From 4b6ba67f51b8723f53bcf7a532fedfda66f4bdbb Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Fri, 18 Sep 2015 13:03:05 -0400 Subject: [PATCH] Updates for krb5-1.14-alpha1 --- README | 162 ++++++++++++++++++++++++++++++++++++++++++++ src/patchlevel.h | 4 +- src/po/mit-krb5.pot | 4 +- 3 files changed, 166 insertions(+), 4 deletions(-) diff --git a/README b/README index 90b6fe63a3..8b1c05ee0b 100644 --- a/README +++ b/README 
@@ -76,9 +76,167 @@ beginning with krb5-1.8. Major changes in 1.14 --------------------- +Administrator experience: + +* Add a new kdb5_util tabdump command to provide reporting-friendly + tabular dump formats (tab-separated or CSV) for the KDC database. + Unlike the normal dump format, each output table has a fixed number + of fields. Some tables include human-readable forms of data that + are opaque in ordinary dump files. This format is also suitable for + importing into relational databases for complex queries. + +* Add support to kadmin and kadmin.local for specifying a single + command line following any global options, where the command + arguments are split by the shell--for example, "kadmin getprinc + principalname". Commands issued this way do not prompt for + confirmation or display warning messages, and exit with non-zero + status if the operation fails. + +* Accept the same principal flag names in kadmin as we do for the + default_principal_flags kdc.conf variable, and vice versa. Also + accept flag specifiers in the form that kadmin prints, as well as + hexadecimal numbers. + +* Remove the triple-DES and RC4 encryption types from the default + value of supported_enctypes, which determines the default key and + salt types for new password-derived keys. By default, keys will + only created only for AES128 and AES256. This mitigates some types + of password guessing attacks. + +* Add support for directory names in the KRB5_CONFIG and + KRB5_KDC_PROFILE environment variables. + +* Add support for authentication indicators, which are ticket + annotations to indicate the strength of the initial authentication. + Add support for the "require_auth" string attribute, which can be + set on server principal entries to require an indicator when + authenticating to the server. + +* Add support for key version numbers larger than 255 in keytab files, + and for version numbers up to 65535 in KDC databases. 
+ +* Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC + during pre-authentication, corresponding to the client's most + preferred encryption type. + +* Add support for server name identification (SNI) when proxying KDC + requests over HTTPS. + +* Add support for the err_fmt profile parameter, which can be used to + generate custom-formatted error messages. + +Developer experience: + +* Change gss_acquire_cred_with_password() to acquire credentials into + a private memory credential cache. Applications can use + gss_store_cred() to make the resulting credentials visible to other + processes. + +* Change gss_acquire_cred() and SPNEGO not to acquire credentials for + IAKERB or for non-standard variants of the krb5 mechanism OID unless + explicitly requested. (SPNEGO will still accept the Microsoft + variant of the krb5 mechanism OID during negotiation.) + +* Change gss_accept_sec_context() not to accept tokens for IAKERB or + for non-standard variants of the krb5 mechanism OID unless an + acceptor credential is acquired for those mechanisms. + +* Change gss_acquire_cred() to immediately resolve credentials if the + time_rec parameter is not NULL, so that a correct expiration time + can be returned. Normally credential resolution is delayed until + the target name is known. + +* Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, + which can be used by plugin modules or applications to add prefixes + to existing detailed error messages. + +* Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which + implement the RFC 6113 PRF+ operation and key derivation using PRF+. + +* Add support for pre-authentication mechanisms which use multiple + round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error + code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth + interface; these callbacks can be used to save marshalled state + information in an encrypted cookie for the next request. 
+ +* Add a client_key() callback to the kdcpreauth interface to retrieve + the chosen client key, corresponding to the ETYPE-INFO2 entry sent + by the KDC. + +* Add an add_auth_indicator() callback to the kdcpreauth interface, + allowing pre-authentication modules to assert authentication + indicators. + +* Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to + suppress sending the confidentiality and integrity flags in GSS + initiator tokens unless they are requested by the caller. These + flags control the negotiated SASL security layer for the Microsoft + GSS-SPNEGO SASL mechanism. + +* Make the FILE credential cache implementation less prone to + corruption issues in multi-threaded programs, especially on + platforms with support for open file description locks. + +Performance: + +* On slave KDCs, poll the master KDC immediately after processing a + full resync, and do not require two full resyncs after the master + KDC's log file is reset. + + krb5-1.14 changes by ticket ID ------------------------------ +6938 krb5 and ldap signed traffic +7532 Improve support for large kvnos +7790 Make cross-realm S4U2Self work +7804 Can't write to file ccache with OPENCLOSE unset +7903 Remove des3 and arcfour from supported_enctypes +7991 kadmin should have a script-friendly mode +8002 Fix KCM ccache per-type cursor +8021 SPNEGO clients should not try IAKERB by default +8022 klist -s only looks for TGTs +8023 Use OFD locks where available +8025 krb5 gss_inquire_context doesn't work with partially established context +8026 Use stdio reads, O_APPEND writes in FILE ccache +8027 Client RPC timeout during kadmin listprincs command +8030 Add support for directories in profile paths +8046 Add new error message wrapping APIs +8047 Add err_fmt profile parameter +8048 Remove ksu -D flag documentation +8052 Include file ccache name in error messages +8062 Fix const correctness on krb5_c_fx_cf2_simple() +8063 Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED +8123 Check timestamp in 
PKINIT kdcpreauth module +8124 Use preauth timestamp in PKINIT clpreauth module +8139 SIGNTICKET creation and verification doesn't always use the right key +8152 gss_acquire_cred_with_password() ignores expired creds +8157 Authentication indicator support +8161 kpropd -t (runonce) doesn't work for full dumps +8163 python test issues +8164 Avoid unnecessary iprop full resyncs after resets +8171 kadm5_hook does not have rename method +8198 Support SNI in MS-KKDCP client +8199 Only include one key in etype-info +8200 Add client_keyblock kdcpreauth callback +8213 Policy extensions in 1.11 break iprop dump compatibility +8215 Unify KDB principal flag specifiers +8217 Limit use of deprecated krb5 mech OIDs +8219 Conditionalize iprop stderr output in kadmind +8224 Add KDC_ERR_PREAUTH_EXPIRED support +8225 Improve krb5_cccol_have_content() error messages +8227 Allow missing authenticator checksum with GSSAPI +8228 Add krb5_c_prfplus() and krb5_c_derive_prfplus() +8233 Add secure cookie support +8234 Add etype-info2 to MORE_PREAUTH_DATA_REQUIRED +8235 Resolve krb5 GSS creds if time_rec is requested +8236 Update SPNEGO hintName value to current spec +8242 Improve PKINIT OpenSSL error reporting +8243 Add tabular dump capability to kdb5_util +8245 kerberos.ldif file has malformed entries +8246 Fix error mappings for IOV MIC mechglue funcs + + Acknowledgements ---------------- @@ -197,6 +355,7 @@ reports, suggestions, and valuable resources: Kevin Coffman Simon Cooper Sylvain Cortes + Ian Crowther Arran Cudbard-Bell Jeff D'Angelo Nalin Dahyabhai @@ -218,6 +377,7 @@ reports, suggestions, and valuable resources: Ronni Feldt Bill Fellows JC Ferguson + Remi Ferrand William Fiveash Ákos Frohner Sebastian Galiano @@ -286,6 +446,7 @@ reports, suggestions, and valuable resources: Mark Phalan Brett Randall Jonathan Reams + Jonathan Reed Robert Relyea Martin Rex Jason Rogers 
@@ -320,6 +481,7 @@ reports, suggestions, and valuable resources: Ross Wilper Augustin Wolf David Woodhouse + Tsu-Phong Wu Xu Qiang Neng Xue Nickolai Zeldovich diff --git a/src/patchlevel.h b/src/patchlevel.h index 41322b88b8..e37933be70 100644 --- a/src/patchlevel.h +++ b/src/patchlevel.h @@ -52,6 +52,6 @@ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 14 #define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "prerelease" +#define KRB5_RELTAIL "alpha1" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "master" +#define KRB5_RELTAG "krb5-1.14-alpha1" diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot index 52658bcc59..5ca47eb268 100644 --- a/src/po/mit-krb5.pot +++ b/src/po/mit-krb5.pot @@ -6,9 +6,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: mit-krb5 1.14-prerelease\n" +"Project-Id-Version: mit-krb5 1.14-alpha1\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2015-09-17 15:20-0400\n" +"POT-Creation-Date: 2015-09-18 13:13-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" -- 2.47.3
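Review bot: two wording errors in the README "Major changes in 1.14" hunk, and the supported_enctypes bullet should say which attacks it mitigates. The bullet "By default, keys will only created only for AES128 and AES256." drops a verb and repeats "only"; suggest "By default, keys will be created only for AES128 and AES256." The multi-round-trip pre-authentication bullet reads "using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error code" (doubled "the"). On substance, "This mitigates some types of password guessing attacks" is the only rationale given for dropping triple-DES and RC4 from the default value of supported_enctypes; since that default governs every new password-derived key, the release note should name the attack class it addresses rather than leave administrators to infer it. The same bullet says the variable "determines the default key and salt types for new password-derived keys", so it would also help to state explicitly what that implies: existing des3/rc4 keys already in the database are not removed by the upgrade, and only keys generated after the change (for example on the next password change) are affected. The remaining hunks (Acknowledgements insertions, patchlevel.h, mit-krb5.pot) look fine: each new name lands in alphabetical order and the alpha1 tag/tail values are consistent with each other.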