First, bison (and probably flex and other pkgs) got published to the
chocolatey pacman repos compressed using ZST, which requires installing
zstd and broke our Appveyor builds.
Then someone published zstd compressed using ZST, which further broke
our Appveyor build by creating an irrecoverable chicken-egg situation:
pacman can't install zstd because it indirectly depends on zstd.
Possible fixes include trying to install the last version of zstd that
did not have this problem (zstd-1.4.4-2, ascertained from inspecting the
Appveyor build history).
This commit simply stops adding pacman-mirrors, and stops refreshing the
database, and this does get the Appveyor build going again.
ea90ca8666
("Move some infra bits of lib/krb5/ to lib/base/ (2)") introduced
struct heim_config_binding to heimbase.h and removed the
struct krb5_config_binding definition from krb5.h. It changed
the krb5_config_binding typedef to be based upon the heim_config_binding
typedef.
These changes broke out of tree callers of krb5_config_get_list()
and krb5_config_vget_list(). The internals of struct krb5_config_binding
are required by callers of krb5_config_get_list() and krb5_config_vget_list()
and the names must remain the same.
This change restores struct krb5_config_binding to krb5.h. The
structure cannot be changed because it is public and leaves struct
heim_config_binding as an independent structure definition within
heimbase.h. As a result struct heim_config_binding in heimbase.h must
remain binary compatible until such time as krb5_config_get_list() and
krb5_config_vget_list() are no longer supported.
Change-Id: I69b4fda3f656cc8daa8f5fcd0c7151cee222fc8c
Seen on Ubuntu 18.04 with
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
giving:
test_cipher.c: In function ‘test_cipher’:
test_cipher.c:299:19: error: suggest braces around empty body in an ‘if’ statement [-Werror=empty-body]
/* XXXX check */;
^
cc1: all warnings being treated as errors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Similar to f6e0d19cc0 but
fixed in the header by making it a proper static inline
function (as some callers treats it as one, so do it
for all now for consistency).
Seen on Ubuntu 18.04 with
giving:
In file included from getaddrinfo-test.c:36:0:
getaddrinfo-test.c: In function ‘main’:
roken.h:110:24: error: statement with no effect [-Werror=unused-value]
#define rk_SOCK_INIT() 0
^
getaddrinfo-test.c:132:5: note: in expansion of macro ‘rk_SOCK_INIT’
rk_SOCK_INIT();
^~~~~~~~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Seen on Ubuntu 18.04 with
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
giving:
rsa-ltm.c: In function ‘ltm_rsa_private_calculate’:
rsa-ltm.c:135:9: error: variable ‘where’ set but not used [-Werror=unused-but-set-variable]
int where = 0; /* Ignore the set-but-unused warning from this */
^~~~~
rsa-ltm.c: In function ‘gen_p’:
rsa-ltm.c:482:9: error: variable ‘where’ set but not used [-Werror=unused-but-set-variable]
int where = 0; /* Ignore the set-but-unused warning from this */
^~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This will make it harder to commit code that triggers warnings.
This list of allowed warnings is too long, but can be trimmed down
over time.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Seen with Ubuntu 18.04
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
mech/gss_krb5.c: In function ‘gss_krb5_ccache_name’:
mech/gss_krb5.c:501:18: error: the address of ‘buffer’ will always evaluate as ‘true’ [-Werror=address]
_mg_buffer_zero(&buffer);
^
mech/mech_locl.h:72:7: note: in definition of macro ‘_mg_buffer_zero’
if (buffer) { \
^~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The krb5_cc_ops structure is an extensible structure to which new
functionality has been added over the years.
Version zero was the original. It included all functions up to
and including get_default_name().
Version one added set_default().
Version two added lastchange().
Version three added set_kdc_offset() and get_kdc_offset().
Version four broke compatibility by modifying the signatures
of get_name() and resolve(). This was in change
7bf4d76e75 ("krb5: Improve cccol sub
naming; add gss_store_cred_into2()").
Version five restores the original signatures of get_name()
and resolve() and introduces get_name_2() and resolve_2() that
provide the additional cccol functionality.
This change
* introduces version five
* documents which functions are part of each version
* replaces KRB5_CC_OPS_VERSION with KRB5_CC_OPS_VERSION_0,
KRB5_CC_OPS_VERSION_1, KRB5_CC_OPS_VERSION_2, KRB5_CC_OPS_VERSION_3,
and KRB5_CC_OPS_VERSION_5. KRB5_CC_OPS_VERSION_4 is skipped
because of the aforementioned breakage.
