Andrew Bartlett [Sat, 2 Oct 2010 11:22:17 +0000 (21:22 +1000)]
Add error code to use when a secret is not in this database
This will happen on an RODC, which has the entry, but not the full
secret.
Andrew Bartlett
Andrew Bartlett [Tue, 28 Sep 2010 20:44:33 +0000 (06:44 +1000)]
heimdal Use a separate krb5_auth_context for the delegated credentials
This makes it much more clear that the timestamp written here is not
used in mutual authentication.
Andrew Bartlett
Andrew Bartlett [Sat, 2 Oct 2010 10:58:02 +0000 (20:58 +1000)]
Don't redefine socket() if socket_wrapper is already in use
In Samba, we may have already included socket_wrapper.h at this point
Andrew Bartlett
Andrew Bartlett [Sat, 2 Oct 2010 00:29:24 +0000 (10:29 +1000)]
heimdal Add support for extracting a particular KVNO from the database
This should allow master key rollover.
(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)
Andrew Bartlett [Fri, 1 Oct 2010 03:58:36 +0000 (13:58 +1000)]
heimdal use returned server entry from HDB to compare realms
Some hdb modules (samba4) may change the case of the realm in
a returned result. Use that to determine if it matches the krbtgt
realm also returned from the DB (the DB will return it in the 'right' case)
Andrew Bartlett
Andrew Bartlett [Fri, 1 Oct 2010 03:13:34 +0000 (20:13 -0700)]
heimdal: added verbose logging of heimdal crypto errors
Andrew Bartlett [Tue, 12 Jan 2010 06:55:59 +0000 (17:55 +1100)]
Push PKINIT configuration into default_config.c
The interaction with Samba4 is subtle - it calls
krb5_kdc_get_config(), but not configure() - but must have PKINIT set
up.
Andrew Bartlett
Stefan Metzmacher [Fri, 22 Aug 2008 09:45:26 +0000 (11:45 +0200)]
lorikeet-heimdal: Netbios Domain as Realm HACK...
This is really an ugly hack, to support using the Netbios Domain Name
as realm against windows KDC's, they always return the full realm
based on the DNS Name.
metze
Andrew Bartlett [Tue, 12 Jan 2010 02:22:10 +0000 (13:22 +1100)]
Don't segfault when in --one-file mode
The problem is that on Linux, fclose() of a NULL pointer segfaults
Stefan Metzmacher [Fri, 27 Mar 2009 06:31:11 +0000 (07:31 +0100)]
lorikeet-heimdal: add scripts to rebase and import the latest version into samba4
If you use these scripts, read them! :-)
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:58:18 +0000 (11:58 +0200)]
lorikeet-heimdal: add wrap_ex_ntlm.diff from abartlet
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:36 +0000 (11:57 +0200)]
lorikeet-heimdal: add IMPORT-HEIMDAL.sh
I think this can be removed...
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:06 +0000 (11:57 +0200)]
lorikeet-heimdal: add HEIMDAL-LICENCE.txt
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:43:50 +0000 (11:43 +0200)]
lorikeet-heimdal: camellia-ntt GPLv2+ license
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:42:21 +0000 (11:42 +0200)]
lorikeet-heimdal: autogen.sh modifications
metze
Love Hornquist Astrand [Sat, 2 Oct 2010 00:49:05 +0000 (17:49 -0700)]
Handle picky windows RODC servers
Patrik Lundin [Thu, 30 Sep 2010 21:15:30 +0000 (23:15 +0200)]
Fix order of arguments given to memchr().
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Love Hornquist Astrand [Fri, 1 Oct 2010 01:36:58 +0000 (18:36 -0700)]
SHA384
Love Hornquist Astrand [Fri, 1 Oct 2010 01:22:00 +0000 (18:22 -0700)]
SHA384
Love Hornquist Astrand [Thu, 30 Sep 2010 08:04:19 +0000 (01:04 -0700)]
add sha512
Love Hornquist Astrand [Thu, 30 Sep 2010 08:00:42 +0000 (01:00 -0700)]
clue in sha512 in rsa signature
Love Hornquist Astrand [Thu, 30 Sep 2010 07:44:35 +0000 (00:44 -0700)]
Andrew Bartlett pointed out that the patch was incomplete, update and write doxygen.
Love Hornquist Astrand [Thu, 30 Sep 2010 07:20:52 +0000 (00:20 -0700)]
get padding size right
Love Hornquist Astrand [Thu, 30 Sep 2010 07:18:03 +0000 (00:18 -0700)]
glue in sha512
Love Hornquist Astrand [Thu, 30 Sep 2010 07:08:48 +0000 (00:08 -0700)]
Add SHA512
Love Hornquist Astrand [Thu, 30 Sep 2010 06:37:34 +0000 (23:37 -0700)]
SHA512 support
Love Hornquist Astrand [Wed, 29 Sep 2010 20:32:39 +0000 (13:32 -0700)]
add _der_gmtime, use and test it
Love Hornquist Astrand [Wed, 29 Sep 2010 05:37:01 +0000 (22:37 -0700)]
If the hostname contains a dot, assume it's a FQAN and don't use
search domains since that might be painfully slow when machine is
disconnected from that network.
