2006-01-22 nalin
	* src/bcmst.c(bcms_make_certificate_list): take a deep copy of the
	certificate, in case the current origin gets pulled out from under
	us before we go to encode this list.
	* src/commont.c(common_make_algorithm_identifier_list): take a deep
	copy of the parameters field, in case the one we're using gets pulled
	out from under us before we go to encode this list.

2006-01-19 nalin
	* src/bcmst.c, src/certs.c: use CERT_DestroyCertArray() instead of
	a home-grown function which actually leaks the array pointer (oops).
	* src/certs.c(cert_validate_kdc_certificate,
	cert_validate_client_certificate): provide a way to pass in a
	certificate pool when we're verifying certificates, and import that
	pool into the temporary database to help us fill in the gaps in
	certificate chains.
	* src/pkinitt.c(pkinit_validate_kdc_certificate): provide a way to
	pass in the pool of certs which may include intermediate CAs.

2006-01-12 nalin
	* src/bcmst.c, src/certs.c: give destroy_array_of_certs() an
	upper-bound on the array size.

2006-01-12 nalin
	* backport: update to base off of the final 1.6 sources.

2006-01-12 nalin
	* src/pkinit.c: release slots and certificates when they're no longer
	going to be used. Note if NSS shutdown fails.

2006-01-12 nalin
	* doc/CONFIGURATION: note which Oakley groups we know about already.

2006-01-12 nalin
	* src/show-cert-guid.c: note if NSS shutdown fails.

2006-01-12 nalin
	* src/pkinitt.c: release keys, certificates, contexts, and slots.

2006-01-12 nalin
	* src/certs.c: release certificates when they're no longer going to be
	used.

2006-01-12 nalin
	* src/bcmsutil.c: add a -t option to allow forcing a token login.
	* src/bcmst.c: release keys, certificates, contexts, and slots.

2006-01-12 nalin
	* src/oakley.c, src/prime2sub: add q values for the rest of the DH
	parameter sets.

2006-01-08 nalin
	* src/bcmst.c(bcms_add_cert_chain_to_signed_data): walk the chain
	correctly (#221917).

2006-12-21 nalin
	* src/map-file.c: add a mapping-file module.  Hopefully at some point
	we'll be able to just call out to something smarter, but for now this
	may have to do.
	* src/show-cert-guid.c: rename an unused parameter so that it is easy
	to tell that we knew it would be unused.
	* src/bcmst.c: rename an unused parameter so that it is easy
	to tell that we knew it would be unused.
	* src/pkinitt.c: take a flag indicating whether or not we should trust
	SAN values for cases where we have to find the cert by ourselves.
	Change create_rep to take the cert instead of searching directly.
	* src/certs.c: support the passing-in of additional acceptable
	subject DN values when we need to find a certificate.
	* src/pkinit.c: support mappings files, and being told to not trust
	SAN values.

2006-12-20 nalin
	* src/pkinit.c: add an "is_hw" flag to control whether or not we
	consider ourselves hardware preauth.
	* src/certs.c: make cert_certificate_is_preferred() module-local.
	Provide a way to require that the cert being checked is issued (at
	some point) by one of some provided DER certs.

2006-12-20 nalin
	* src/certs.c(cert_verify_cert_for_encryption): add, to check if the
	client's key is allowed to be used to encrypt enc-key-pack replies.
	* src/pkinit.c(server_return): ensure that we either have DH params or
	a client cert which can be used for encryption before building the
	reply.

2006-12-20 nalin
	* src/certs.c(cert_validate_kdc_certificate,
	cert_validate_client_certificate,cert_is_preferred): don't barf if we
	can't find the certificate's issuer.
	* src/certs.c(cert_certificate_get_is_ca): make the message about not
	having basicConstraints less emphatic.
	* src/pkinit.c,backport/: update backport to 1.6 branch, rev. 18998

2006-12-19 nalin
	* src/bcmst.c(bcms_add_cert_chain_to_signed_data): use
	CERT_FindCertIssuer() to walk the certifying chain because it's
	simpler and seems to work better.
	* src/pkinit.c(server_verify): initialize some pointers we didn't
	use to clear.
	* src/pkinitt.c(pkinit_kdc_dh_key_info_template): the nonce isn't
	optional.  Set it correctly, too.

