oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
31,054 Commits 3 Branches 2 Tags
4bca716446f5649639663bdacfa86ab5608cb098
Commit Graph

18374 Commits

Author SHA1 Message Date
Michael Richardson
a0dcf9bffd if a CSR has multiple extRequests, keep only last 
The code already keeps the last entry, but it leaks the previous copies.  @nicowilliams noticed this.
 2026-01-19 00:18:47 -06:00
Nicolas Williams
76db37d833 sanon: Do not acquire creds for GSS_C_NO_NAME 2026-01-18 23:47:40 -06:00
fossdd
d233bf84d7 Use <poll.h> insted of <sys/poll.h> 
Acording to POSIX <poll.h> should be used instead of <sys/poll.h>.

Libcs like musl libc added a redict due maintain compat with older
glibcs and added the following warning:

	/usr/include/sys/poll.h:1:2: warning: #warning redirecting incorrect #include <sys/poll.h> to <poll.h> [-Wcpp]
	    1 | #warning redirecting incorrect #include <sys/poll.h> to <poll.h>
	      |  ^~~~~~~

Ref: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/poll.h.html
 2026-01-18 23:27:57 -06:00
Nicolas Williams
bbfc116686 gsskrb5: display_name(NO_NAME) should not crash (fix #1288) 2026-01-18 20:48:42 -06:00
Nicolas Williams
fa43b2d3c4 asn1: Fix UB in two tests 2026-01-18 19:06:17 -06:00
Nicolas Williams
a1dfcc8453 krb5: Constify krb5_kuserok() 2026-01-18 19:06:17 -06:00
Nicolas Williams
10732be94c gss: Constify gss_str_to_oid() 2026-01-18 19:06:17 -06:00
Taylor R Campbell
5589cf96c7 Sprinkle const and rk_UNCONST throughout the tests. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
56a6e7261b kadm5: Sprinkle const and rk_UNCONST for private string not modified. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
5373ab492f ipc: rk_UNCONST for private string not modified. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
a9f37d2597 libroken: Make roken_detach_prep take const char *special_arg. 
Requires an internal rk_UNCONST because of annoying execvp type, but
that's better than rk_UNCONST in all the call sites.
 2026-01-18 19:06:17 -06:00
Taylor R Campbell
5fec8989b5 gssapi: Sprinkle const and rk_UNCONST to pacify -Wwrite-strings. 
All for read-only krb5_data or gss_buffer_desc.
 2026-01-18 19:06:17 -06:00
Taylor R Campbell
9c1b2e963b krb5: Sprinkle const and rk_UNCONST to pacify -Wwrite-strings. 
Mostly for read-only iov or krb5_data.
 2026-01-18 19:06:17 -06:00
Taylor R Campbell
29da785a64 kadm5: Note strict aliasing violation. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
0eb423022f hdb: Label unconst abuse for read-only krb5_data. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
82225829a0 gss_preauth: Label unconst abuse with rk_UNCONST. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
cdd1fb8fc4 gssapi/sanon: Sprinkle const and rk_UNCONST. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
bbf6150cfd gssapi: Make gss_duplicate_oid{,_set} take gss_const_OID_t. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
04dcda3628 gssapi/spnego: Sprinkle const and rk_UNCONST. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
137939e0d2 gssapi: Make gss_add_buffer_set_member take gss_const_buffer_t. 
`const gss_buffer_t' was probably meant to be gss_const_buffer_t.

