path: root/source4/heimdal/lib
Age | Commit message | Author | Files | Lines
2011-04-16 | s4-heimdal: Allow any kvno to match when searching the keytab. | Andrew Bartlett | 1 | -2/+1
Windows does not use a KVNO when it checks its passwords, and MIT doesn't check the KVNO when no acceptor identity is specified (looping over all keys in the keytab).
Andrew Bartlett
2011-03-14 | Merge new lorikeet heimdal, revision 85ed7247f515770c73b1f1ced1739f6ce19d75d2 | Jelmer Vernooij | 51 | -2717/+6901
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Mar 14 23:53:46 CET 2011 on sn-devel-104
2011-02-25 | s4:heimdal - fix valgrind issue on Fedora 14 | Milan Crha | 6 | -148/+148
This should definitely fix bug #7858.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Feb 25 12:39:21 CET 2011 on sn-devel-104
2011-02-25 | Revert "heimdal_build omit #line statements to allow valgrind to work again" | Matthias Dieter Wallnöfer | 7 | -53/+376
This reverts commit 80e23c68d83a7c9989f87d5a88a78bb76d222afc. A better patch has been provided by Milan Crha in the following commit.
2011-02-25 | heimdal_build omit #line statements to allow valgrind to work again | Andrew Bartlett | 7 | -376/+53
The lex/yacc files were generated on Fedora 14, and have empty filenames in #line declarations. I don't know why this is, but it seems best just to omit the #line statements. This is what was causing Valgrind on Fedora not to run on Samba binaries and programs linked to Samba libraries.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 25 11:46:56 CET 2011 on sn-devel-104
2011-02-02 | s4:heimdal: import lorikeet-heimdal-201101310455 (commit aa88eb1a05c4985cc23fb65fc1bad75bdce01c1f) | Andrew Bartlett | 48 | -144/+186
2010-12-18 | heimdal_build: Add version-script for heimdal_base, hx509 and hcrypto. Convert hbase and hcrypto to libraries. | Jelmer Vernooij | 1 | -0/+244
2010-12-17 | heimdal_build: Add version-script for krb5. | Jelmer Vernooij | 1 | -0/+769
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri Dec 17 21:09:25 CET 2010 on sn-devel-104
2010-12-17 | heimdal_build: Add version-script for gssapi. | Jelmer Vernooij | 1 | -0/+180
2010-12-17 | heimdal_build: Add version-script for asn1. | Jelmer Vernooij | 1 | -0/+6
2010-12-17 | heimdal_build: Add version-script for hdb. | Jelmer Vernooij | 1 | -0/+107
2010-12-17 | heimdal_build: Add version-script for wind. | Jelmer Vernooij | 1 | -0/+28
2010-12-17 | heimdal_build: Add version-script for ntlm. | Jelmer Vernooij | 1 | -0/+30
2010-12-17 | heimdal: Add version script file for hcrypto (unused so far, as hcrypto still needs to be made a proper library). | Jelmer Vernooij | 1 | -0/+299
2010-12-17 | heimdal_build: Add version-script for roken. | Jelmer Vernooij | 1 | -0/+199
2010-12-17 | heimdal_build: Add version-script for com_err. | Jelmer Vernooij | 1 | -0/+20
2010-12-11 | heimdal: unset SLIST_ENTRY only if we are with windows | Matthieu Patou | 1 | -1/+3
This is needed because otherwise on some OS like netbsd, openbsd, MacOSX, the preprocessing of ./heimdal/lib/gssapi/mech/cred.h on this platform is broken because mechqueue.h's definition won't be used as SLIST_HEAD is already defined. The definition occurs when net/if.h is included as it includes sys/queue.h
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sat Dec 11 00:34:51 CET 2010 on sn-devel-104
2010-12-01 | s4:heimdal: import lorikeet-heimdal-201012010201 (commit 81fe27bcc0148d410ca4617f8759b9df1a5e935c) | Andrew Bartlett | 67 | -2631/+2586
2010-12-01 | heimdal: fix for w2000 from lha | Andrew Tridgell | 1 | -2/+14
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Dec 1 00:59:59 CET 2010 on sn-devel-104
2010-11-17 | s4-heimdal: implement KERB_AP_ERR_TYPE_SKEW_RECOVERY | Andrew Tridgell | 1 | -1/+5
This e_data field in a kerberos error packet tells Windows to do clock skew recovery. See [MS-KILE] 2.2.1 KERB-ERROR-DATA.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-15 | heimdal Extra files required for merge up to current heimdal | Andrew Bartlett | 19 | -0/+4893
2010-11-15 | heimdal regenerate lex and yacc files | Andrew Bartlett | 9 | -3475/+2672
2010-11-15 | Add attribute macros for Heimdal to use | Andrew Bartlett | 1 | -0/+304
Heimdal uses HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE, and we need to provide a link between these and Samba's function attribute handling.
Andrew Bartlett
2010-11-15 | s4:heimdal: import lorikeet-heimdal-201011102149 (commit 5734d03c20e104c8f45533d07f2a2cbbd3224f29) | Andrew Bartlett | 45 | -11202/+1344
2010-11-11 | heimdal Don't dereference NULL in error verify_checksum error path | Andrew Bartlett | 1 | -1/+1
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Nov 11 10:37:03 UTC 2010 on sn-devel-104
2010-11-08 | heimdal: fixed a shadowed variable warning for error_message | Andrew Tridgell | 1 | -23/+23
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-08 | heimdal Add clock-skew handling to DCE-style GSSAPI | Andrew Bartlett | 1 | -39/+65
The clock skew handling was previously only on properly wrapped GSSAPI, and was skipped for DCE-style. This allows the ASN.1 errors from the krb5_rd_req to suggest parsing as a kerberos error packet.
