HEIMDAL: move code from source4/heimdal* to third_party/heimdal*

This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184

1 files changed, 1152 insertions, 0 deletions

diff --git a/third_party/heimdal/NEWS b/third_party/heimdal/NEWS
new file mode 100644
index 00000000000..79efe803a78
--- /dev/null
+++ b/third_party/heimdal/NEWS
@@ -0,0 +1,1152 @@
+Release Notes - Heimdal - Version Heimdal 7.3
+
+ Security
+
+ - Fix transit path validation.  Commit f469fc6 (2010-10-02) inadvertently
+   caused the previous hop realm to not be added to the transit path
+   of issued tickets.  This may, in some cases, enable bypass of capath
+   policy in Heimdal versions 1.5 through 7.2.
+
+   Note, this may break sites that rely on the bug.  With the bug some
+   incomplete [capaths] worked, that should not have.  These may now break
+   authentication in some cross-realm configurations.
+   (CVE-2017-6594)
+
+Release Notes - Heimdal - Version Heimdal 7.2
+
+ Bug fixes
+ - Portability improvements
+ - More strict parsing of encoded URI components in HTTP KDC
+ - Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism
+ - Avoid overly specific CPU info in krb5-config in aid of reproducible builds
+ - Don't do AFS string-to-key tests when feature is disabled
+ - Skip mdb_stat test when the command is not available
+ - Windows: update SHA2 timestamp server
+ - hdb: add missing export hdb_generate_key_set_password_with_ks_tuple
+ - Fix signature of hdb_generate_key_set_password()
+ - Windows: enable KX509 support in the KDC
+ - kdc: fix kx509 service principal match
+ - iprop: handle case where master sends nothing new
+ - ipropd-slave: fix incorrect error codes
+ - Allow choice of sqlite for HDB pref
+ - check-iprop: don't fail to kill daemons
+ - roken: pidfile -> rk_pidfile
+ - kdc: _kdc_do_kx509 fix use after free error
+ - Do not detect x32 as 64-bit platform.
+ - No sys/ttydefaults.h on CYGWIN
+ - Fix check-iprop races
+ - roken_detach_prep() close pipe
+
+Release Notes - Heimdal - Version Heimdal 7.1
+
+ Security
+
+ - kx509 realm-chopping security bug
+ - non-authorization of alias additions/removals in kadmind
+   (CVE-2016-2400)
+
+ Feature
+
+ - iprop has been revamped to fix a number of race conditions that could
+   lead to inconsistent replication
+ - Hierarchical capath support
+ - AES Encryption with HMAC-SHA2 for Kerberos 5
+   draft-ietf-kitten-aes-cts-hmac-sha2-11
+ - hcrypto is now thread safe on all platforms
+ - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for
+   Solaris), and OpenSSL.  OpenSSL is now a first-class libhcrypto backend.
+   OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by
+   backend
+ - HDB now supports LMDB
+ - Thread support on Windows
+ - RFC 6113  Generalized Framework for Kerberos Pre-Authentication (FAST)
+ - New GSS APIs:
+   . gss_localname
+ - Allow setting what encryption types a principal should have with
+   [kadmin] default_key_rules, see krb5.conf manpage for more info
+ - Unify libhcrypto with LTC (libtomcrypto)
+ - asn1_compile 64-bit INTEGER functionality
+ - HDB key history support including --keepold kadmin password option
+ - Improved cross-realm key rollover safety
+ - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces
+ - Improved MIT compatibility
+   . kadm5 API
+   . Migration from MIT KDB via "mitdb" HDB backend
+   . Capable of writing the HDB in MIT dump format
+ - Improved Active Directory interoperability
+   . Enctype selection issues for PAC and other authz-data signatures
+   . Cross realm key rollover (kvno 0)
+ - New [kdc] enctype negotiation configuration:
+   . tgt-use-strongest-session-key
+   . svc-use-strongest-session-key
+   . preauth-use-strongest-session-key
+   . use-strongest-server-key
+ - The KDC process now uses a multi-process model improving
+   resiliency and performance
+ - Allow batch-mode kinit with password file
+ - SIGINFO support added to kinit cmd
+ - New kx509 configuration options:
+   . kx509_ca
+   . kca_service
+   . kx509_include_pkinit_san
+   . kx509_template
+ - Improved Heimdal library/plugin version safety
+ - Name canonicalization
+   . DNS resolver searchlist
+   . Improved referral support
+   . Support host:port host-based services
+ - Pluggable libheimbase interface for DBs
+ - Improve IPv6 Support
+ - LDAP
+   . Bind DN and password
+   . Start TLS
+ - klist --json
+ - DIR credential cache type
+ - Updated upstream SQLite and libedit
+ - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh,
+   telnet, xnlock
+ - Completely remove RAND_egd support
+ - Moved kadmin and ktutil to /usr/bin
