From: Greg Hudson Date: Tue, 20 Aug 2024 20:43:07 +0000 (-0400) Subject: Update features list for 1.22 X-Git-Tag: krb5-1.22-beta1~79 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6cbd45486eb0b7814377a3864aaa298d171b3134;p=thirdparty%2Fkrb5.git Update features list for 1.22 --- diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst index 10effcf175..a3679354f6 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -19,8 +19,8 @@ Quick facts License - :ref:`mitK5license` Releases: - - Latest stable: https://web.mit.edu/kerberos/krb5-1.20/ - - Supported: https://web.mit.edu/kerberos/krb5-1.19/ + - Latest stable: https://web.mit.edu/kerberos/krb5-1.22/ + - Supported: https://web.mit.edu/kerberos/krb5-1.21/ - Release cycle: approximately 12 months Supported platforms \/ OS distributions: 
@@ -685,6 +685,51 @@ Release 1.21 - Improved the test framework's detection of memory errors in daemon processes when used with asan. +Release 1.21 + +* User experience: + + - The libdefaults configuration variable "request_timeout" can be + set to limit the total timeout for KDC requests. When making a + KDC request, the client will now wait indefinitely (or until the + request timeout has elapsed) on a KDC which accepts a TCP + connection, without contacting any additional KDCs. Clients will + make fewer DNS queries in some configurations. + + - The realm configuration variable "sitename" can be set to cause + the client look for site-specific DNS records when making KDC + requests. + +* Developer experience: + + - The profile library supports the modification of empty profiles + and the copying of modified profiles, making it possible to + construct an in-memory profile and pass it to + krb5_init_context_profile(). + + - GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to + gss_init_sec_context() to request strict enforcement of channel + bindings by the acceptor. + +* Protocol evolution: + + - PKINIT has support for elliptic curve client certificates and for + ECDH key exchange. + + - The IAKERB implementation has been changed to comply with the + standard. + +* Code quality: + + - Old-style function declarations have been removed, to accomodate + compilers removing support for them. + + - OSS-Fuzz support has been added to the project's continuous + integration infrastructure. + + - GSS per-message token parsing code has been rewritten for improved + safety. + `Pre-authentication mechanisms` - PW-SALT :rfc:`4120#section-5.2.7.3`
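Review bot: The section heading added at the top of the second hunk (doc/mitK5features.rst, @@ -685,6 +685,51 @@) reads "Release 1.21", but the hunk header shows the section just before it is already "Release 1.21" and the commit is titled "Update features list for 1.22", so the new heading should read "Release 1.22". As written, the document would carry two sections with the same release number and no entry for 1.22. Two wording fixes in the same hunk: under "User experience", "can be set to cause the client look for site-specific DNS records" is missing "to" before "look", and under "Code quality", "accomodate" should be "accommodate".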