2006-12-18 nalin
	* src/pkinit.c: don't use the non-existent appdefault_integer() call,
	use our own.
	* src/commont.c: provide an alternate integer decoder.

2006-12-18 nalin
	* po: refresh
	* src/pkinitt.c: remove redundant validation calls, since we do the
	same in the cert...() functions we call
	* src/bcmst.c: change things so that we expect constructed data as
	the content in content-info structures, but continue to decode both.
	Generate signed-attributes by default; handle signed-attributes when
	verifying signed messages.
	* src/bcmsutil.c: update for bcmst changes.
	* src/commont.c: update for bcmst changes.  Encode the
	private_value_length field of DH parameters, if it's there, likewise
	for the validation_parms field of domain parameters.
	* src/pkinit.c: rework module init/cleanup to use the hooks provided
	by newer versions of the plugin layer, properly shut down NSS when
	we were the ones who initialized it.  Pick up "try_dh" and
	"preferred_group" options to affect how the client tries to get creds
	from the KDC.  (Note: the default modulus file distributed with Heimdal
	is group 2.)
	* src/certs.c: fail validation of either client or server certs if we
	can't build a chain from the cert to a "root" certificate.  Assume that
	such a certificate is unsuitable for our use, too.
	* src/oakley.c: track subprime values for groups for which they are
	defined, and provide a way for the caller to get them, too.
	* src/pkinitt.c: encode the parts of a PA-PK-AS-REQ as octet strings,
	not structures, per the spec.

2006-11-01 nalin
	* src/pkinit.c: don't try to free that duplicate cert
	* tag 0.2.1

2006-11-01 nalin
	* tag 0.2.0

2006-11-01 nalin
	* src/certs.c: remove no-longer-used certdb parameter from
	find_preferred_cert.  Clean up use of SAN matching flags.  Use
	CERT_DupCertificate instead of malloc to save the certificate.

2006-10-31  Jeff Moyer  <jmoyer@redhat.com>
	* src/certs.c, src/pkinit.c: It turns out that using
	CERT_FindCertByNickname is not a reliable method for listing
	certificates.  Instead, get a list of slots, and a list of
	certificates for each slot.  This fixes a problem with pkinit not
	allowing one to renew credentials after a kdestroy or expiry.

2006-10-30 nalin
	* src/certs.c: if the certificate we get back from
	CERT_FindCertByNickname() isn't the one we wanted, log a debug message.
	From Jeff Moyer.
	* backport/krb5-1.5.1-pal-18695.patch: remove
	* backport/krb5-1.5.1-pal-18750.patch: add updated
	* backport/krb5-trunk-edata.patch: add proposal for e-data changes
	* backport/krb5-trunk-free_plugin_dir_data.patch: add to fix a memleak
	* backport/krb5-trunk-module-global.patch: add to make module contexts
	shared across preauth systems.  Placeholder until Kevin's rework is
	ready.
	* backport/krb5-trunk-preauth-sort.patch: add to fix a crasher.
	* doc/openssl/make-certs.sh: add, for generating test certs without
	a full-blown CA installation.
	* src/certs.c: don't bail if we don't match the Kerberos name if we're
	also going to try to match a UPN.
	* src/pkinit.c: use a single call to find the KDC's certificate.

2006-10-30 nalin
	* src/certs.c: use the principal name templates from pkinitt, and not
	the local out-of-date-and-wrong ones, so that we properly recognize
	the value in a certificate.
	* src/pkinit.c: disable ocsp in the client by default, leaving it
	enabled by default in the KDC.  Only search for a certificate once.
	This means that we'll prefer a UPN cert over a KPN(?) cert if we
	see it first, but it cuts down on the number of prompts.
	* src/pkinitt.c: export only the one ASN.1 template.

2006-10-26 jmoyer
	* src/pkinit.c: report the error when NSS_Init() fails.