+ - Stricter fcache checks (see fcache_strict_checking krb5.conf setting)
+    . use O_NOFOLLOW
+    . don't follow symlinks
+    . require cache files to be owned by the user
+    . require sensible permissions (not group/other readable)
+ - Implemented gss_store_cred()
+ - Many more
+
+ Bug fixes
+ - iprop has been revamped to fix a number of race conditions that could
+   lead to data loss
+ - Include non-loopback addresses assigned to loopback interfaces
+   when requesting tickets with addresses
+ - KDC 1DES session key selection (for AFS rxkad-k5 compatibility)
+ - Keytab file descriptor and lock leak
+ - Credential cache corruption bugs
+   (NOTE: The FILE ccache is still not entirely safe due to the
+   fundamentally unsafe design of POSIX file locking)
+ - gss_pseudo_random() interop bug
+ - Plugins are now preferentially loaded from the run-time install tree
+ - Reauthentication after password change in init_creds_password
+ - Memory leak in the client kadmin library
+ - TGS client requests renewable/forwardable/proxiable when possible
+ - Locking issues in DB1 and DB3 HDB backends
+ - Master HDB can remain locked while waiting for network I/O
+ - Renewal/refresh logic when kinit is provided with a command
+ - KDC handling of enterprise principals
+ - Use correct bit for anon-pkinit
+ - Many more
+
+ Acknowledgements
+
+ This release of Heimdal includes contributions from:
+
+    Abhinav Upadhyay        Heath Kehoe             Nico Williams
+    Andreas Schneider       Henry Jacques           Patrik Lundin
+    Andrew Bartlett         Howard Chu              Philip Boulain
+    Andrew Tridgell         Igor Sobrado            Ragnar Sundblad
+    Antoine Jacoutot        Ingo Schwarze           Remi Ferrand
+    Arran Cudbard-Bell      Jakub Čajka             Rod Widdowson
+    Arvid Requate           James Le Cuirot         Rok Papež
+    Asanka Herath           James Lee               Roland C. Dowdeswell
+    Ben Kaduk               Jeffrey Altman          Ross L Richardson
+    Benjamin Kaduk          Jeffrey Clark           Russ Allbery
+    Bernard Spil            Jeffrey Hutzelman       Samuel Cabrero
+    Brian May               Jelmer Vernooij         Samuel Thibault
+    Chas Williams           Ken Dreyer              Santosh Kumar Pradhan
+    Chaskiel Grundman       Kiran S J               Sean Davis
+    Dana Koch               Kumar Thangavelu        Sergio Gelato
+    Daniel Schepler         Landon Fuller           Simon Wilkinson
+    David Mulder            Linus Nordberg          Stef Walter
+    Douglas Bagnall         Love Hörnquist Åstrand  Stefan Metzmacher
+    Ed Maste                Luke Howard             Steffen Jaeckel
+    Eray Aslan              Magnus Ahltorp          Timothy Pearson
+    Florian Best            Marc Balmer             Tollef Fog Heen
+    Fredrik Pettai          Marcin Cieślak          Tony Acero
+    Greg Hudson             Marco Molteni           Uri Simchoni
+    Gustavo Zacarias        Matthieu Hautreux       Viktor Dukhovni
+    Günther Deschner        Michael Meffie          Volker Lendecke
+    Harald Barth            Moritz Lenz
+
+Release Notes - Heimdal - Version Heimdal 1.5.3
+
+ Bug fixes
+ - Fix leaking file descriptors in KDC
+ - Better socket/timeout handling in libkrb5
+ - General bug fixes
+ - Build fixes
+
+Release Notes - Heimdal - Version Heimdal 1.5.2
+
+ Security fixes
+ - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege
+ - Check that key types strictly match - denial of service
+
+Release Notes - Heimdal - Version Heimdal 1.5.1
+
+ Bug fixes
+ - Fix building on Solaris, requires c99
+ - Fix building on Windows
+ - Build system updates
+
+Release Notes - Heimdal - Version Heimdal 1.5
+
+New features
+
+ - Support GSS name extensions/attributes
+ - SHA512 support
+ - No Kerberos 4 support
+ - Basic support for MIT Admin protocol (SECGSS flavor)
+   in kadmind (extract keytab)
+ - Replace editline with libedit
+
+Release Notes - Heimdal - Version Heimdal 1.4
+
+ New features
+ 
+ - Support for reading MIT database file directly
+ - KCM is polished up and now used in production
+ - NTLM first class citizen, credentials stored in KCM
+ - Table driven ASN.1 compiler, smaller!, not enabled by default
+ - Native Windows client support
+
+Notes
+
+ - Disabled write support NDBM hdb backend (read still in there) since
+   it can't handle large records, please migrate to a diffrent backend
+   (like BDB4)
+
+Release Notes - Heimdal - Version Heimdal 1.3.3
+
+ Bug fixes
+ - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]
