit_from_generalizedtime_time): rename, make public
	function to convert from raw generalized time to time_t.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_req): if the client included a
	signing time attribute as part of its request, check that date for
	clock skew as well.
	* src/commont.c: add encoder/decoder pairs for UTCTime and
	GeneralizedTime items.
	* src/bcmst.c(bcms_verify_signed_data): provide a way to stash the
	signing time as a time_t for the caller.
	* src/bcmst.c(bcms_make_external_principal_identifier_list): add.
	* src/bcmsutil.c: add a -v (verbosity) option to crank up debug
	logging.

2007-01-25 nalin
	- make pkinit_debug() take a module_context and a debug priority level
	- thread module_context pointers through many, many functions

2007-01-22 nalin
	* src/bcmst.c(bcms_make_certificate_list): take a deep copy of the
	certificate, in case the current origin gets pulled out from under
	us before we go to encode this list.
	* src/commont.c(common_make_algorithm_identifier_list): take a deep
	copy of the parameters field, in case the one we're using gets pulled
	out from under us before we go to encode this list.

2007-01-19 nalin
	* src/bcmst.c, src/certs.c: use CERT_DestroyCertArray() instead of
	a home-grown function which actually leaks the array pointer (oops).
	* src/certs.c(cert_validate_kdc_certificate,
	cert_validate_client_certificate): provide a way to pass in a
	certificate pool when we're verifying certificates, and import that
	pool into the temporary database to help us fill in the gaps in
	certificate chains.
	* src/pkinitt.c(pkinit_validate_kdc_certificate): provide a way to
	pass in the pool of certs which may include intermediate CAs.

2007-01-12 nalin
	* src/bcmst.c, src/certs.c: give destroy_array_of_certs() an
	upper-bound on the array size.

2007-01-12 nalin
	* backport: update to base off of the final 1.6 sources.

2007-01-12 nalin
	* src/pkinit.c: release slots and certificates when they're no longer
	going to be used. Note if NSS shutdown fails.

2007-01-12 nalin
	* doc/CONFIGURATION: note which Oakley groups we know about already.

2007-01-12 nalin
	* src/show-cert-guid.c: note if NSS shutdown fails.

2007-01-12 nalin
	* src/pkinitt.c: release keys, certificates, contexts, and slots.

2007-01-12 nalin
	* src/certs.c: release certificates when they're no longer going to be
	used.

2007-01-12 nalin
	* src/bcmsutil.c: add a -t option to allow forcing a token login.
	* src/bcmst.c: release keys, certificates, contexts, and slots.

2007-01-12 nalin
	* src/oakley.c, src/prime2sub: add q values for the rest of the DH
	parameter sets.

2007-01-08 nalin
	* src/bcmst.c(bcms_add_cert_chain_to_signed_data): walk the chain
	correctly (#221917).

2006-12-21 nalin
	* src/map-file.c: add a mapping-file module.  Hopefully at some point
	we'll be able to just call out to something smarter, but for now this
	may have to do.
	* src/show-cert-guid.c: rename an unused parameter so that it is easy
	to tell that we knew it would be unused.
	* src/bcmst.c: rename an unused parameter so that it is easy
	to tell that we knew it would be unused.
	* src/pkinitt.c: take a flag indicating whether or not we should trust
	SAN values for cases where we have to find the cert by ourselves.
	Change create_rep to take the cert instead of searching directly.
	* src/certs.c: support the passing-in of additional acceptible
	subject DN values when we need to find a certificate.
	* src/pkinit.c: support mappings files, and being told to not trust
	SAN values.

2006-12-20 nalin
	* src/pkinit.c: add an "is_hw" flag to control whether or not we
	consider ourselves hardware preauth.
	* src/certs.c: make cert_certificate_is_preferred() module-local.
	Provide a way to require that the cert being checked is issued (at
	some point) by one of some provided DER certs.

2006-12-20 nalin
	* src/certs.c(cert_verify_cert_for_encryption): add, to check if the
	client's key is allowed to be used to encrypt enc-key-pack replies.
	* src/pkinit.c(server_return): ensure that we either have DH params or
	a client cert which can be used for encryption before building the
	reply.