2006-10-26 nalin
	* doc/TODO: updates
	* src/bcmst.c: make the members of external_principal_identifier
	real OctetStrings and not pointers to Any.  Provide a way for
	code which creates enveloped_data to specify which bulk encryption
	algorithm we should use.
	* src/bcmsutil.c: provide -D and -R, to select the enveloped-data
	cipher.
	* src/commont.c: learn to generate/encode/use 3DES parameters (the IV).
	* src/pkinit.c: learn how to add auth_data to the list in the ticket
	provided by the KDC.
	* src/pkinitt.c: learn to encode the initial-verified authorization
	data.  Encode the authorization data when we verify a client's request,
	passing in items between the client and the end of its chain.  Get the
	bit- vs. byte-length stuff sorted out for DH keys.
	* src/oakley.c: add Oakley groups 1, 2, 5, 14, 15, 16.
	* src/pkinitt.c: default to using Oakley group 14.

2006-10-23 nalin
	* src/pkinit.c: track the client DH public key and nonce in the
	request context as well.
	* src/pkinitt.c: save the client DH public key and nonce from
	create_client_public_value.  Break KDC certificate validation into
	a shared subroutine.  Move enc-key-pack processing into a single
	function, and call it from the AS-REP verification function.  Try
	to get the client processing of a DH AS reply going.
	* src/certs.c: add OID information for dhPublicNumber and dhKeyAgreement
	* src/commont.c: add encoders/decoders for dhParameters, which might
	be what Windows expects.
	* src/pkinitt.c: follow examples more closely in calling the secret
	derivation functions.  Interpret the results of SECITEM_ItemsAreEqual
	properly, because it looks like yes, I am that dumb.
	* src/pkinit.c: be more careful about the request context pointer.
	* src/pkinitt.c: be more careful about assuming that we have access
	to the right client state.
	* src/pkinit.c: assume the module context is truly global, and use
	that so that we can access DH keying information for non-draft requests.
	* src/commont.c: add dump functions.  Add encoders/decoders for
	bit strings and integers.
	* src/pkinit.c: print the error message which goes with the return code.
	Encode the client's public value as an integer before passing it in
	for encoding as a bit string.  Catch errors decoding DH parameters
	sent by the client.  Encode the server's public value as an integer
	before passing it in for encoding as a bit string.  Return the server
	nonce iff we have a client nonce, not the other way around.  Decode
	the server's reply before using it as a public value.

2006-10-19 nalin
	* src/pkinit.c: track the client's private DH keying info in the client
	context.
	* src/pkinitt.c: add first pass at having the client supply DH
	parameters and keying data to the KDC.
	* src/commont.c: fix the template for the subject_public_key so that
	we encode it correctly.
	* src/pkinit.c: debug log when we save DH-related information in the
	server verify callback.
	* src/pkinitt.c: make the client's public key info in the auth_pack
	structures opaque at this level.  Forcibly disable DH in the draft
	version -- Windows either doesn't like it at all, or just this
	implementation.  Use CKM_DH_PKCS_KEY_PAIR_GEN instead of
	CKM_X9_42_DH_KEY_PAIR_GEN for generating DH keying data.  Call
	PK11_ExtractKeyValue before PK11_GetKeyData so that we actually
	get the keying data back.
	* src/pkinitt.c: catch a problem in my implementation.

2006-10-18 nalin
	* backport/backport-errors.h: wrap definitions of errors in #ifndef
	* src/commont.c: remove duplicate "j" reference in the template for
	domain parameters.  Add encode/decode function for domain_parameter
	structures.  Add common_make_random_item() for generating DH nonces.
	* src/pkinitt.c: correct the offset of client_public_value in the
	template for auth_pack.  Change client_dh_nonce in auth_pack to a
	pointer.  Change server_dh_nonce in dh_rep_info to a pointer.  Move
	create_auth_pack and create_draft_auth_pack to the right namespace.
	Teach pkinit_octet_string_to_aeskey() about the client and server
	nonces.  Flesh out pkinit_build_dh_key_info() implementation.

2006-10-16 nalin
	* src/pkinit.c(server_return): don't crash if the client didn't provide
	subject_public_key_info.

2006-10-16 nalin
	* src/pkinitt.c(kerberos_time_from_time): factor this out.

