Commit Graph

2055 Commits

Author SHA1 Message Date
Luke Howard
0c0ac807c1 roken: socket test style fixes
Make error reporting in socket test programs consistent with other usages by
removing redundant newline, using strerror() and reporting error in
parentheses.
2020-08-31 16:02:09 +10:00
Jeffrey Altman
51912c0215 roken: introduce rk_socket_set_keepalive
Change-Id: I3086a10cd3d23bef00336f5db7db3a35ca02d568
2020-07-24 01:32:34 -04:00
Andrew Bartlett
bf3c4219fe Make rk_SOCK_INIT an inline function and check the result to avoid warnings
Similar to f6e0d19cc0 but
fixed in the header by making it a proper static inline
function (as some callers treats it as one, so do it
for all now for consistency).

Seen on Ubuntu 18.04 with

giving:

In file included from getaddrinfo-test.c:36:0:
getaddrinfo-test.c: In function ‘main’:
roken.h:110:24: error: statement with no effect [-Werror=unused-value]
 #define rk_SOCK_INIT() 0
                        ^
getaddrinfo-test.c:132:5: note: in expansion of macro ‘rk_SOCK_INIT’
     rk_SOCK_INIT();
     ^~~~~~~~~~~~

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-05-28 11:10:57 -04:00
Jeffrey Altman
d4c0d34548 lib/krb5: krb5_get_instance does not work on Windows 7
krb5_get_instance() is meant to ensure that the shared library
instance of heimdal loaded by a plugin matches the instance that
loaded the plugin.  It works by declaring a static C string whose
memory address will be used as an instance identifier.  If the
instance returned from the plugin matches the instance obtain
by the code that loads the plugin, then we can conclude the two
instances are the same.

This doesn't work on Windows 7.  When heimdal.dll loads a plugin
that is linked to heimdal.dll, the plugin's heimdal.dll is always
a new instance.  However, the requirement for plugin safety is
not that the plugin be the same instance in memory but that they
be the same instance on disk.

This change loads the path name and version string for the module
and generates a hash of those strings as an instance identifier.

Change-Id: I1c0651969e9738c5feecb0b323969d13efd4704d
2020-05-27 23:22:40 -05:00
Jeffrey Altman
f77618ef15 roken: stdint.hin libtommath 1.2.0 needs more
libtommath 1.2.0 c403b66082
("hcrypto: import libtommath v1.2.0") needs more from stdint.h
than what Heimdal previously declared.  Add more integer type
declarations and integer MIN/MAX macros.

Also, on Windows declare 64-bit integers using __int64 as
"long long" is not supported as 64-bit type across all visual
studio compiler versions.

Change-Id: I944bedc67bcb26374ffb30eb3dfd7c6108a98fc3
2020-05-26 11:48:45 -05:00
Nicolas Williams
9794f02245 roken: fix valgrind leak noise 2020-04-24 16:02:35 -05:00
Luke Howard
1c74afb01a roken: add mergesort_r()
Add mergesort_r() as a stable sort function that can be used by other
components of Heimdal. Note that there is no standardized prototype for this
function, however it appears that both FreeBSD and glibc would adopt the glibc
convention (where the private data argument appears last). See:

    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214248
2020-04-12 13:25:09 -05:00
Nicolas Williams
64d5f86ec3 Fix warnings (some bugs, some spurious)
Many spurious VC warnings not quieted though.
2020-03-12 21:02:09 -05:00
Nicolas Williams
a7359d6898 roken: Add mkdtemp() 2020-03-02 17:48:04 -06:00
Nicolas Williams
77619f245d roken: Add base32 2020-03-02 17:48:04 -06:00
Luke Howard
3daef8a5fd roken: Windows version support helpers
Add helper functions for determining the version of Windows upon which we are
running.
2019-12-05 20:20:28 -05:00
Nicolas Williams
f9a0e8f076 roken: add rkbase64 noinst program
This will be useful in tests.
2019-12-04 13:40:28 -06:00
Nicolas Williams
982ba80b6e roken: fix leak in roken_detach_prep() 2019-12-04 13:40:28 -06:00
Roland C. Dowdeswell
8b20d436d9 disable test-detach on Windows 2019-11-20 18:14:44 -05:00
Nicolas Williams
56c5f5909e roken: Add rkvis program for test scripts
This will help programs that need to URL-escape strings.