2006-12-20 nalin
	* src/certs.c(cert_validate_kdc_certificate,
	cert_validate_client_certificate,cert_is_preferred): don't barf if we
	can't find the certificate's issuer.
	* src/certs.c(cert_certificate_get_is_ca): make the message about not
	having basicConstraints less emphatic.
	* src/pkinit.c,backport/: update backport to 1.6 branch, rev. 18998

2006-12-19 nalin
	* src/bcmst.c(bcms_add_cert_chain_to_signed_data): use
	CERT_FindCertIssuer() to walk the certifying chain because it's
	simpler and seems to work better.
	* src/pkinit.c(server_verify): initialize some pointers we didn't
	used to clear.
	* src/pkinitt.c(pkinit_kdc_dh_key_info_template): the nonce isn't
	optional.  Set it correctly, too.

2006-12-18 nalin
	* src/pkinit.c: don't use the non-existent appdefault_integer() call,
	use our own.
	* src/commont.c: provide an alternate integer decoder.

2006-12-18 nalin
	* po: refresh
	* src/pkinitt.c: remove redundant validation calls, since we do the
	same in the cert...() functions we call
	* src/bcmst.c: change things so that we expect constructed data as
	the content in content-info structures, but continue to decode both.
	Generate signed-attributes by default; handle signed-attributes when
	verifying signed messages.
	* src/bcmsutil.c: update for bcmst changes.
	* src/commont.c: update for bcmst changes.  Encode the
	private_value_length field of DH parameters, if it's there, likewise
	for the validation_parms field of domain parameters.
	* src/pkinit.c: rework module init/cleanup to use the hooks provided
	by newer versions of the plugin layer, properly shut down NSS when
	we were the ones who initialized it.  Pick up "try_dh" and
	"preferred_group" options to affect how the client tries to get creds
	from the KDC.  (Note: the default modulus file distributed with Heimdal
	is group 2.)
	* src/certs.c: fail validation of either client or server certs if we
	can't build a chain from the cert to a "root" certificate.  Assume that
	such a certificate is unsuitable for our use, too.
	* src/oakley.c: track subprime values for groups for which they are
	defined, and provide a way for the caller to get them, too.
	* src/pkinitt.c: encode the parts of a PA-PK-AS-REQ as octet strings,
	not structures, per the spec.

2006-11-01 nalin
	* src/pkinit.c: don't try to free that duplicate cert
	* tag 0.2.1

2006-11-01 nalin
	* tag 0.2.0

2006-11-01 nalin
	* src/certs.c: remove no-longer-used certdb parameter from
	find_preferred_cert.  Clean up use of SAN matching flags.  Use
	CERT_DupCertificate instead of malloc to save the certificate.

2006-10-31  Jeff Moyer  <jmoyer@redhat.com>
	* src/certs.c, src/pkinit.c: It turns out that using
	CERT_FindCertByNickname is not a reliable method for listing
	certificates.  Instead, get a list of slots, and a list of
	certificates for each slot.  This fixes a problem with pkinit not
	allowing one to renew credentials after a kdestroy or expiry.

2006-10-30 nalin
	* src/certs.c: if the certificate we get back from
	CERT_FindCertByNickname() isn't the one we wanted, log a debug message.
	From Jeff Moyer.
	* backport/krb5-1.5.1-pal-18695.patch: remove
	* backport/krb5-1.5.1-pal-18750.patch: add updated
	* backport/krb5-trunk-edata.patch: add proposal for e-data changes
	* backport/krb5-trunk-free_plugin_dir_data.patch: add to fix a memleak
	* backport/krb5-trunk-module-global.patch: add to make module contexts
	shared across preauth systems.  Placeholder until Kevin's rework is
	ready.
	* backport/krb5-trunk-preauth-sort.patch: add to fix a crasher.
	* doc/openssl/make-certs.sh: add, for generating test certs without
	a full-blown CA installation.
	* src/certs.c: don't bail if we don't match the Kerberos name if we're
	also going to try to match a UPN.
	* src/pkinit.c: use a single call to find the KDC's certificate.

2006-10-30 nalin
	* src/certs.c: use the principal name templates from pkinitt, and not
	the local out-of-date-and-wrong ones, so that we properly recognize
	the value in a certificate.
	* src/pkinit.c: disable ocsp in the client by default, leaving it
	enabled by default in the KDC.  Only search for a certificate once.
	This means that we'll prefer a UPN cert over a KPN(?) cert if we
	see it first, but it cuts down on the number of prompts.
	* src/pkinitt.c: export only the one ASN.1 template.