2006-10-16 nalin
	* src/bcmst.c(bcms_create_signed_data): the encapsulated content OID
	can be const.
	* src/commont.c: add encode/decode functions for subject_public_key_info
	* src/pkinit.c: store the pkauthenticator nonce, a re-encoded copy of
	the client's DH subject_public_key_info, and the DH nonce in the server-
	side context.
	* src/pkinitt.c: add encode/decode functions for kdc_dh_key_info.  Save
	the nonces and DH info when verifying a client AS_REQ, and if we have
	them when we go to create an AS_REQ, try to use DH first, failing
	miserably (for now).

2006-10-16 nalin
	* configure.ac: adjust status output to note that support != 1 header.
	* doc/README: don't use me as an example
	* src/certs.c(oid_pkinit_dhkey_data,oid_pkinit_dhkey,
	cert_get_oid_pkinit_dhkey_data): add.
	* commont.c: add templates and definitions for validation_parms and
	domain_parameters
	* pkinitt.c: add templates and definitions for kdc_dh_key_info.  The
	server_dh_nonce isn't ANY, it's an OctetString.  Add an AES-specific
	pkinit_octet_string_to_aeskey() for converting a DH key to an AES key.

2006-10-13 nalin
	* backport/krb5-1.5.1-pal-18687.patch: remove.
	* backport/krb5-1.5.1-pal-18695.patch: add.
	* src/pkinit.c: update for changes in trunk version of module interface.
	* backport/krb5/preauth_plugin.h: update to latest from trunk.
	* Makefile.am: add backport/backport-errors.h to dist files.
	* src/pkinit.c: use the right symbol names for backports.

2006-10-12 nalin
	* backport/backport-errors.h: add.
	* src/certs.c(cert_ku_matches_mask): add.
	* src/certs.c(cert_validate_kdc_certificate): return a Kerberos error
	code.
	* src/certs.c(cert_validate_client_certificate): return a Kerberos
	error code.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_rep_shared): use routines in
	certs for validating the response again.

2006-09-26 nalin
	* src/pkinit.c: flag that we replace the key on reply

2006-09-21 nalin
	* src/pkinit.c: turn on OCSP checking everywhere.

2006-09-20 nalin
	* src/bcms.c, src/pkinit.c: prototype updates for current rev of the
	pal patch, which is hopefully stable now

2006-09-15 nalin
	* configure.ac,Makefile.am,po/: add the beginnings of translation
	support for our one user-visible string.
	* src/pkinit.c: pull up the maximum allowed time skew by abusing the
	get-entry-data interface.
	* doc/krb5-1.5.1-pal.patch: add a means of querying for the maximum
	clock skew -- it's not per-entry, but the get-entry-data interface
	will do fine.  Unload plugins at KDC shutdown.  Skip over client
	modules which provide a NULL client_process() callback.

2006-09-14 nalin
	* doc/README.CVS: add
	* doc/Makefile.am: add README.CVS
	* doc/krb5-1.5.1-pal.patch: remove PA_VIRTUAL -- it's way more invasive
	to get it working right in the KDC.
	Client: skip preauth modules we've used more than once, and add sorting
	of the options the server presents, subject to the
	"preferred_preauth_types" setting.  Document "preferred_preauth_types"
	in the krb5.conf man page.  Fixup definitions of PADATA_PK_AS_REP_OLD,
	PADATA_PK_AS_REQ_OLD, and their not-old counterparts to match RFC 4120.
	Add a bunch of other preauth type definitions to krb5.h.
	* configure.ac: bump to 0.0.4
	* src/pkinit.c: use symbolic names for the preauth types.  Advertise
	PADATA_PK_AS_REQ from the server, not PADATA_PK_AS_REP.  In the client,
	treat PADATA_PK_AS_REQ as an invitation to do PKINIT, and
	PADATA_PK_AS_REP as the server response.  Now that we can sort out
	the preauth type order, don't rely on claiming to be both a PA_INFO
	and a PA_REAL module to get to run first.

2006-09-13 nalin
	* src/certs.c: don't leak the user's unparsed name
	* src/pkinit.c: debug-log whether or not we got a cert value from the
	realm database

2006-09-13 nalin
	* (all files) initial check-in