Andrew Bartlett
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Nov 8 07:58:09 UTC 2010 on sn-devel-104
2010-11-02 | heimdal Add handling for PAC signatures over all encryption types | Andrew Bartlett | 2 | -24/+89
There are exceptions from the expected behaviour of 'checksum type matches key type' that we must deal with here, or else we can't serve DES-only servers.
Andrew Bartlett
2010-10-30 | s4-heimdal: lex_err_message() should not be static | Andrew Tridgell | 1 | -2/+2
2010-10-30 | s4-heimdal: fixed the use of error_message() in heimdal | Andrew Tridgell | 12 | -47/+49
The lex code in heimdal had a function error_message() which conflicts with a function from the com_err library. This replaces it with lex_err_message().
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-03 | Add new files for sha512 support | Andrew Bartlett | 1 | -0/+274
2010-10-03 | s4:heimdal: import lorikeet-heimdal-201010022046 (commit 1bea031b9404b14114b0272ecbe56e60c567af5c) | Andrew Bartlett | 19 | -106/+389
2010-10-03 | s4:heimdal: import lorikeet-heimdal-201009250123 (commit 42cabfb5b683dbcb97d583c397b897507689e382) | Matthieu Patou | 376 | -1634/+34086
I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit.
Andrew Bartlett
2010-09-30 | heimdal: added verbose logging of heimdal crypto errors | Andrew Bartlett | 1 | -2/+15
2010-09-28 | heimdal: fixed timegm UTC/GMT bug | Andrew Tridgell | 1 | -15/+6
This was a wonderful bug! On some Fedora systems, but not on Ubuntu, there is a difference between UTC and GMT. Heimdal replaced timegm() with _der_timegm() which did not account for that difference (which is 24 seconds at the moment). This led to a mutual authentication failure.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28 | heimdal Use a separate krb5_auth_context for the delegated credentials | Andrew Bartlett | 3 | -1/+35
If we re-use this context, we overwrite the timestamp while talking to the KDC and fail the mutual authentication with the target server.
Andrew Bartlett
2010-09-29 | heimdal Fix DNS name qualification to not mangle IP addresses | Andrew Bartlett | 1 | -5/+23
If the host running this code used IPv6 forms for IPv4 addresses then the check for '.' would not be sufficient to determine that this isn't a name we should mangle. Instead, check if it can be parsed as a numeric address first, and only then mangle.
Andrew Bartlett
2010-09-29 | heimdal Add an error code for use in the RODC | Andrew Bartlett | 1 | -0/+1
In this case, the whole request packet should be forwarded to a real KDC, with full secrets, as we don't have the password. This could also be used to implement 'play dead when the LDAP server is down'.
Andrew Bartlett
2010-09-29 | heimdal Add support for extracting a particular KVNO from the database | Andrew Bartlett | 2 | -2/+3
This should allow master key rollover. (but the real reason is to allow multiple krbtgt accounts, as used by Active Directory to implement RODC support)
Andrew Bartlett
2010-09-27 | heimdal: avoid DNS search domain expansion | Andrew Tridgell | 1 | -1/+16
When you have a domain search list in resolv.conf, and one of the DNS servers for a searched domain is uncontactable, then we would time out resolving DNS names. Avoid this by adding a '.' to the hostname if the hostname already has a '.' in it, which we assume to mean it is fully qualified.
2010-06-01 | s4-heimdal: Fix typo in comment. | Karolin Seeger | 1 | -1/+1
Karolin
2010-05-11 | s4:heimdal: remove unused heimdal/lib/hcrypto/evp-cc.c | Stefan Metzmacher | 1 | -659/+0
metze
2010-04-13 | s4-heimdal: Fix typo in comment. | Karolin Seeger | 1 | -1/+1
Karolin
2010-04-10 | s4:heimdal Add hooks to check with the DB before we allow s4u2self | Andrew Bartlett | 1 | -1/+6
This allows us to resolve multiple forms of a name, allowing for example machine$@REALM to get an S4U2Self ticket for host/machine@REALM.
Andrew Bartlett
2010-04-09 | s4-krb5: Fix typos in comment. | Karolin Seeger | 1 | -1/+1
Karolin
2010-03-27 | s4:heimdal Update generated files (cp from Heimdal) | Andrew Bartlett | 5 | -477/+459
2010-03-27 | s4:heimdal: import lorikeet-heimdal-201003262338 (commit f4e0dc17709829235f057e0e100d34802d3929ff) | Andrew Bartlett | 29 | -134/+365
2010-03-27 | s4:heimdal New files and supporting logic for heimdal update | Andrew Bartlett | 4 | -0/+1353
2010-03-27 | s4:heimdal: import lorikeet-heimdal-201001120029 (commit a5e675fed7c5db8a7370b77ed0bfa724196aa84d) | Andrew Bartlett | 210 | -1755/+3816
2010-03-16 | kerberos - set the memory to "0"s before freeing the password to prevent security issues | Matthias Dieter Wallnöfer | 1 | -2/+6