2006-10-26 jmoyer
	* src/pkinit.c: report the error when NSS_Init() fails.

2006-10-26 nalin
	* doc/TODO: updates
	* src/bcmst.c: make the members of external_principal_identifier
	real OctetStrings and not pointers to Any.  Provide a way for
	code which creates enveloped_data to specify which bulk encryption
	algorithm we should use.
	* src/bcmsutil.c: provide -D and -R, to select the enveloped-data
	cipher.
	* src/commont.c: learn to generate/encode/use 3DES parameters (the IV).
	* src/pkinit.c: learn how to add auth_data to the list in the ticket
	provided by the KDC.
	* src/pkinitt.c: learn to encode the initial-verified authorization
	data.  Encode the authorization data when we verify a client's request,
	passing in items between the client and the end of its chain.  Get the
	bit- vs. byte-length stuff sorted out for DH keys.
	* src/oakley.c: add Oakley groups 1, 2, 5, 14, 15, 16.
	* src/pkinitt.c: default to using Oakley group 14.

2006-10-23 nalin
	* src/pkinit.c: track the client DH public key and nonce in the
	request context as well.
	* src/pkinitt.c: save the client DH public key and nonce from
	create_client_public_value.  Break KDC certificate validation into
	a shared subroutine.  Move enc-key-pack processing into a single
	function, and call it from the AS-REP verification function.  Try
	to get the client processing of a DH AS reply going.
	* src/certs.c: add OID information for dhPublicNumber and dhKeyAgreement
	* src/commont.c: add encoders/decoders for dhParameters, which might
	be what Windows expects.
	* src/pkinitt.c: follow examples more closely in calling the secret
	derivation functions.  Interpret the results of SECITEM_ItemsAreEqual
	properly, because it looks like yes, I am that dumb.
	* src/pkinit.c: be more careful about the request context pointer.
	* src/pkinitt.c: be more careful about assuming that we have access
	to the right client state.
	* src/pkinit.c: assume the module context is truly global, and use
	that so that we can access DH keying information for non-draft requests.
	* src/commont.c: add dump functions.  Add encoders/decoders for
	bit strings and integers.
	* src/pkinit.c: print the error message which goes with the return code.
	Encode the client's public value as an integer before passing it in
	for encoding as a bit string.  Catch errors decoding DH parameters
	sent by the client.  Encode the server's public value as an integer
	before passing it in for encoding as a bit string.  Return the server
	nonce iff we have a client nonce, not the other way around.  Decode
	the server's reply before using it as a public value.

2006-10-19 nalin
	* src/pkinit.c: track the client's private DH keying info in the client
	context.
	* src/pkinitt.c: add first pass at having the client supply DH
	parameters and keying data to the KDC.
	* src/commont.c: fix the template for the subject_public_key so that
	we encode it correctly.
	* src/pkinit.c: debug log when we save DH-related information in the
	server verify callback.
	* src/pkinitt.c: make the client's public key info in the auth_pack
	structures opaque at this level.  Forcibly disable DH in the draft
	version -- Windows either doesn't like it at all, or just this
	implementation.  Use CKM_DH_PKCS_KEY_PAIR_GEN instead of
	CKM_X9_42_DH_KEY_PAIR_GEN for generating DH keying data.  Call
	PK11_ExtractKeyValue before PK11_GetKeyData so that we actually
	get the keying data back.
	* src/pkinitt.c: catch a problem in my implementation.

2006-10-18 nalin
	* backport/backport-errors.h: wrap definitions of errors in #ifndef
	* src/commont.c: remove duplicate "j" reference in the template for
	domain parameters.  Add encode/decode function for domain_parameter
	structures.  Add common_make_random_item() for generating DH nonces.
	* src/pkinitt.c: correct the offset of client_public_value in the
	template for auth_pack.  Change client_dh_nonce in auth_pack to a
	pointer.  Change server_dh_nonce in dh_rep_info to a pointer.  Move
	create_auth_pack and create_draft_auth_pack to the right namespace.
	Teach pkinit_octet_string_to_aeskey() about the client and server
	nonces.  Flesh out pkinit_build_dh_key_info() implementation.

2006-10-16 nalin
	* src/pkinit.c(server_return): don't crash if the client didn't provide
	subject_public_key_info.