+ - Check NULL pointers before dereference them [kdc]
+
+Release Notes - Heimdal - Version Heimdal 1.3.2
+
+ Bug fixes
+
+ - Don't mix length when clearing hmac (could memset too much)
+ - More paranoid underrun checking when decrypting packets
+ - Check the password change requests and refuse to answer empty packets
+ - Build on OpenSolaris 
+ - Renumber AD-SIGNED-TICKET since it was stolen from US
+ - Don't cache /dev/*random file descriptor, it doesn't get unloaded
+ - Make C++ safe
+ - Misc warnings
+
+Release Notes - Heimdal - Version Heimdal 1.3.1
+
+ Bug fixes
+
+ - Store KDC offset in credentials
+ - Many many more bug fixes
+
+Release Notes - Heimdal - Version Heimdal 1.3.1
+
+ New features
+
+ - Make work with OpenLDAPs krb5 overlay
+
+Release Notes - Heimdal - Version Heimdal 1.3
+
+ New features
+
+ - Partial support for MIT kadmind rpc protocol in kadmind
+ - Better support for finding keytab entries when using SPN aliases in the KDC
+ - Support BER in ASN.1 library (needed for CMS)
+ - Support decryption in Keychain private keys
+ - Support for new sqlite based credential cache
+ - Try both KDC referals and the common DNS reverse lookup in GSS-API
+ - Fix the KCM to not leak resources on failure
+ - Add IPv6 support to iprop
+ - Support localization of error strings in
+   kinit/klist/kdestroy and Kerberos library
+ - Remove Kerberos 4 support in application (still in KDC)
+ - Deprecate DES
+ - Support i18n password in windows domains (using UTF-8)
+ - More complete API emulation of OpenSSL in hcrypto
+ - Support for ECDSA and ECDH when linking with OpenSSL
+
+ API changes
+
+ - Support for settin friendly name on credential caches
+ - Move to using doxygen to generate documentation.
+ - Sprinkling __attribute__((__deprecated__)) for old function to be removed
+ - Support to export LAST-REQUST information in AS-REQ
+ - Support for client deferrals in in AS-REQ
+ - Add seek support for krb5_storage.
+ - Support for split AS-REQ, first step for IA-KERB
+ - Fix many memory leaks and bugs
+ - Improved regression test
+ - Support krb5_cccol
+ - Switch to krb5_set_error_message
+ - Support krb5_crypto_*_iov	
+ - Switch to use EVP for most function
+ - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec)
+ - Add support for GSS_C_DELEG_POLICY_FLAG
+ - Add krb5_cc_[gs]et_config to store data in the credential caches
+ - PTY testing application
+
+Bugfixes
+ - Make building on AIX6 possible.
+ - Bugfixes in LDAP KDC code to make it more stable
+ - Make ipropd-slave reconnect when master down gown
+
+
+Release Notes - Heimdal - Version Heimdal 1.2.1
+
+* Bug
+
+  [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris
+  [HEIMDAL-151] - Make canned tests work again after cert expired
+  [HEIMDAL-152] - iprop test: use full hostname to avoid realm
+                  resolving errors
+  [HEIMDAL-153] - ftp: Use the correct length for unmap, msync
+
+Release Notes - Heimdal - Version Heimdal 1.2
+
+* Bug
+
+  [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in
+  		 gss_display_name/gss_export_name when using SPNEGO
+  [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1
+  [HEIMDAL-17] - Remove support for depricated [libdefaults]capath
+  [HEIMDAL-52] - hdb overwrite aliases for db databases
+  [HEIMDAL-54] - Two issues which affect credentials delegation
+  [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args
+  [HEIMDAL-62] - Fix printing of sig_atomic_t
+  [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto
+  [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase
+  [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241)
+
+* Improvement
+  [HEIMDAL-67] - Fix locking and store credential in atomic writes
+                 in the FILE credential cache
+  [HEIMDAL-106] - make compile on cygwin again
+  [HEIMDAL-107] - Replace old random key generation in des module
+                  and use it with RAND_ function instead
+  [HEIMDAL-115] - Better documentation and compatibility in hcrypto
+                  in regards to OpenSSL
+
+* New Feature
+  [HEIMDAL-3] - pkinit alg agility PRF test vectors
+  [HEIMDAL-14] - Add libwind to Heimdal
+  [HEIMDAL-16] - Use libwind in hx509
+  [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to
+                 the negotiation
+  [HEIMDAL-74] - Add support to report extended error message back
+                 in AS-REQ to support windows clients
+  [HEIMDAL-116] - test pty based application (using rkpty)
+  [HEIMDAL-120] - Use new OpenLDAP API (older deprecated)
+
+* Task
+  [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ.