Found by Tridge
Love Hornquist Astrand [Wed, 29 Sep 2010 05:12:20 +0000 (22:12 -0700)]
free more bn that was allocated
Love Hornquist Astrand [Wed, 29 Sep 2010 05:08:00 +0000 (22:08 -0700)]
don't allocate n twice, indent
Andrew Bartlett [Fri, 24 Sep 2010 23:46:38 +0000 (09:46 +1000)]
s4:heimdal Create a new PAC when impersonating a user with S4U2Self
If we don't do this, the PAC is given for the machine account, not the
account being impersonated.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Karolin Seeger [Fri, 9 Apr 2010 07:23:54 +0000 (09:23 +0200)]
s4-krb5: Fix typos in comment.
Karolin
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Andrew Bartlett [Sat, 27 Mar 2010 12:09:31 +0000 (23:09 +1100)]
s4:heimdal Add hooks to check with the DB before we allow s4u2self
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Karolin Seeger [Tue, 1 Jun 2010 07:35:53 +0000 (09:35 +0200)]
s4-heimdal: Fix typo in comment.
Karolin
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Karolin Seeger [Tue, 13 Apr 2010 18:09:13 +0000 (20:09 +0200)]
s4-heimdal: Fix typo in comment.
Karolin
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Love Hornquist Astrand [Thu, 23 Sep 2010 18:11:00 +0000 (11:11 -0700)]
Support PADDING_NONE for encryption too
Love Hornquist Astrand [Wed, 22 Sep 2010 22:00:13 +0000 (15:00 -0700)]
add back hx509_crypto_allow_weak
Love Hornquist Astrand [Wed, 22 Sep 2010 21:41:17 +0000 (14:41 -0700)]
add padding support via hx509_crypto_set_padding
Love Hornquist Astrand [Sun, 19 Sep 2010 08:47:32 +0000 (01:47 -0700)]
remove unused header file
Love Hornquist Astrand [Sun, 19 Sep 2010 08:14:07 +0000 (01:14 -0700)]
x
Love Hornquist Astrand [Sun, 19 Sep 2010 07:55:36 +0000 (00:55 -0700)]
add PTHREAD_LIBADD
Love Hornquist Astrand [Sun, 19 Sep 2010 06:37:06 +0000 (23:37 -0700)]
Move to a plugin cache, contributed from Secure Endpoints
Asanka C. Herath [Sun, 19 Sep 2010 03:37:32 +0000 (23:37 -0400)]
Generalize MSLSA ccache type to a plug-in based ccache type
Asanka C. Herath [Sat, 18 Sep 2010 19:39:25 +0000 (15:39 -0400)]
Windows: Add missing export for libhcrypto-exports.def
Love Hornquist Astrand [Sat, 18 Sep 2010 21:45:33 +0000 (14:45 -0700)]
remove prefix zeros
Love Hornquist Astrand [Sat, 18 Sep 2010 18:55:59 +0000 (11:55 -0700)]
less brokenness
Love Hornquist Astrand [Tue, 14 Sep 2010 17:52:04 +0000 (10:52 -0700)]
add validate.obj
Simon Wilkinson [Sun, 12 Sep 2010 16:48:47 +0000 (17:48 +0100)]
Uses unsigned ints for lengths
EVP_BytesToKey uses min() on a mixture of signed and unsigned
parameters. To avoid compiler warnings, use unsigned int for all
of the iv and key lengths in this function.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Love Hornquist Astrand [Sat, 18 Sep 2010 18:26:09 +0000 (11:26 -0700)]
make address a full address
Anton Lundin [Fri, 17 Sep 2010 10:42:39 +0000 (12:42 +0200)]
Fix to build on aix.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Anton Lundin [Fri, 17 Sep 2010 10:44:50 +0000 (12:44 +0200)]
Fix testing when compiled with --disable-afs-support
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Love Hornquist Astrand [Fri, 17 Sep 2010 19:20:29 +0000 (12:20 -0700)]
make addresses not use compression in the middle since different
inet_ntop have different ways to format them
Anton Lundin [Thu, 16 Sep 2010 07:57:33 +0000 (09:57 +0200)]
Rename struct to not clash with aix header sys/proc.h
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Anton Lundin [Thu, 16 Sep 2010 06:18:35 +0000 (08:18 +0200)]
ifdef away code to be able to build with --disable-krb4
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Love Hornquist Astrand [Fri, 17 Sep 2010 03:59:35 +0000 (20:59 -0700)]
use krb5_unparse_name instead of krb5_unparse_name_short since that doesn't fail. From Zdenek Hatas
Love Hornquist Astrand [Thu, 16 Sep 2010 05:47:52 +0000 (22:47 -0700)]
typecast to avoid warning
Love Hornquist Astrand [Thu, 16 Sep 2010 04:57:20 +0000 (21:57 -0700)]
make test pass
Guillaume Rousse [Wed, 15 Sep 2010 19:25:48 +0000 (21:25 +0200)]
add version-script.map to distributed files
Signed-off-by: Guillaume Rousse <Guillaume.Rousse@inria.fr>
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Love Hornquist Astrand [Wed, 15 Sep 2010 19:06:16 +0000 (12:06 -0700)]
add header files for libtommath
Love Hornquist Astrand [Tue, 14 Sep 2010 17:44:33 +0000 (10:44 -0700)]
spelling
Simon Wilkinson [Sun, 12 Sep 2010 13:56:10 +0000 (14:56 +0100)]
Don't typedef u8, u16, u32 in rijndael-alg-fast.c
Some kernels define u8, u16 and u32 in their standard headers.