2006-10-16 nalin
	* src/pkinitt.c(kerberos_time_from_time): factor this out.

2006-10-16 nalin
	* src/bcmst.c(bcms_create_signed_data): the encapsulated content OID
	can be const.
	* src/commont.c: add encode/decode functions for subject_public_key_info
	* src/pkinit.c: store the pkauthenticator nonce, a re-encoded copy of
	the client's DH subject_public_key_info, and the DH nonce in the server-
	side context.
	* src/pkinitt.c: add encode/decode functions for kdc_dh_key_info.  Save
	the nonces and DH info when verifying a client AS_REQ, and if we have
	them when we go to create an AS_REQ, try to use DH first, failing
	miserably (for now).

2006-10-16 nalin
	* configure.ac: adjust status output to note that support != 1 header.
	* doc/README: don't use me as an example
	* src/certs.c(oid_pkinit_dhkey_data,oid_pkinit_dhkey,
	cert_get_oid_pkinit_dhkey_data): add.
	* commont.c: add templates and definitions for validation_parms and
	domain_parameters
	* pkinitt.c: add templates and definitions for kdc_dh_key_info.  The
	server_dh_nonce isn't ANY, it's an OctetString.  Add an AES-specific
	pkinit_octet_string_to_aeskey() for converting a DH key to an AES key.

2006-10-13 nalin
	* backport/krb5-1.5.1-pal-18687.patch: remove.
	* backport/krb5-1.5.1-pal-18695.patch: add.
	* src/pkinit.c: update for changes in trunk version of module interface.
	* backport/krb5/preauth_plugin.h: update to latest from trunk.
	* Makefile.am: add backport/backport-errors.h to dist files.
	* src/pkinit.c: use the right symbol names for backports.

2006-10-12 nalin
	* backport/backport-errors.h: add.
	* src/certs.c(cert_ku_matches_mask): add.
	* src/certs.c(cert_validate_kdc_certificate): return a Kerberos error
	code.
	* src/certs.c(cert_validate_client_certificate): return a Kerberos
	error code.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_rep_shared): use routines in
	certs for validating the response again.

2006-09-26 nalin
	* src/pkinit.c: flag that we replace the key on reply

2006-09-21 nalin
	* src/pkinit.c: turn on OCSP checking everywhere.

2006-09-20 nalin
	* src/bcms.c, src/pkinit.c: prototype updates for current rev of the
	pal patch, which is hopefully stable now

2006-09-15 nalin
	* configure.ac,Makefile.am,po/: add the beginnings of translation
	support for our one user-visible string.
	* src/pkinit.c: pull up the maximum allowed time skew by abusing the
	get-entry-data interface.
	* doc/krb5-1.5.1-pal.patch: add a means of querying for the maximum
	clock skew -- it's not per-entry, but the get-entry-data interface
	will do fine.  Unload plugins at KDC shutdown.  Skip over client
	modules which provide a NULL client_process() callback.

2006-09-14 nalin
	* doc/README.CVS: add
	* doc/Makefile.am: add README.CVS
	* doc/krb5-1.5.1-pal.patch: remove PA_VIRTUAL -- it's way more invasive
	to get it working right in the KDC.
	Client: skip preauth modules we've used more than once, and add sorting
	of the options the server presents, subject to the
	"preferred_preauth_types" setting.  Document "preferred_preauth_types"
	in the krb5.conf man page.  Fixup definitions of PADATA_PK_AS_REP_OLD,
	PADATA_PK_AS_REQ_OLD, and their not-old counterparts to match RFC 4120.
	Add a bunch of other preauth type definitions to krb5.h.
	* configure.ac: bump to 0.0.4
	* src/pkinit.c: use symbolic names for the preauth types.  Advertise
	PADATA_PK_AS_REQ from the server, not PADATA_PK_AS_REP.  In the client,
	treat PADATA_PK_AS_REQ as an invitation to do PKINIT, and
	PADATA_PK_AS_REP as the server response.  Now that we can sort out
	the preauth type order, don't rely on claiming to be both a PA_INFO
	and a PA_REAL module to get to run first.

2006-09-13 nalin
	* src/certs.c: don't leak the user's unparsed name
	* src/pkinit.c: debug-log whether or not we got a cert value from the
	realm database

2006-09-13 nalin
	* (all files) initial check-in