+                 This drop compatibility with pre 0.3d KDCs.
+  [HEIMDAL-64] - kcm: first implementation of kcm-move-cache
+  [HEIMDAL-65] - Failed to compile with --disable-pk-init
+  [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some
+                 wraparound checks doesn't apply to Heimdal
+
+Changes in release 1.1
+
+ * Read-only PKCS11 provider built-in to hx509.
+
+ * Documentation for hx509, hcrypto and ntlm libraries improved.
+
+ * Better compatibilty with Windows 2008 Server pre-releases and Vista.
+
+ * Mac OS X 10.5 support for native credential cache.
+
+ * Provide pkg-config file for Heimdal (heimdal-gssapi.pc).
+
+ * Bug fixes.
+
+Changes in release 1.0.2
+
+* Ubuntu packages.
+
+* Bug fixes.
+
+Changes in release 1.0.1
+
+ * Serveral bug fixes to iprop.
+
+ * Make work on platforms without dlopen.
+
+ * Add RFC3526 modp group14 as default.
+
+ * Handle [kdc] database = { } entries without realm = stanzas.
+
+ * Make krb5_get_renewed_creds work.
+
+ * Make kaserver preauth work again.
+
+ * Bug fixes.
+
+Changes in release 1.0
+
+ * Add gss_pseudo_random() for mechglue and krb5.
+
+ * Make session key for the krbtgt be selected by the best encryption
+   type of the client.
+
+ * Better interoperability with other PK-INIT implementations.
+
+ * Inital support for Mac OS X Keychain for hx509.
+
+ * Alias support for inital ticket requests.
+
+ * Add symbol versioning to selected libraries on platforms that uses
+   GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc.
+
+ * New version of imath included in hcrypto.
+
+ * Fix memory leaks.
+
+ * Bugs fixes.
+
+Changes in release 0.8.1
+
+ * Make ASN.1 library less paranoid to with regard to NUL in string to
+   make it inter-operate with MIT Kerberos again.
+
+ * Make GSS-API library work again when using gss_acquire_cred
+
+ * Add symbol versioning to libgssapi when using GNU ld.
+
+ * Fix memory leaks 
+
+ * Bugs fixes
+
+Changes in release 0.8
+
+ * PK-INIT support.
+
+ * HDB extensions support, used by PK-INIT.
+
+ * New ASN.1 compiler.
+
+ * GSS-API mechglue from FreeBSD.
+
+ * Updated SPNEGO to support RFC4178.
+
+ * Support for Cryptosystem Negotiation Extension (RFC 4537).
+
+ * A new X.509 library (hx509) and related crypto functions.
+
+ * A new ntlm library (heimntlm) and related crypto functions.
+
+ * Updated the built-in crypto library with bignum support using
+   imath, support for RSA and DH and renamed it to libhcrypto.
+
+ * Subsystem in the KDC, digest, that will perform the digest
+   operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL
+   DIGEST-MD5 NTLMv1 and NTLMv2.
+
+ * KDC will return the "response too big" error to force TCP retries
+   for large (default 1400 bytes) UDP replies.  This is common for
+   PK-INIT requests.
+
+ * Libkafs defaults to use 2b tokens.
+
+ * Default to use the API cache on Mac OS X.
+
+ * krb5_kuserok() also checks ~/.k5login.d directory for acl files,
+   see manpage for krb5_kuserok for description.
+
+ * Many, many, other updates to code and info manual and manual pages.
+
+ * Bug fixes
+
+Changes in release 0.7.2
+
+* Fix security problem in rshd that enable an attacker to overwrite
+  and change ownership of any file that root could write.
+
+* Fix a DOS in telnetd. The attacker could force the server to crash
+  in a NULL de-reference before the user logged in, resulting in inetd
+  turning telnetd off because it forked too fast.
+
+* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name
+  exists in the keytab before returning success. This allows servers
+  to check if its even possible to use GSSAPI.
