CHANGELOG
3.2.0rc2
build: Add "make test" to test build integrity.
Currently tests cosignd, cosign.cgi and logout cgi.
build: Add "make server" to build only weblogin server components.
build: Add "make install-server"
build: Add DESTDIR support to Makefile.
Patch from Sean Sweda <ssweda at barracuda dot com>.
common: incorporate fixes from cosign 3.1.4.
cgi: Check environment for alternate cosign.conf.
Added for make test.
3.2.0rc1
cgi: Add support for httponly cookies.
cgi: Add validuser() to allow limited non-alphanumeric usernames.
filters: Add support for httponly cookies.
filters: Permit CosignAllowPublicAccess in .htaccess files.
Patch from pgp at psu dot edu.
filters: Use vhost servername as default value for CosignService.
[Feature Request #2748312]
filters: Prevent site configuration from caching cosign redirects.
filters: CosignAllowValidationRedirect works with CosignNoAppendRedirect
filters: Reorder calls to perror to avoid errno reset.
Patch from Martin Sucha <sucha14 at st dot fmph dot uniba.sk>
filters: NULL-terminate ap_pstrcat and apr_pstrcat.
3.1.4
common: fix NULL dereference causing cosignd crash on config read.
3.1.3
common: implicitly anchor regular expression matches.
patch for COSIGN-VULN-2011-001. See:
http://weblogin.org/cosign-vuln-2011-001.txt
3.1.2
apache2 filter: detect apache 2.2, and instruct httpd to order
mod_cosign ahead of mod_authz_host. older versions of
the apache 2.2 filter incorrectly referred to mod_access.
filters: fix hard-coded protocol version in read_scookie.
Bug report from liamr at umich dot edu.
3.1.1
daemon: correct format for arguments when handling CHECKs from
clients using protocol 0.
3.1.0
all: Cookie rekeying in apache and lighttpd filters.
daemon: add banner capability list to work around hardcoded
protocol version.
filters: add capability list parsing.
filters: add REKEY command. Replaces "CHECK <cookie> rekey" in
older RCs.
cgi: catch NULL return value from snet_getline_multi when storing
krb tickets.
cgi: add cosignprincipal config option. Based on a patch from matt
at linuxbox dot com.
cgi: add cosignstoretickets and cosignticketlifetime config options.
cgi: add cosignlogoutregex config option.
common: fix: --enable-mysql's optional path argument was ignored.
Based on a patch from jorj at isc dot upenn dot edu.
common: Adopt autoheader conventions in build.
common: Handle NetBSD's krb5 pathing in configure script. Report
from nmadura at umich dot edu.
filters: [Patch 2801877]: Support multi-cert PEMs. Patch from fedora
dot dm0 at gmail dot com.
filters: IP checking now defaults to "never".
filters: [Request 2748342]: Allow CosignService value to start with
"cosign-".
filters: fix length passed to strncasecmp when checking cookie
prefix in filters.
filters: fix regression in return value check for ap_pregcomp.
Report from jorj at isc dot upenn dot edu.
lighttpd filter: fix size checks when copying into sinfo struct.
build: Make LIBS environment available to apxs for compiling.
Additional build modifications to clean up git detritus
3.0.2
filter: use ap_pregcomp to compile regexes
3.0.1
daemon: add cosignstrictcheck configuration option
filter: register handler correctly for apache1
filter: allow extended regular expressions in CosignValidReference
3.0.0
common: implement cosign v3 scheme to address COSIGN-VULN-2009-002,
see http://weblogin.org/cosign-vuln-2009-002.txt
2.1.1
cgi: escape login name to address COSIGN-VULN-2009-001,
see http://weblogin.org/cosign-vuln-2009-001.txt
2.1.0
common: improved configure option passing
common: added --enable-universal-binaries
cgi: escape factors (xss)
cgi: use SERVER_NAME env variable rather than cosign_host config
cgi: support SPNEGO (Simon Wilkinson)
cgi: try passwords against multiple legacy methods (Simon Wilkinson)
cgi: default authenticator regexes use extended format
cgi: report expired passwords to user (Kris Steinhoff)
cgi: report killed factors to user
cgi: moved Friend password incorrect message handling to main loop
cgi: don't escape ';'
cgi: bug in certificate-based authN variable substitution (Petr Lampa)
daemon: bug in kerberos ticket path handling (Petr Lampa)
daemon: bug in non-replication restart code (Petr Lampa)
daemon: improvement to replication error case under high load
filter: improved apxs 2 usage
filter: close connection more reliably (Petr Lampa)
filter: detect race where multiple HTTP GETs cause overlapping
cosign CHECKS
filter: fix connection reordering bug (Simon Wilkinson)
filter: fix setting COSIGN_FACTORS from cached cookie
filter: store server protocol version in cached cookie
filter: return from cosign_cookie_valid() if cosign_check_cookie()
returns anything other than COSIGN_OK (Petr Lampa)