Also, this changes `do_hvis()` to not fallback on `do_svis()` for chars in
`extra` -- that `do_hvis()` was doing that seems like an oversight.  Christos
Zoulas, of NetBSD, agrees.  `do_hvis()` still falls back on `do_svis()` for
characters not in the RFC 1808 / 3986 to-be-escaped set *and* characters not in
the `extra` set -- that much seems to have been the intent.
2019-11-19 22:33:20 -06:00
Nicolas Williams
4981cfc420 roken: base64: set errno on decode errors 2019-11-18 17:28:32 -06:00
Roland C. Dowdeswell
a8b749685c include <sys/exec_elf.h> if it's available.
This fixes the auxval logic on NetBSD.
2019-11-18 14:20:19 -06:00
Viktor Dukhovni
12826c9586 Handle partial writes on non-blocking sockets
Now that we're using krb5_net_write() with non-blocking sockets in
ipropd_master, we MUST correctly account for partial writes.

Therefore, roken net_write() called from krb5_net_write() now
returns the number of bytes written when the socket error was
EWOULDBLOCK (or EAGAIN).

Also, fix potential issue on Windows, where errno was used instead
of rk_SOCKET_ERRNO whether or not we used _write() or send().
2019-11-06 20:27:58 -05:00
Nicolas Williams
8af2d79d35 hx509: Add missing CSR extension request support
This is necessary in order to add proper support for CSRs in kx509,
where the KDC can examine all requested KUs/EKUs/SANs, check
authorization, and issue a certificate with all those extensions if
authorized.

This is the convention used by OpenSSL, of encoding all the KU, EKUs,
and SANs being requested as Extensions as they would appear in the
TBSCertificate, then putting those in as a single Attribute in the CSR's
Attributes list with attribute OID {id-pkcs-9, 14}.

 - expose all hx509_request_*() functions
 - finish support in hx509_request_parse*() for KU, EKU, and SAN CSR
   attributes
 - finish support in hx509_request_to_pkcs10() for encoding all
   requested KU, EKU, and SAN extensions as a CSR extReq (extension request)
 - add hx509_request_add_*() support for:
    - id-pkinit-san and ms-upn-pkinit-san
    - XMPP (Jabber) SAN
    - registeredID (useless but trivial)
 - add hxtool request-create options for all supported SANs
 - add hxtool request-create options for KeyUsage
 - add hxtool request-create options for ExtKeyUsage
 - add hxtool request-print support for all these things
 - fix bugs in existing id-pkinit-san handling