+
+* Fix receiving end of token delegation for GSS-API. It still wrongly
+  uses subkey for sending for compatibility reasons, this will change
+  in 0.8.
+
+* telnetd, login and rshd are now more verbose in logging failed and
+  successful logins.
+
+* Bug fixes
+
+Changes in release 0.7.1
+
+* Bug fixes
+
+Changes in release 0.7
+
+ * Support for KCM, a process based credential cache
+
+ * Support CCAPI credential cache
+
+ * SPNEGO support
+
+ * AES (and the gssapi conterpart, CFX) support
+
+ * Adding new and improve old documentation
+
+ * Bug fixes
+
+Changes in release 0.6.6
+
+* Fix security problem in rshd that enable an attacker to overwrite
+  and change ownership of any file that root could write.
+
+* Fix a DOS in telnetd. The attacker could force the server to crash
+  in a NULL de-reference before the user logged in, resulting in inetd
+  turning telnetd off because it forked too fast.
+
+Changes in release 0.6.5
+
+ * fix vulnerabilities in telnetd
+
+ * unbreak Kerberos 4 and kaserver
+
+Changes in release 0.6.4
+
+ * fix vulnerabilities in telnet
+
+ * rshd: encryption without a separate error socket should now work
+
+ * telnet now uses appdefaults for the encrypt and forward/forwardable
+   settings
+
+ * bug fixes
+
+Changes in release 0.6.3
+
+ * fix vulnerabilities in ftpd
+
+ * support for linux AFS /proc "syscalls"
+
+ * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
+   kpasswdd
+
+ * fix possible KDC denial of service
+
+ * bug fixes
+
+Changes in release 0.6.2
+
+ * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
+
+Changes in release 0.6.1
+
+ * Fixed ARCFOUR suppport
+
+ * Cross realm vulnerability
+
+ * kdc: fix denial of service attack
+
+ * kdc: stop clients from renewing tickets into the future
+
+ * bug fixes
+	
+Changes in release 0.6
+
+* The DES3 GSS-API mechanism has been changed to inter-operate with
+  other GSSAPI implementations. See man page for gssapi(3) how to turn
+  on generation of correct MIC messages. Next major release of heimdal 
+  will generate correct MIC by default.
+
+* More complete GSS-API support
+
+* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
+  support in applications no longer requires Kerberos 4 libs
+
+* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
+
+* other bug fixes
+
+Changes in release 0.5.2
+
+ * kdc: add option for disabling v4 cross-realm (defaults to off)
+
+ * bug fixes
+
+Changes in release 0.5.1
+
+ * kadmind: fix remote exploit
+
+ * kadmind: add option to disable kerberos 4
+
+ * kdc: make sure kaserver token life is positive
+
+ * telnet: use the session key if there is no subkey
+
+ * fix EPSV parsing in ftp
+
+ * other bug fixes
+
+Changes in release 0.5
+
+ * add --detach option to kdc
+
+ * allow setting forward and forwardable option in telnet from
+   .telnetrc, with override from command line
+
+ * accept addresses with or without ports in krb5_rd_cred
+
+ * make it work with modern openssl
+
+ * use our own string2key function even with openssl (that handles weak
+   keys incorrectly)
+
+ * more system-specific requirements in login
+
+ * do not use getlogin() to determine root in su
+
+ * telnet: abort if telnetd does not support encryption
+
+ * update autoconf to 2.53
+
+ * update config.guess, config.sub
+
+ * other bug fixes
+
+Changes in release 0.4e
+
+ * improve libcrypto and database autoconf tests
+
+ * do not care about salting of server principals when serving v4 requests
+
+ * some improvements to gssapi library
+
+ * test for existing compile_et/libcom_err
+
+ * portability fixes
+
+ * bug fixes
+
+Changes in release 0.4d
+
+ * fix some problems when using libcrypto from openssl
+
+ * handle /dev/ptmx `unix98' ptys on Linux
+
+ * add some forgotten man pages
+
+ * rsh: clean-up and add man page
+
+ * fix -A and -a in builtin-ls in tpd
+
+ * fix building problem on Irix
+
+ * make `ktutil get' more efficient
+
+ * bug fixes
+
+Changes in release 0.4c
+
+ * fix buffer overrun in telnetd
+
+ * repair some of the v4 fallback code in kinit
+
+ * add more shared library dependencies
+
+ * simplify and fix hprop handling of v4 databases
+