filter: improve IP checking
2.0.2a
cgi: examine cookies for invalid character (security)
filter: move IP checking
2.0.2
cgi & filters: improved validation of login & service cookies
cgi: better error messages
cgi: improved building
daemon: removed config logging, corrects openlog/syslog ordering problem
monster: corrected bug in 2-character hashing code
filter: improved SSL error handling
filter: allow CosignRequireFactor in .htaccess
filter: fixed bug that would "lose" Kerberos tickets in some cases
filter: fixed bug causing failure to update cookie cache
filter: fixed bug that incorrectly enables IP checking
filter: switched cookie cache reading code from stdio to snet
2.0.1
cgi: preauth failed and expired password are now re-tryable errors
daemon: krbtktpath is now maintained upon subsequent logins
filters: fixed some typos
2.0.0
updates to READMES and docs
common: general bug fixes, more helpful logging and error messages
common: support for multifactor
common: support for factor suffix
common: new protocol v2 - STARTTLS, LOGIN and CHECK
cgi: some structural reorganization
cgi: change of browser IP address on a "REGISTER"
causes a re-authentication event
cgi: kerberos and friend are now built in legacy factors, though building either is still optional
cgi: factors can be primary or secondary
cgi: if a keytab is present, it must be used now
filters: support to require specific factors
filters: CosignCheckIP directive to support browser ip
address checking - never, initial or always. This
replaces the previous compile-time option. This may not work well or at all with load balancers and reverse NATs.
helloCosign: new top level directory with test scripts in several languages
html: brand new UI to support multifactor
libcgi: upgraded to newer C only cgi library, no more lex/yacc
1.9.4
daemon: fixed replication/hashing problem
filters: fixed filters/common install target problem
1.9.3
daemon: updated return codes
daemon: fixed bug in retrieve access control
daemon: fixed bug where HUP with replication turned on would
cause the server to die and exit.
man: reorganized and fixed typos
1.9.2
filters: added missing krb DEFS options to common Makefile.in
1.9.1
updates to READMES
new cosign.conf(5) man page
cgi: fixed newline in error string
cgi: fixed reauth cookie truncation bug
cgi: "friend" login select statement updated for 2.0 release
cgi: re-present verify screen for logout if we don't get the post
common: fixed bug in rate code output
filters: shared code is now in filters/common
filters: removed k4 support
filters/daemon/monster: added db-hashing support
scripts: create and upgrade scripts for db-hashing
1.9.0
updates to READMES
more streamlined single server trial install process.
common: added double quote support to argcargv() parsing.
cgi: override "found" Kerberos paths.
cgi: template directory configurable from cosign.conf.
cgi: login and transfer tickets with x509.
cgi: added ability to force re-authentication on a
per-service basis.
cgi: tgts are transferred on macs again, we just build with MIT kerberos instead of on-board kerberos.
cgi: check length of username before copy.
cgi/daemon: ticket stores are separable.
cgi/daemon: fixed miscellaneous core dump causing bugs.
filters: streamlined server/directory directive merge routines.
filters: almost all directives can be set on a per directory basis.
filters: multiple CosignSiteEntry behavior more consistent.
friend: cosign-friend is now its own project, which means it
is no longer a part of this distribution.
libsnet: updated to current version.
templates: default action is now "/cosign-bin/cosign.cgi"
instead of "/". Details on suggested Apache configurations are available in README.weblogin.
scripts: fixed syntax error in helloCosign.php
1.8.5
updates to READMES
common: updated config.sub and config.guess.
cgi: looping page can be autoconfed or set within the config file.
cgi: MAX_KEYTAB_NAME_LEN defined inline if not already done.
cgi: NULL keytab means KDC check won't get run.
cgi: On Macs, TGTs won't get passed to the daemon as they don't
reside in the filesystem but rather
somewhere in memory a la Apple's Kerberos Cache API.
cgi/filters: return codes from talking to the daemon are now
#defined and simplified, to make the code more readable.
cgi/filters: we now deal with a mix of 4xx and 5xx answers correctly
daemon: updated man pages to reflect required ticket argument
in cosign.conf syntax.
filters: CosignProtected On/Off allowed in .htaccess files now.
filters: moved around some authN/authZ decisions so "require",
"order", and "satisfy" work better. It's still not perfect,
but that's an Apache issue, we just work with what we have.
filters: We now return PostErrorRedirect earlier.