Possible future improvements

 - add HX509_TRACE env var and support (it would be nice to be able to
   observe why some certificate is rejected, or not matched in a query)
 - add testing that CSR creating and printing round-trip for all KUs,
   EKUs, and SANs
   (probably in tests/kdc/check-pkinit.in)
 - add testing that OpenSSL can print a CSR made by hxtool and
   vice-versa
 - hxtool ca: add KU sanity checking (via hx509_ca_sign() and/or friends)
   (don't allow encrypt for signing-only algs)
   (don't allow encrypt for RSA at all, or for RSA with small e exponents)
 - hxtool request-print: warn about all unknown attributes and
   extensions
 - hxtool ca: MAYBE add support for adding requested extensions from the
   --req=CSR
   ("Maybe" because CA operators should really verify and authorize all
    requested attributes, and should acknowledge that they have, and the
    simplest way to do this is to make them add all the corresponding
    CLI arguments to the hxtool ca command, but too, that is
    error-prone, thus it's not clear yet which approach is best.
    Perhaps interactively prompt for yes/no for each attribute.)
 - add additional SAN types:
    - iPAddress                 (useless?)
    - dNSSrv                    (useful!)
    - directoryName             (useless, but trivial)
    - uniformResourceIdentifier (useful)
 - it would be nice if the ASN.1 compiler could generate print
   functions..., and/or even better, to-JSON functions
 - it would be nice if we had a known-OID db, including the names of the
   types they refer to in certificate extensions, otherName SANs and CSR
   attributes, then we could generate a CSR and certificate printer for
   all known options even when they are not supported by the rest of
   Heimdal
    - and we could also get friendly names for OIDs, and we could
      resolve their arc names
    - longer term, we could also stand to add some ASN.1 information
      object system functionality, just enough to make
      lib/hx509/asn1_print awesome by being able to automatically decode
      all heim_any and OCTET STRING content (better than its current
      --inner option)
2019-10-08 22:20:40 -05:00
Nicolas Williams
96d1e80bda roken: add mkostemp() 2019-10-03 13:09:18 -05:00
Nicolas Williams
f31cdc30b2 roken: add rk_memmem() 2019-10-03 13:09:18 -05:00
Nicolas Williams
34728ce79e rk_base64_encode(): set errno in all error cases 2019-10-03 13:09:18 -05:00
Nicolas Williams
1ae941af9b roken_detach_prep() should return fd 2019-10-03 13:09:18 -05:00
Nicolas Williams
141289f14b roken: add roken_get_loginname() 2019-09-25 23:09:20 -05:00
Rod Widdowson
e143639400 Windows: Windows CRT doesn't support %k as format for strftime
The fix involves:
  - Removing HAVE_STRFTIME from config.h.w32
  - Adding strftime.c to the makefile
  - Defining timezone and tzname to their windows equivalent
    for the compile of this module
2019-05-22 09:47:59 -04:00
Jeffrey Altman
e60955e835 roken: getuserinfo WIN32 fix username string termination
95eb83c424 ("roken: Add roken_get_username() and friends")
failed to copy the username C-String NUL terminator.  As a result
a "DOMAIN\user" is returned as "userIN\user".

Change-Id: I10027e4eef18364074eecf385fa9fab1ae68dbe7
2019-05-02 13:42:01 -04:00
Rod Widdowson
f1b27d77cd Windows: Make getaddrinfo-test work
Before we call gettaddrinfo we have to call rx_SOCK_INIT

In order to exercise the test we have to supply parameters to the command line
2019-03-25 16:38:56 -07:00
Jeffrey Altman
43a34f6663 roken: tsearch use rk_UNCONST instead of __DECONST #307
The rk_UNCONST macro exists because neither __DECONST nor uintptr_t
are available on all platforms (for example, AIX).

Change-Id: Ie36f0dd7a9ce454d411761ee4dbd6fc1f7c6692c
2019-02-21 15:46:51 -05:00
Jeffrey Altman
f0d9289d86 roken: fix strtoll
b10ad7eb57
("roken: strtoll.c negation is a no-op on unsigned integer")
broke strtoll() by failing to assign 'ret' in the success case.

Change-Id: I30535d83a2bef305140f1a6bd1ed2eeba23db9b9
2019-01-22 00:02:57 -05:00
Jeffrey Altman
9ce2683f2d roken: strtoull.c negation is a no-op on unsigned integer
strtoull() returns an unsigned long long.  However, then the input
string represents a negative number the return value is supposed to
be the unsigned representation of the negative value.  Before applying
the negation the value must be cast to (long long).

Change-Id: Icf9e75400ff736819b1f7e0e6fb3c8abd707a23a
2019-01-21 22:28:02 -05:00
Jeffrey Altman
b10ad7eb57 roken: strtoll.c negation is a no-op on unsigned integer
strtoll() returns a signed long long not an unsigned long long.
When applying the negation for negatives the value must be cast
from unsigned to signed and then stored in a signed variable
before returning it.

Change-Id: If568afd2509d27c7bf206ca59d32ca150cb34857
2019-01-21 22:25:19 -05:00
Jeffrey Altman
3bbd8663b0 WIN32: fix roken build
__declspec not _declspec

Include "err.h" not <err.h>

Include "roken.h" before "err.h"

Indent "#if" as "# if" within roken.h.in when CPP rules must be copied
into the generated "roken.h".