+ * fix some building problems (osf's sia and osfc2 login)
+
+ * bug fixes
+
+Changes in release 0.4b
+
+ * update the shared library version numbers correctly
+
+Changes in release 0.4a
+
+ * corrected key used for checksum in mk_safe, unfortunately this
+   makes it backwards incompatible
+
+ * update to autoconf 2.50, libtool 1.4
+
+ * re-write dns/config lookups (krb5_krbhst API)
+
+ * make order of using subkeys consistent
+
+ * add man page links
+
+ * add more man pages
+
+ * remove rfc2052 support, now only rfc2782 is supported
+
+ * always build with kaserver protocol support in the KDC (assuming
+   KRB4 is enabled) and support for reading kaserver databases in
+   hprop
+
+Changes in release 0.3f
+
+ * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
+   the new keytab type that tries both of these in order (SRVTAB is
+   also an alias for krb4:)
+
+ * improve error reporting and error handling (error messages should
+   be more detailed and more useful)
+
+ * improve building with openssl
+
+ * add kadmin -K, rcp -F 
+
+ * fix two incorrect weak DES keys
+
+ * fix building of kaserver compat in KDC
+
+ * the API is closer to what MIT krb5 is using
+
+ * more compatible with windows 2000
+
+ * removed some memory leaks
+
+ * bug fixes
+
+Changes in release 0.3e
+
+ * rcp program included
+
+ * fix buffer overrun in ftpd
+
+ * handle omitted sequence numbers as zeroes to handle MIT krb5 that
+   cannot generate zero sequence numbers
+
+ * handle v4 /.k files better
+
+ * configure/portability fixes
+
+ * fixes in parsing of options to kadmin (sub-)commands
+
+ * handle errors in kadmin load better
+
+ * bug fixes
+
+Changes in release 0.3d
+
+ * add krb5-config
+
+ * fix a bug in 3des gss-api mechanism, making it compatible with the
+   specification and the MIT implementation
+
+ * make telnetd only allow a specific list of environment variables to
+   stop it from setting `sensitive' variables
+
+ * try to use an existing libdes
+
+ * lib/krb5, kdc: use correct usage type for ap-req messages.  This
+   should improve compatability with MIT krb5 when using 3DES
+   encryption types
+
+ * kdc: fix memory allocation problem
+
+ * update config.guess and config.sub
+
+ * lib/roken: more stuff implemented
+
+ * bug fixes and portability enhancements
+
+Changes in release 0.3c
+
+ * lib/krb5: memory caches now support the resolve operation
+
+ * appl/login: set PATH to some sane default
+
+ * kadmind: handle several realms
+
+ * bug fixes (including memory leaks)
+
+Changes in release 0.3b
+
+ * kdc: prefer default-salted keys on v5 requests
+
+ * kdc: lowercase hostnames in v4 mode
+
+ * hprop: handle more types of MIT salts
+
+ * lib/krb5: fix memory leak
+
+ * bug fixes
+
+Changes in release 0.3a:
+
+ * implement arcfour-hmac-md5 to interoperate with W2K
+
+ * modularise the handling of the master key, and allow for other
+   encryption types. This makes it easier to import a database from
+   some other source without having to re-encrypt all keys.
+
+ * allow for better control over which encryption types are created
+
+ * make kinit fallback to v4 if given a v4 KDC
+
+ * make klist work better with v4 and v5, and add some more MIT
+   compatibility options
+
+ * make the kdc listen on the krb524 (4444) port for compatibility
+   with MIT krb5 clients
+
+ * implement more DCE/DFS support, enabled with --enable-dce, see
+   lib/kdfs and appl/dceutils
+
+ * make the sequence numbers work correctly
+
+ * bug fixes
+
+Changes in release 0.2t:
+
+ * bug fixes
+
+Changes in release 0.2s:
+
+ * add OpenLDAP support in hdb
+
+ * login will get v4 tickets when it receives forwarded tickets
+
+ * xnlock supports both v5 and v4
+
+ * repair source routing for telnet
+
+ * fix building problems with krb4 (krb_mk_req)
+
+ * bug fixes
+
+Changes in release 0.2r:
+
+ * fix realloc memory corruption bug in kdc
+
+ * `add --key' and `cpw --key' in kadmin
+
+ * klist supports listing v4 tickets
+
+ * update config.guess and config.sub
+
+ * make v4 -> v5 principal name conversion more robust
+
+ * support for anonymous tickets
+
+ * new man-pages
+
+ * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab.
