Under C99, Sec 6.2.4, paragraph 2:
The value of a pointer becomes indeterminate when the object it
points to reaches the end of its lifetime.
`Indeterminate' (3.17.2) includes a trap representation, and any
reference to a trap representation is undefined behaviour. Thus,
after realloc(res, ...) succeeds, any reference to res (or p) is
undefined behaviour.
So, instead of using `p - res` after res has been freed, use the
existing name for the value we know it has now: len. (We could also
use alloced because p == end in this branch, and end = res + alloced,
and p = res + len. Of course, we would have to move it up a line to
before we update alloced to have a different value.)
fix https://github.com/heimdal/heimdal/issues/1164
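
The pattern this commit message describes, as an added example that is not Heimdal's code: a hypothetical `dup_growing()` grows a buffer with realloc() and rebuilds its pointers from the integer `len` instead of computing `p - res` from the stale pointers. The names res, p, end, len and alloced follow the message; the function and its doubling policy are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from Heimdal): copy the bytes of `src` into a
 * heap buffer that starts small and doubles when full. The result is not
 * NUL-terminated; its length is returned through *out_len. */
char *
dup_growing(const char *src, size_t *out_len)
{
    size_t alloced = 4, len = 0;
    char *res = malloc(alloced);
    char *p, *end, *tmp;

    if (res == NULL)
        return NULL;
    p = res;
    end = res + alloced;

    for (; *src != '\0'; src++) {
        if (p == end) {
            /* Buffer full: p == end here, so len == alloced. */
            if (alloced > SIZE_MAX / 2) {
                free(res);
                return NULL;
            }
            tmp = realloc(res, alloced * 2);
            if (tmp == NULL) {
                free(res);  /* on failure the old block is still valid */
                return NULL;
            }
            /* On success the old values of res and p are indeterminate,
             * so `p = tmp + (p - res)` would be undefined behaviour.
             * Rebuild every pointer from tmp and the integers instead. */
            res = tmp;
            p = res + len;
            alloced *= 2;
            end = res + alloced;
        }
        *p++ = *src;
        len++;
    }
    *out_len = len;
    return res;
}
```
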
- Add an import command that imports JSON as output by
  `ktutil list --json --keys`.
  This enables one to filter/edit keytabs with jq!
- Add a `merge` alias for the `copy` command, since that's effectively
  what it does.
- Add a `--copy-duplicates` option to the `copy`/`merge` command.
- Add a `--no-create` option to the `get` command.
- Add a `--no-change-keys` option to the `get` command.
- Make `add` complain if it can't finish writing to the keytab.
Now that we always enforce password quality policies, ktutil get fails
because it uses "x" as a password when creating a principal.
Of course, it's probably a misfeature that ktutil get creates principals when
they don't exist...
- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
  commands. Default behavior to "prune old keys".
- When setting keys for a service, we need to specify enctypes for it:
  - Always use kadm5_randkey_principal_3() instead of the older
    kadm5_randkey_principal().
  - Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
    but with a context, and simpler.
  - Add --enctypes options to various kadmin/ktutil commands.
  - Add [libdefaults] supported_enctypes param with enctype[:salttype]
    list.
  - Add [realms] realm supported_enctypes param with enctype[:salttype]
    list.
    Default to aes128-cts-hmac-sha1-96:normal.
This adds a new backend for libhcrypto: the OpenSSL backend.
Now libhcrypto has these backends:
- hcrypto itself (i.e., the algorithms coded in lib/hcrypto)
- Common Crypto (OS X)
- PKCS#11 (specifically for Solaris, but not Solaris-specific)
- Windows CNG (Windows)
- OpenSSL (generic)
The ./configure --with-openssl=... option no longer disables the use of
hcrypto. Instead it enables the use of OpenSSL as a (and the default)
backend in libhcrypto. The libhcrypto framework is now always used.
OpenSSL should no longer be used directly within Heimdal, except in the
OpenSSL hcrypto backend itself, and files where elliptic curve (EC)
crypto is needed.
Because libhcrypto's EC support is incomplete, we can only use OpenSSL
for EC. Currently that means separating all EC-using code so that it
does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has
been moved out of the files it used to be in.
Support for manipulating srvtabs was previously removed, but there
were still remnants in command documentation in the ktutil man page
and some declared and exported variables for the keytab ops
definitions for srvtab manipulation. Remove these additional
remnants.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>