1.8.0
updates to READMES
config: make install rule works from top level Makefile for apache 2.
common: cgi and daemon can both read several config options from
the cosign.conf file, see README and man pages. Many thanks
to Brett Lomas at University of Auckland.
common: TCP_NODELAY on by default in daemon, filters, and cgi,
and off by default in monster. This should cause a
noticeable improvement in replication and a small
improvement in the cgis & filters.
cgi: basiccosign.cgi and cosign.cgi are now 1 cgi. BasicAuth support
is now implicitly built-in.
cgi: massive code re-structure.
cgi: subfile() now shared across both cgis (cosign.cgi and logout)
cgi: filters can now optionally include (or not) a semi-colon at
the end of the cookie when they re-direct for a register.
The cgi can parse both ways.
cgi: if logout is unable to run, we now tell the user to quit
their browser instead.
daemon/monster: code clean-up and small re-organization.
daemon/monster: renamed some variables for clarity.
daemon: fixed bug where a timed-out child was giving a 4xx,
causing filters to set unnecessary new cookies and re-register.
daemon: fixed bug in hup() and child() signal handlers (removed
possibly non-reentrant calls)
filters: fixed bug with PostErrorRedirect - it works, now.
filters: logging now using ap_log_error() so it's more syslog-esque.
filters: fixed bug in apache2 where building with krb and then not
getting tickets would cause garbage to be written into the
cookie file, and the server to core dump.
filters: specifically apache2, fixed misc build errors.
1.7.0
config: must specify path to apxs to build either filter, no default.
common: first pass at rate logging, see README and man pages
cgi: issue a new login cookie if the one presented is more than
24 hours old.
cgi: looping page a redirect now instead of just an error.
cgi: check for sql injection prior to username query.
cgi: less verbose logging, more summaries.
daemon: default log facility now daemon.
daemon: more precise logging, suppression of common errors.
daemon/monster: override syslog facility and level from cmd line.
filter: all settings configurable through runtime directives.
filter: new directive to delimit authN optional, which allows you
to push authN decisions back into the application.
filter: issue a new service cookie if the one presented is more than
24 hours old.
html: new looping page, a redirect from the cgi, will allow you to
capture the browser info ( in access logs ) for clients
who are looping.
1.6.2
config: bug fix for specifying apache2 path
common: all declarations of port are now unsigned short
common: compare of CN to hostname is now case insensitive
cgi: check to prevent endless looping - defaults to break loops
after 10 redirects in 30 seconds.
cgi: removed error message if logout failed, as long as the cookie
was successfully expired.
cgi: kerberos tickets are unlinked after successful transfer to daemon
daemon: idle and grey windows can be set on the cmd line
daemon: wildcard matches are now case insensitive
daemon: we no longer ignore the specified syslog facility
daemon: updated docs, explain the various timeouts better
filter: support for runtime config of filterDB, proxyDB, and
kerberosTicketCache
1.6.1
common: krbpath is now MAXPATHLEN to allow for longer paths
common: snprintf() to prevent buffer overruns in krb(4)path
html: services directory now part of the distribution
1.6
updates to READMES
common: configure option for kerberos ticket cache
common: support for n-tier cosign proxy authentication
cgi: fixed bug resulting from legacy service menu code
daemon: fixed error reporting bug
daemon: added -n option to check config files
filter: support for cosign protecting http pages
filter: can now force users to return to a specific URL
html: new example login/logout pages, no longer UM specific
html: LOGIN_ERROR_HTML is now distinct from ERROR_HTML so
specific login errors can all include login screen and
fatal errors (where login is not possible) will not
include a login screen. The files in cosign_src/html/ are
login_error.m4 and error.m4 respectively. This will
require a change to your existing html if you are
upgrading from a previous version.
1.5.1
updates to READMES, thanks to J. Maddock
README & configure change to address redhat 9/kerberos/ssl issue
cgi: bug fix to not build SQL/friend support if not configured
cgi: endian bug fix for BasicAuth
cgi: removed redundant cookie length check
daemon: -d prints every line to stdout now
daemon: cookie len check portable across platforms now
filter: more clean up on cookielen/path checks
filter: apache2 uses same _FILTER_DB arg as apache
1.5.0
more updates to READMES
cgi: friend (self-created email-based accounts) support
cgi: uniqname now login (html needs updating for subfile)
cgi: reduced # of connections per transaction
html: $u replaced by $l
html: added friend support
filter: optionally enable ip addr checking
filter: beta Apache 2.x support
filter: fixed bug with failover and kerberos ticket acquisition
daemon: added monster support for time stamp/logout propagation
daemon: revised man page for cosignd, added man page for monster
daemon: added TIME and DAEMON command
daemon: added replication
daemon: IP in login and service cookies no longer need match
daemon: logout now denoted by permissions instead of file contents
daemon: cleaned up logging
1.1.3
filter: fixed bug in username size, again.
daemon: fixed bug in username size, again.