+
+ * use and set expiration and not password expiration when dumping
+   to/from ka server databases / krb4 databases
+
+ * make the code happier with 64-bit time_t
+
+ * follow RFC2782 and by default do not look for non-underscore SRV names
+
+Changes in release 0.2q:
+
+ * bug fix in tcp-handling in kdc
+
+ * bug fix in expand_hostname
+
+Changes in release 0.2p:
+
+ * bug fix in `kadmin load/merge'
+
+ * bug fix in krb5_parse_address
+
+Changes in release 0.2o:
+
+ * gss_{import,export}_sec_context added to libgssapi
+
+ * new option --addresses to kdc (for listening on an explicit set of
+   addresses)
+
+ * bug fixes in the krb4 and kaserver emulation part of the kdc
+
+ * other bug fixes
+
+Changes in release 0.2n:
+
+ * more robust parsing of dump files in kadmin
+ * changed default timestamp format for log messages to extended ISO
+   8601 format (Y-M-DTH:M:S)
+ * changed md4/md5/sha1 APIes to be de-facto `standard'
+ * always make hostname into lower-case before creating principal
+ * small bits of more MIT-compatability
+ * bug fixes
+
+Changes in release 0.2m:
+
+ * handle glibc's getaddrinfo() that returns several ai_canonname
+
+ * new endian test
+
+ * man pages fixes
+
+Changes in release 0.2l:
+
+ * bug fixes
+
+Changes in release 0.2k:
+
+ * better IPv6 test
+
+ * make struct sockaddr_storage in roken work better on alphas
+
+ * some missing [hn]to[hn]s fixed.
+
+ * allow users to change their own passwords with kadmin (with initial
+   tickets)
+
+ * fix stupid bug in parsing KDC specification
+
+ * add `ktutil change' and `ktutil purge'
+
+Changes in release 0.2j:
+
+ * builds on Irix
+
+ * ftpd works in passive mode
+
+ * should build on cygwin
+
+ * work around broken IPv6-code on OpenBSD 2.6, also add configure
+   option --disable-ipv6
+
+Changes in release 0.2i:
+
+ * use getaddrinfo in the missing places.
+
+ * fix SRV lookup for admin server
+
+ * use get{addr,name}info everywhere.  and implement it in terms of
+   getipnodeby{name,addr} (which uses gethostbyname{,2} and
+   gethostbyaddr)
+
+Changes in release 0.2h:
+
+ * fix typo in kx (now compiles)
+
+Changes in release 0.2g:
+
+ * lots of bug fixes:
+   * push works
+   * repair appl/test programs
+   * sockaddr_storage works on solaris (alignment issues)
+   * works better with non-roken getaddrinfo
+   * rsh works
+   * some non standard C constructs removed
+
+Changes in release 0.2f:
+
+ * support SRV records for kpasswd
+ * look for both _kerberos and krb5-realm when doing host -> realm mapping
+
+Changes in release 0.2e:
+
+ * changed copyright notices to remove `advertising'-clause.
+ * get{addr,name}info added to roken and used in the other code
+   (this makes things work much better with hosts with both v4 and v6
+    addresses, among other things)
+ * do pre-auth for both password and key-based get_in_tkt
+ * support for having several databases
+ * new command `del_enctype' in kadmin
+ * strptime (and new strftime) add to roken
+ * more paranoia about finding libdb
+ * bug fixes
+
+Changes in release 0.2d:
+
+ * new configuration option [libdefaults]default_etypes_des
+ * internal ls in ftpd builds without KRB4
+ * kx/rsh/push/pop_debug tries v5 and v4 consistenly
+ * build bug fixes
+ * other bug fixes
+
+Changes in release 0.2c:
+
+ * bug fixes (see ChangeLog's for details)
+
+Changes in release 0.2b:
+
+ * bug fixes
+ * actually bump shared library versions
+
+Changes in release 0.2a:
+
+ * a new program verify_krb5_conf for checking your /etc/krb5.conf
+ * add 3DES keys when changing password
+ * support null keys in database
+ * support multiple local realms
+ * implement a keytab backend for AFS KeyFile's
+ * implement a keytab backend for v4 srvtabs
+ * implement `ktutil copy'
+ * support password quality control in v4 kadmind
+ * improvements in v4 compat kadmind
+ * handle the case of having the correct cred in the ccache but with
+   the wrong encryption type better
+ * v6-ify the remaining programs.
+ * internal ls in ftpd
+ * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat
+ * add `ank --random-password' and `cpw --random-password' in kadmin
+ * some programs and documentation for trying to talk to a W2K KDC
+ * bug fixes
+
+Changes in release 0.1m:
+
+ * support for getting default from krb5.conf for kinit/kf/rsh/telnet.