Correct verr() attribute to be ROKEN_LIB_NORETURN_FUNCTION.

Change-Id: I4289ecaba4a097175b4a5a1cde529b59038c72e3
2019-01-21 22:04:06 -05:00
Nicolas Williams
a3a8c1e4a4 ASN.1: Support wider bit sets (fix #514) 2019-01-15 13:21:25 -06:00
Nicolas Williams
99188ea797 Bump roken SONAME version (fix #279) 2019-01-04 12:49:58 -06:00
Luke Howard
befe1b8f90 always load plugins with RTLD_LOCAL/RTLD_GROUP if available 2019-01-03 20:06:27 -06:00
Nicolas Williams
7c449afbf8 Fix lib/roken test macro redefinition 2019-01-02 13:56:04 -05:00
Nicolas Williams
299fbf5dac Fix warning in roken test on Windows 2019-01-02 13:56:04 -05:00
Jeffrey Altman
bec4818943 WIN32: hint noreturn functions
apply __declspec(noreturn) compiler hints to functions that
do not return.

Change-Id: I3c6c4703c7235d1df3e21dccad5272ea4cddfd36
2019-01-02 10:23:39 -06:00
Jeffrey Altman
c1c98d3cfd lib/roken: is_special_auxv_p test for AT_HWCAP2
fix breakage introduced by 6341132175
("roken: fix build breakage, AT_HWCAP2 may be undefined (#446)").
Detected by Coverity.

Change-Id: Iefdb73d4392e5184a69a99208945ece6b7b8ecb3
2019-01-01 14:59:19 -05:00
Jeffrey Altman
134b53ead1 lib/roken: roken_get_shell unreachable code warning
When WIN32 is undefined an unreachable code warning was generated
since "/bin/sh" is returned as the default resposne.

Change-Id: I757c9d05db62c1d52fee0e510259098d73273a84
2018-12-28 14:31:21 -05:00
Jeffrey Altman
434f76bcb7 lib/roken: rk_random_init HAVE_ARC4RANDOM #401
When arc4random() is available, rk_random_init() does not have to
call arc4random_stir().  ac4random_stir() will be called as a result
of the first call to arc4random().

Change-Id: I6f4a3be7c39752746657945ed15896472908f889
2018-12-26 16:49:06 -06:00
Luke Howard
6ce1aa84c5 Remove rk_getpw*_r() functions 2018-12-25 22:11:19 -06:00
Nicolas Williams
3f1451a4c3 Remove get_default_username() 2018-12-25 22:11:19 -06:00
Nicolas Williams
95eb83c424 roken: Add roken_get_username() and friends
We add roken_get_{shell, username, appdatadir, homedir}() functions.  These use
a combination of secure_getenv(), getpwuid_r(), getlogin_r(), or various WIN32
functions to get this information.

Use roken_get_appdatadir() instead of roken_get_homedir() when looking for
dotfiles.
2018-12-25 22:11:19 -06:00
Nicolas Williams
073ffd0423 roken: Make sure we have MAX_PATH 2018-12-25 22:11:19 -06:00
Nicolas Williams
a152c4c808 Remove k_getpwnam() and k_getpwuid() 2018-12-25 22:11:19 -06:00
Nicolas Williams
784637709b Remove unix_verify_user() 2018-12-25 22:11:19 -06:00
Nicolas Williams
8fae8a1826 Remove iruserok() 2018-12-25 22:11:19 -06:00
Nicolas Williams
3b8c762dd0 Remove lib/roken glob()
We no longer use it since removing ftp from appl/.

Note that expansion of ~username/ couldn't have been working because
k_getpwnam() was being called with an unsigned short * that was forcibly
cast to char *, but it really was shorts, not chars...  Anyone who ever
feels like reviving lib/roken/glob.[ch] will want to fix that...
2018-12-25 22:11:19 -06:00
Nicolas Williams
af9e938867 Fix infinite loop in print_units_table() 2018-12-25 22:11:19 -06:00