1.1.2
filter: fixed bug in username size.
1.1.1
daemon: username size increased to support long email addrs
filter: username size increased to support long email addrs
1.1.0
cgi: BasicAuth capabilities
cgi: rename uniqname to login
cgi: remove htputs()
daemon: app to clean cookie and tix by arbitrary idle time
daemon: re-work read_cookie() to work with monster
daemon: use mtime instead of atime for cookie idle out
filter: fixed last stray version symbol problem
filter: PSU bug - you can have multiple service names get tix and such
1.0.1
more updates to README
rename common variables so there are no symbol conflicts
added access() to check access to crypto
cgi: realm is taken from krb5.conf default realm
cgi: fixed bug that was partially dropping query string on redirect
cgi: code no longer specifies how to do addressing with kerberos tickets
cgi: fixed endian bug in connect code
filter: initialize ticket locations so no garbage should we fail
filter: access() for filterdb as well
html: tweaks
scripts: self-documentation
1.0.0
more updates to README
readme for cron and logout scripts ( README.scripts )
readme for installation of weblogin server ( README.weblogin )
improved help from ./configure --help
cosignd: added TLS Optional debug flag ( -X )
cosignd: now returns 226 on re-register ( was 526 )
cgi: added autoconf support for cgi settings
cgi: fixed default keytab setting
cgi: improved http cache and expires headers
cgi: added a favicon.ico to login screen
cgi: added service cookie hidden field to login screen
cgi: simplified, slightly, XSS checks on ref and service cookie
cgi: now calls register with service cookie after redirected login
0.9.4
condense duplicate code into common/
overhaul of the README
configure for AIX: CFLAGS from apxs and extra libs for ssl
cgi: autoconf hostname of cosignd server
cgi: autoconf certs, same args as daemon
cgi: autoconf keytabpath
cgi: '=' handled correctly on query string
cgi: fixed looping bug on idle time out
cgi and filter: properly set kerror on every fail
cgi and filter: changed the name of secant to scookie
common: mkcookie() calls RAND_bytes, not RAND_pseudo_bytes
filter: autoconf filter db location
filter: all sn's set to NULL when closed
filter: suppress spurious connection errors
filter: reorder check_cookie so retr is only called when check succeeds
filter: COSIGN_SERVICE env variable
filter: cookies must be the length of a cookie we'd set
0.9.3
cgi: more anti-xss attacks
cgi: redirect to referer is done with a post now
cgi: button instead of link on the reminder screen
daemon: man page
daemon: autoconf cadir, cert, key
daemon: supports hup to re-read conf file
daemon: fixed bug for re-login when IP address changes
filter: extraneous debugging removed
misc html tweaks
libsnet updated to most current version
0.9.2
filter: support for gss
cgi: post error screen now supported
cgi: many tweaks to prevent XSS and more seamless redirects
cgi: html facelift
0.9.1
autoconf options for daemon dirs
daemon: cmd line option for log and certs
cgi: check to prevent KDC spoofing
daemon: removed extraneous logging
filter: toggle whether or not k5 gets converted to k4
0.9.0
added entrust, verisign and umweb CA certs to the distro
make everything now instead of make all
updated README with new info
autoconf changes to support k5 and k4
autoconf changes to make libsnet shared and/or static
autoconf changes to only build the filter if apxs is installed
cgi stores a tgt now, and propagates it
logout takes a URL on the query string
cadir for cgi and filter
daemon has a conf file, with wildcard support
daemon does "RETRIEVE" for tickets
filter has kerberos 5 and 4 functionality
fixed javascript bug in login screen
misc html tweaks
0.8.1
added make dist rule to Makefile
added check in the cgi to make sure daemon host and cert subject match
also check in the filter to make sure daemon host and cert subject match
must now call "starttls" before any other commands will work
cadir ( supports multiple CAs ) replaces cafile
removed extraneous logging
0.8.0
added support for autoconf
added -V for the cgi
moved daemon's default datadir to /var/cosign/daemon
moved filter's default datadir to /var/cosign/filter
re-worked the connection management model
break "loops" when filter fails to establish a session w/ daemon
moved around mkcookie() to prepare for later code sharing
module returns 503 (HTTP_SERVICE_UNAVAILABLE) instead of FORBIDDEN
reworked .m4 -> html screens
0.7.0
first unified release of cgi, daemon, and apache filter