* compatibility logic is added to permit ccache plugins to implement
any of version one, two, three, five or a future version.
* all in-tree krb5_cc_ops implementations are updated to version 5.
Change-Id: Iadfce01d10834bc6151939e4d9d196f03001626e
common_plugin.h is expected to be usable on its own.
For backward compatibility, restore the definitions of
KRB5_CALLCONV and KRB5_LIB_CALL.
Change-Id: I6d2239f91ab48b9a6b71816b5221807382dc5914
krb5_get_instance() is meant to ensure that the shared library
instance of heimdal loaded by a plugin matches the instance that
loaded the plugin. It works by declaring a static C string whose
memory address will be used as an instance identifier. If the
instance returned from the plugin matches the instance obtain
by the code that loads the plugin, then we can conclude the two
instances are the same.
This doesn't work on Windows 7. When heimdal.dll loads a plugin
that is linked to heimdal.dll, the plugin's heimdal.dll is always
a new instance. However, the requirement for plugin safety is
not that the plugin be the same instance in memory but that they
be the same instance on disk.
This change loads the path name and version string for the module
and generates a hash of those strings as an instance identifier.
Change-Id: I1c0651969e9738c5feecb0b323969d13efd4704d
This avoids these compiler warnings on Ubuntu 18.04
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
expand_path.c: In function ‘expand_token’:
expand_path.c:493:17: warning: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Wunused-result]
asprintf(&arg, "%.*s", (int)(token_end - colon - 1), colon + 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
log.c: In function ‘fmtkv’:
log.c:646:5: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
vasprintf(&buf1, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~
mech/context.c: In function ‘gss_mg_set_error_string’:
mech/context.c:212:5: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
(void) vasprintf(&str, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mech/context.c: In function ‘_gss_mg_log_name’:
mech/context.c:319:6: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
(void) vasprintf(&str, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mech/context.c: In function ‘_gss_mg_log_cred’:
mech/context.c:346:5: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
(void) vasprintf(&str, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kerberos5.c: In function ‘_kdc_set_e_text’:
kerberos5.c:338:5: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result [-Wunused-result]
vasprintf(&e_text, fmt, ap);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
ea90ca86664c73fb8d415f3cc7baacdf8a6dd685("Move some infra bits of
lib/krb5/ to lib/base/ (2)") forgot to add typedefs
heim_get_instance_func_t
krb5_get_instance_t
required for compilation of krb5_get_instance style plugins.
Change-Id: I3130f86034be1f9f79694eca0d1b309e247fd03f
Even though krb5_get_error_message() returns 'const char *' the
C-string is allocated and must be freed using krb5_free_error_message().
Change-Id: I8d4ef6fce12f113617443d15abadf51f1e04cf1a
This call
heim_warn(context, ret, "Ignoring", fname);
doesn't require the 'fname' paramter. Remove it.
Change-Id: Ia339568658306a903a64ff9e098f914e7387bdd7
At present Heimdal silently ignores included configuration files that
cannot be successfully opened or parsed. This is done to ensure that
an administrator or configuration management tool cannot lock users
out of a machine due to an editing mistake.
This change modifies heim_config_parse_file_multi() to warn the user
if a configuration file cannot be parsed or if an included ("include"
or "includedir") configuration file cannot be opened. Example warnings
for a configuration file starting with:
includedir c:/temp
where some of the matching file names cannot be parsed:
Ignoring: c:\temp\20170516:1: binding before section
or opened:
Ignoring: open or stat c:\temp\AUAA-83: Permission denied
A top level configuration file will also generate a warning if it
can be opened but cannot be parsed successfully produces
Ignoring: c:\temp\foo.cmd:1: binding before section
Ignoring: C:\ProgramData\Kerberos\krb5.conf:22: unmatched }
Change-Id: I455854156f4a61e1b7dad7f96601eca23d2368eb
Refactor heim_config_parse_file() to use a common exit and
ensure that 'newfname' is freed on all exit paths.
Change-Id: Ie805ce2f9d6cbd26a3b98dc944b40864945b6d80
A non-zero return value from heim_config_parse_debug() means there
was an failure to open or parse the configuration data. However, it
is not necessarily an error code. Callers when setting an error
message must use an error code.