XXX This changes the type of a public symbol -- does thiat require a
version bump?
 2026-01-18 19:06:17 -06:00
Taylor R Campbell
34dc2dda57 gssapi/mech: Sprinkle const and rk_UNCONST. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
80545251a0 gssapi/krb5: Sprinkle some const, but mostly label unconst abuse. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
d17fed0c7f krb5/log: Note strict aliasing violation. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
c199e31fcd krb5/init_creds_pw.c: Label unconst abuse. 
API is just not type-safe here, bummer.
 2026-01-18 19:06:17 -06:00
Taylor R Campbell
18dcaf1ca7 krb5/get_cred: Sprinkle const and label & comment unconst abuse. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
4cb23c61c7 krb5/fcache: Sprinkle const; note strict aliasing violation. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
7726409b5c krb5/store: Label unconst abuse for read-only krb5_data. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
9907e29baa krb5/pac: Label unconst abuse for iov. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
709d317cc9 heim_openlog: Sprinkle const. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
270e0d819c krb5/deprecated: Nix const abuse. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
7ec6b6220d krb5/crypto: Label unconst abuse for iov. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
6da033336e krb5/context: Sprinkle const and note strict aliasing violation. 2026-01-18 19:06:17 -06:00
Taylor R Campbell
5c694deee9 _krb5_load_plugins: Sprinkle const. 2026-01-18 19:06:16 -06:00
Taylor R Campbell
3cc4861888 heim_load_plugins: Sprinkle const. 2026-01-18 19:06:16 -06:00
Taylor R Campbell
9765e2522b asn1: Mitigate const abuse and omit needless casts. 
There's still an abusive rk_UNCONST in _asn1_encode_open_type, but
that will take more effort to untangle.
 2026-01-18 19:06:16 -06:00
Taylor R Campbell
f494333624 base/json: Sprinkle const. 2026-01-18 19:06:16 -06:00
Taylor R Campbell
a578088705 heim_data_ref_create: Use rk_UNCONST. 
This API is used for both const and non-const strings, depending on
whether there is a deallocator passed or not, so the C type system
can't distinguish this for us.

XXX Perhaps this should be two separate APIs, one which takes
const-qualified pointers and one which takes non-const-qualified
pointers.
 2026-01-18 19:06:16 -06:00
Taylor R Campbell
f6d1dfd60f *.l: Fix old-style function definitions of yywrap. 2026-01-18 19:06:16 -06:00
Taylor R Campbell
a1d92fefbc Use rk_UNCONST with putenv("...") to pacify -Wwrite-strings. 2026-01-18 19:06:16 -06:00
Taylor R Campbell
7223924aeb roken/hostent_find_fqdn.c: Fix unnecessary const abuse. 2026-01-18 19:06:16 -06:00
Taylor R Campbell
ce43ff7b42 roken/getuserinfo.c: Fix various const abuse. 2026-01-18 19:06:16 -06:00
Nicolas Williams
1a82701a91 osx: Fix warnings/errors 2026-01-18 19:06:16 -06:00
Nicolas Williams
76fbb83e86 hx509: Add a JWT fuzzer 2026-01-18 19:06:16 -06:00
Nicolas Williams
2ff2cc04b8 base: Add a fuzzer for JSON 2026-01-18 19:06:16 -06:00
Nicolas Williams
ae7d6746d1 gsstool: Add GSS-based kinit-like acquire_cred cmd 
This has most of the features needed to act as a kinit that uses GSS
APIs, specifically gss_acquire_cred_from() and gss_store_cred_into2().

It's missing some functionality, such as being able to drive prompts
from AS responses (if we add minor status codes for representing KDC
pre-auth proposals, then we do drive prompts, but we would have to
encode a lot of mechanism-specific knowledge into gsstool).

The point of this commit is to explore:

 - GSS functionality for kinit-like actions

 - credential store key/value pairs supported by the mechanisms

 - document the credential store key/value pairs (in gsstool.1)

that might lead to further enhancements.  But gsstool acquire-cred
is quite functional at this point!
 2026-01-18 19:06:16 -06:00
Nicolas Williams
b804b22446 gsskrb5: Add cred store PKINIT and FAST options 2026-01-18 19:06:16 -06:00
Nicolas Williams
220a47b000 hx509: Add JOSE functionality 2026-01-18 19:06:16 -06:00
Nicolas Williams
dafe6323fb krb5: Restore 1DES and 3DES 2026-01-18 19:06:16 -06:00
Nicolas Williams
cbe156d927 Use OpenSSL 3.x _only_ and implement RFC 8636 
- No more OpenSSL 1.x support
 - Remove 1DES and 3DES
 - Remove NETLOGON, NTLM (client and 'digest' service)
 2026-01-18 19:06:16 -06:00
Nicolas Williams
02ce745c6e sl: Fix OS X build (bison) 2026-01-18 16:09:31 -06:00