Redefining these symbols in hcrypto's own code prevents that code
from compiling on those kernels.
Instead, just replace all occurrences of u8, u16 and u32 with the
symbols uint8_t, uint16_t and uint32_t that they were being
typedef'd as, anyway.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Simon Wilkinson [Tue, 14 Sep 2010 17:24:43 +0000 (10:24 -0700)]
Rename current to SHA1current
Some kernels define 'current' as a #define. This causes chaos when
we try to build sha.c. So, rename current as 'SHA1current', and avoid
the insanity.
Love Hornquist Astrand [Tue, 14 Sep 2010 17:18:08 +0000 (10:18 -0700)]
add arguments to rk_rename to move it into the macro/function namespace
Love Hornquist Astrand [Tue, 14 Sep 2010 17:08:03 +0000 (10:08 -0700)]
New drop with windows code from Secure Endpoints/Asanka
Love Hornquist Astrand [Mon, 13 Sep 2010 07:23:34 +0000 (00:23 -0700)]
clean better
Love Hornquist Astrand [Mon, 13 Sep 2010 07:22:03 +0000 (00:22 -0700)]
clean better
Love Hornquist Astrand [Mon, 13 Sep 2010 07:21:14 +0000 (00:21 -0700)]
clean better
Asanka C. Herath [Mon, 13 Sep 2010 02:44:48 +0000 (22:44 -0400)]
Windows: Build the SDK
Asanka C. Herath [Mon, 13 Sep 2010 02:44:21 +0000 (22:44 -0400)]
Windows: packages/windows/sdk
The Makefile in this directory pulls in the SDK into a separate directory tree.
Asanka Herath [Fri, 10 Sep 2010 18:03:15 +0000 (14:03 -0400)]
Add krb5_c_random_make_octets() to mit_glue.c
Asanka Herath [Thu, 2 Sep 2010 21:18:48 +0000 (17:18 -0400)]
Define KRB5_TC_OPENCLOSE and KRB5_TC_NOTICKET in krb5.h
Asanka Herath [Thu, 2 Sep 2010 21:18:26 +0000 (17:18 -0400)]
Add krb5_free_default_realm() to MIT glue
Asanka Herath [Thu, 2 Sep 2010 21:17:56 +0000 (17:17 -0400)]
Don't return a freed pointer in allocate_ccache()
Asanka Herath [Thu, 2 Sep 2010 21:15:01 +0000 (17:15 -0400)]
Handle Windows pathnames properly in krb5_cc_resolve()
On Windows, a pathname can contain a drive letter and a colon.
krb5_cc_resolve() used to check whether there were any colons in the
ccache name string and assume it is a FILE: cache if there weren't.
In addition, on Windows, check for a drive specification.
Asanka Herath [Thu, 2 Sep 2010 21:13:26 +0000 (17:13 -0400)]
Windows: Enable weak crypto by default
Asanka Herath [Fri, 27 Aug 2010 20:28:03 +0000 (16:28 -0400)]
klist: If we aren't being verbose, we don't need the full ticket
Asanka Herath [Fri, 27 Aug 2010 20:27:17 +0000 (16:27 -0400)]
Define KRB5_TC_NOTICKET
Asanka Herath [Thu, 26 Aug 2010 20:26:43 +0000 (16:26 -0400)]
Fix comment
Asanka Herath [Thu, 26 Aug 2010 20:25:13 +0000 (16:25 -0400)]
Additional MIT glue
Add compatible exports for:
krb5_auth_con_getsendsubkey()
krb5_auth_con_getrecvsubkey()
krb5_auth_con_setsendsubkey()
krb5_auth_con_setrecvsubkey()
Asanka Herath [Thu, 26 Aug 2010 20:23:42 +0000 (16:23 -0400)]
Deal with NULL or empty input for expand_path_tokens()
_krb5_expand_path_tokens() should return an empty string if the input
string is empty or NULL, instead of always returning a NULL for these
two cases.