This change to heim_config_parse_file_multi() and
heim_config_parse_string_multi() set an error code of
HEIM_ERR_CONFIG_BADFORMAT when setting the error message.
Change-Id: I534b9af1c50e32d79799a936cb6252dab99c2a64
In heim_config_parse_dir_multi() do not call heim_enomem(context)
when returning ENOMEM when a better error has already been set in
the context. Just return ENOMEM.
Change-Id: I9bd9de552b2b04b5a7328ac635e911d6e95422ef
The caller of heim_config_parse_debug() expects the output
parameters to be initialized even when the return code is non-zero.
This change initializes the output parameters in case the caller
did not. Not all code paths assign values to the output parameters
which can result in unexpected termination of the process when
an uninitialized stack pointer is assumed to be valid.
Change-Id: Ib7530a9f16ba3e1500a7e27ccdd8ad9f0492b464
not_found() is called internally with error code KRB5_CC_NOTFOUND
from find_cred() and get_cred_kdc_capath_worker() where a hard
coded error string "Matching credential not found" makes sense.
However, it is also called from krb5_get_creds() and
krb5_get_credentials_with_flags() with error codes that are
returned from the KDC where hiding the true error string
confuses the end user and hampers debugging.
This change replaces the hard coded string with the result
of krb5_get_error_message() and appends the service ticket
name.
Change-Id: I275c66c7b5783ae25029dce5b851cb389b118bcc
PATH_SEP is declared on Windows to be ";" and not ":"
by include/config.h.w32.
lib/base/context.c and lib/hx509.c must not override an existing
setting. Otherwise, file lists cannot be separated and will be
treated as a single file name.
Change-Id: I5521188faca36e41fbae95fbb8942970eab261c8
ea90ca8666 ("Move some infra bits of
lib/krb5/ to lib/base/ (2)") inappropriately altered the declaration
of the "ldebug" macro which stores the switches passed to "link.exe".
There is no "/RELEASE" switch and the "/DEBUG" switch instructs the
linker to produce files containing debug symbols (.pdb) which are
required for generating the Windows assemblies.
This change restores the prior behavior.
Change-Id: I61b8fd4759ba84671858f7c8275dbd25af1638e6
KRB5_USE_PATH_TOKENS cannot be used within lib/base as its value
is declared in lib/krb5/krb5.h. Declare HEIM_BASE_USE_PATH_TOKENS
in lib/base/baselocl.h and test for it in
heim_config_parse_file_multi().
By conditionalizing heim_config_parse_file_multi() behavior on
KRB5_USE_PATH_TOKENS heim_expand_path_tokens() is not executed
and open() is called on a path without token substitution. As a
result open() always fails with ENOENT.
Change-Id: I29dc018bc560519b76314232b2d51f53bde6313c
libtommath 1.2.0 c403b66082
("hcrypto: import libtommath v1.2.0") needs more from stdint.h
than what Heimdal previously declared. Add more integer type
declarations and integer MIN/MAX macros.
Also, on Windows declare 64-bit integers using __int64 as
"long long" is not supported as 64-bit type across all visual
studio compiler versions.
Change-Id: I944bedc67bcb26374ffb30eb3dfd7c6108a98fc3
When a function is assigned to a function pointer that is declared
with a particular calling convention, then the assigned function
must be declared with that calling convention as well. Otherwise,
kaboom!!!
The following functions are fixed by this change:
kuser/kx509.c
validate1()
add1_2chain()
lib/base/log.c
log_syslog()
close_syslog()
log_file()
close_file()
lib/gssapi/mech/context.c
gss_set_log_function()
lib/krb5/kx509.c
certs_export_func()
Change-Id: Ib68abf739e3385e98136fa4e4f5a0240e9fce033
Some pacman packages are now being compressed with the ZST algorithm,
but pacman can't handle that unless we first install `zstd`. This
commit does that.
SAnon unconditionally sets the replay, sequence, confidentiality, and integrity
flags on the acceptor; do so on the initiator as well. Some indentation
cleanups are also included in this commit.
In SAnon, the optional flags send in the initial context token are input into
the key derivation function. Mask out the flags we wish to ignore after (not
before) calling the key derivation function, as the initiator may not know
which flags we wish to ignore.
In SAnon:
The is_initiator bitfield must be unsigned to avoid undefined behaviour, as
there is only a single bit defined. Thanks to Nico Williams for explaining
this.
