The ASN.1 functions copy_Realm(), copy_PrincipalName() and
copy_EncryptionKey() can fail. Check the return and perform error
handling as appropriate.
Change-Id: I2b3629d19db96eb41d1cd554cef1dca99745e753
When comparing the first component of a multi-component
string that uses a field separator (e.g., '/' or ':'), be sure
to include the separator in the comparison to ensure that the
comparison does not succeed due to a prefix match.
Change-Id: Ieec3e73cb015a83bb652ec11cd7d83e57755c3d2
Fix the numeric error value comparison performed by error_cmp().
Identified by AppChecker and previously fixed by Darwin.
Change-Id: I0a72fd381bef0b34b7e7d155bfff03ab4196d38e
if defined(HAVE_GETAUXVAL) && !defined(GETAUXVAL_SETS_ERRNO) the
stack variable declaration for 'a' is missing:
const auxv_t *a
Declare 'a' so that Heimdal can build again.
Change-Id: If64dd497f240688b76f3dd6139ac68c2ff149a0e
When obtaining a remote TGT krbtgt/REALM2@REALM2, an intermediate
cross-realm TGT obtained for krbtgt/REALM2@REALM1 is not equivalent
to the TGT we seek, and must not be stored under its name.
When the cred passed krb5_build_ap_req() has a different name for the actual
ticket (e.g., because the entry came from a ccache with an alias name as the
entry name) then we were putting a Ticket on the wire with the name from the
cred rather than from the Ticket in the cred. We don't think this is intended
or desirable. The server should see the Ticket _exactly_ as minted by the KDC.
Perhaps AP-REQ should have used an OCTET STRING to contain the Ticket given that
Ticket is a PDU, which would make a byte-for-byte copy trivial, but as it is it
uses Ticket instead. Therefore this commit has it decode the Ticket from the
cred and then C struct assign that value to the AP-REP's ticket field -- this
then copies the Ticket as exactly as vended.
If the file is not a regular file, the 'fname' buffer will be freed
before it is passed to the krb5_set_error_message() routine. That
this is true is not obvious from code inspection but 'newfname'
and 'fname' refer to the same memory.
Change-Id: I7780eae9ceaf01b245df488a2f7d7f406770864f
Must export hdb_generate_key_set_password_with_ks_tuple() on Windows
which was introduced in 4303174a49.
Change-Id: Iea2993a17aba44c7cb0360716138c26239254e05
The change to the signature of hdb_generate_key_set_password() in
Heimdal 7.1 broke API/ABI compatibility with previous releases. We
fix this by renaming it hdb_generate_key_set_password_with_ks_tuple()
and creating a new hdb_generate_key_set_password() which calls our
new function with zeroes for the added arguments.
Issue #246https://github.com/heimdal/heimdal/issues/246
Each KDC is a kx509 server. The service principal must be of the
form
kca_service/<localhost.domain>@<DEFAULT_REALM>
where localhost.domain is the hostname returned by gethostname()
and <DEFAULT_REALM> is one of the realms for which the KDC has a service
principal "kca_service/<localhost.domain>".
The matching code was broken by a5e77c578e
when krb5_sname_to_principal() began to always return a referral
principal.
Since the second component is a host name update the default principal
type for service "kca_service" to be KRB5_NT_SRV_HST.
Change-Id: I6bd5f90b674ebb7220d8efafa6d339fdc21e1a07
Commit 7dc4481ed2 which changed from
pidfile -> rk_pidfile was incomplete. Must handle the NO_PIDFILE case.
Change-Id: Ifc0b135e1fa7abdf4e370ad4b8fe2eb1305760f5