+   From Miroslav Ruda <ruda@ics.muni.cz>
+ * v6-ify hprop and hpropd
+ * support numeric addresses in krb5_mk_req
+ * shadow support in login and su. From Miroslav Ruda <ruda@ics.muni.cz>
+ * make rsh/rshd IPv6-aware
+ * make the gssapi sample applications better at reporting errors
+ * lots of bug fixes
+ * handle systems with v6-aware libc and non-v6 kernels (like Linux
+   with glibc 2.1) better
+ * hide failure of ERPT in ftp
+ * lots of bug fixes
+
+Changes in release 0.1l:
+
+ * make ftp and ftpd IPv6-aware
+ * add inet_pton to roken
+ * more IPv6-awareness
+ * make mini_inetd v6 aware
+
+Changes in release 0.1k:
+
+ * bump shared libraries versions
+ * add roken version of inet_ntop
+ * merge more changes to rshd
+
+Changes in release 0.1j:
+
+ * restore back to the `old' 3DES code.  This was supposed to be done
+   in 0.1h and 0.1i but I did a CVS screw-up.
+ * make telnetd handle v6 connections
+
+Changes in release 0.1i:
+
+ * start using `struct sockaddr_storage' which simplifies the code
+   (with a fallback definition if it's not defined)
+ * bug fixes (including in hprop and kf)
+ * don't use mawk which seems to mishandle roken.awk
+ * get_addrs should be able to handle v6 addresses on Linux (with the
+   required patch to the Linux kernel -- ask within)
+ * rshd builds with shadow passwords
+
+Changes in release 0.1h:
+
+ * kf: new program for forwarding credentials
+ * portability fixes
+ * make forwarding credentials work with MIT code
+ * better conversion of ka database
+ * add etc/services.append
+ * correct `modified by' from kpasswdd
+ * lots of bug fixes
+
+Changes in release 0.1g:
+
+ * kgetcred: new program for explicitly obtaining tickets
+ * configure fixes
+ * krb5-aware kx
+ * bug fixes
+
+Changes in release 0.1f;
+
+ * experimental support for v4 kadmin protokoll in kadmind
+ * bug fixes
+
+Changes in release 0.1e:
+
+ * try to handle old DCE and MIT kdcs
+ * support for older versions of credential cache files and keytabs
+ * postdated tickets work
+ * support for password quality checks in kpasswdd
+ * new flag --enable-kaserver for kdc
+ * renew fixes
+ * prototype su program
+ * updated (some) manpages
+ * support for KDC resource records
+ * should build with --without-krb4
+ * bug fixes
+
+Changes in release 0.1d:
+
+ * Support building with DB2 (uses 1.85-compat API)
+ * Support krb5-realm.DOMAIN in DNS
+ * new `ktutil srvcreate'
+ * v4/kafs support in klist/kdestroy
+ * bug fixes
+
+Changes in release 0.1c:
+
+ * fix ASN.1 encoding of signed integers
+ * somewhat working `ktutil get'
+ * some documentation updates
+ * update to Autoconf 2.13 and Automake 1.4
+ * the usual bug fixes
+
+Changes in release 0.1b:
+
+ * some old -> new crypto conversion utils
+ * bug fixes
+
+Changes in release 0.1a:
+
+ * new crypto code
+ * more bug fixes
+ * make sure we ask for DES keys in gssapi
+ * support signed ints in ASN1
+ * IPv6-bug fixes
+
+Changes in release 0.0u:
+
+ * lots of bug fixes
+
+Changes in release 0.0t:
+
+ * more robust parsing of krb5.conf
+ * include net{read,write} in lib/roken
+ * bug fixes
+
+Changes in release 0.0s:
+
+ * kludges for parsing options to rsh
+ * more robust parsing of krb5.conf
+ * removed some arbitrary limits
+ * bug fixes
+
+Changes in release 0.0r:
+
+ * default options for some programs
+ * bug fixes
+
+Changes in release 0.0q:
+
+ * support for building shared libraries with libtool
+ * bug fixes
+
+Changes in release 0.0p:
+
+ * keytab moved to /etc/krb5.keytab
+ * avoid false detection of IPv6 on Linux
+ * Lots of more functionality in the gssapi-library
+ * hprop can now read ka-server databases
+ * bug fixes
+
+Changes in release 0.0o:
+
+ * FTP with GSSAPI support.
+ * Bug fixes.
+
+Changes in release 0.0n:
+
+ * Incremental database propagation.
+ * Somewhat improved kadmin ui; the stuff in admin is now removed.
+ * Some support for using enctypes instead of keytypes.
+ * Lots of other improvement and bug fixes, see ChangeLog for details.