Asanka Herath [Thu, 26 Aug 2010 20:21:46 +0000 (16:21 -0400)]
Don't rely on non-CCAPI v3 exports
krb5_ipc_client_set_target_uid() and krb5_ipc_client_clear_target()
may not be present in CCAPI plug-in. Don't rely on their existence.
Asanka Herath [Thu, 26 Aug 2010 20:21:06 +0000 (16:21 -0400)]
Windows: Don't ignore failure in test_addr from now on
Asanka Herath [Thu, 26 Aug 2010 20:10:32 +0000 (16:10 -0400)]
Windows: Add support for MSLSA: cache type using a plug-in
Asanka Herath [Thu, 26 Aug 2010 20:05:06 +0000 (16:05 -0400)]
Windows: Build thirdparty packages if there are any
Asanka Herath [Wed, 25 Aug 2010 15:14:53 +0000 (11:14 -0400)]
Fix line endings
Asanka Herath [Wed, 25 Aug 2010 15:11:47 +0000 (11:11 -0400)]
Windows: Annotate symbols for libkadm5srv
Asanka Herath [Wed, 25 Aug 2010 04:20:00 +0000 (00:20 -0400)]
Windows: Build test binaries for kadm5
Asanka Herath [Tue, 24 Aug 2010 10:05:04 +0000 (06:05 -0400)]
Windows: Remove test_hdbkeys from test-run
test_hdbkeys is not a standalone test app.
Asanka Herath [Tue, 24 Aug 2010 10:04:28 +0000 (06:04 -0400)]
Windows: Fix exports for libhdb
Asanka Herath [Tue, 24 Aug 2010 10:03:42 +0000 (06:03 -0400)]
Windows: Fix exports for libgssapi
Asanka Herath [Tue, 24 Aug 2010 08:31:15 +0000 (04:31 -0400)]
Windows: Decorate krb5_cc_copy_creds export definition
Asanka Herath [Tue, 24 Aug 2010 08:29:37 +0000 (04:29 -0400)]
Address of an imported symbol is not always a constant
On Windows, the address of a symbol imported from a DLL is not
considered a constant. Therefore, it can't be used to initialize
static data.
Asanka Herath [Tue, 24 Aug 2010 08:29:08 +0000 (04:29 -0400)]
Windows: Build hxtool with the correct options
Asanka Herath [Tue, 24 Aug 2010 08:27:51 +0000 (04:27 -0400)]
Windows: Regenerated libasn1-exports.def
Sorted and with data exports declared using DATA statements.
Asanka Herath [Tue, 24 Aug 2010 08:27:17 +0000 (04:27 -0400)]
Declare ASN.1 exported data using ASN1EXP
Asanka Herath [Tue, 24 Aug 2010 08:24:53 +0000 (04:24 -0400)]
Windows: Check for DATA symbols when scanning .obj files
The export symbol list for ASN.1 on Windows is generated by scanning
all the .obj files and extracting the symbols defined in them. The
generated list did not specify which were functions and which were
data symbols. This distinction is necessary for generating correct
import library stubs.
Asanka Herath [Tue, 24 Aug 2010 04:34:18 +0000 (00:34 -0400)]
Add roken/rename.c to fix non-standard rename()
roken/rename.c is for platforms where the native rename()
implementation does not replace the target if it already exists. This
implementation isn't atomic, but should be close enough for most
purposes.
For correct behavior, rk_rename() should be used instead of rename().
rk_rename() is #defined to be rename() on platforms where this fix is
not necessary.
Asanka Herath [Tue, 24 Aug 2010 04:07:27 +0000 (00:07 -0400)]
Additional test cases for test_addr.c
On platforms where we build our own inet_ntop(), exercise it a bit
more. Specifically for zero string compression of IPv6 addresses.
Asanka Herath [Tue, 24 Aug 2010 04:04:51 +0000 (00:04 -0400)]
Windows: Don't attempt to copy a string to a zero length buffer
It won't cause harm since strcpy_s() deals with zero length buffers,
but it invokes the invalid parameter handler, which can disrupt
execution on debug builds.
Asanka Herath [Tue, 24 Aug 2010 04:04:17 +0000 (00:04 -0400)]
strlcat() isn't supposed to access *dst past dst_sz
Try not to do that on platforms where we can avoid it.