Make error reporting in socket test programs consistent with other usages by
removing redundant newline, using strerror() and reporting error in
parentheses.
The deprecated OSAtomicCompareAndSwapPtrBarrier() function is used by a code
path only taken on macOS systems with a single CPU. As very few Macs have a
single CPU today, remove this optimization. (Replacing it with <stdatomic.h> as
suggested would break compatability with macOS prior to 10.12.)
Rename heim_base_atomic_max to heim_base_atomic_integer_max (ditto with _type)
in order to better reflect their usage, now we have a separate
heim_base_atomic() macro for making an atomic version of any type.
heim_base_exchange_32() and heim_base_exchange_64() inline functions for
platforms without atomics were missing (these are very inefficient but,
clearly rarely used given the lack of build error reports)
On Windows i386 the asn1 tests would crash due to stack corruption
as a result of functions being executed with the wrong calling
conventions.
Change-Id: Ic4f8b3a05dad36e3db6397fbd9270b98f0a5dfc5
The code generators were shifting "1LU" by (<< 32) and (<< 63) which
are undefined operations for a 32-bit integer. To ensure the integer
is 64-bit use "1ULL".
Change-Id: I062cae5638139a9fe51563f64b1964f87e2f49e3
acquire_cred_with_password() must call
krb5_get_init_creds_opt_set_default_flags() to initialize the
krb5_get_init_creds option flags to the values obtained from
the krb5_context.
Change-Id: Icd8c500dd0787a781c2382284f19cef277b1d30b
gss_unwrap_iov() with rc4-hmac (RFC4757) encryption types would fail unless
GSS_C_DCE_STYLE was specified, as an incorrect length was passed to
_gssapi_verify_mech_header(). (The correct length is the header length for
GSS_C_DCE_STYLE, and the wrap token length otherwise.)
RFC 4121/4757 don't require padding as they operate as stream ciphers. Make the
PADDING buffer optional when using these encryption types with gss_wrap_iov()
and gss_unwrap_iov().
Our initiator supports configuration-driven delegation of destination
TGTs.
This commit adds acceptor-side handling of destination TGT policy to
reject storing of non-destination TGTs when destination TGTs are
desired.
Currently we use the same appdefault for this.
Background:
A root TGT is one of the form krbtgt/REALM@SAME-REALM.
A destination TGT is a root TGT for the same realm as the acceptor
service's realm.
Normally clients delegate a root TGT for the client's realm.
In some deployments clients may want to delegate destination TGTs as
a form of constrained delegation: so that the destination service
cannot use the delegated credential to impersonate the client
principal to services in its home realm (due to KDC lineage/transit
checks). In those deployments there may not even be a route back to
the KDCs of the client's realm, and attempting to use a
non-destination TGT might even lead to timeouts.
Using syscall() directly on macOS has been deprecated since 10.12. The value of
AFS_SYSCALL on libkafs overlaps with SYS_poll, causing k_hasafs() to hang on
macOS 11.0. Remove the AFS_SYSCALL macro to disable the AFS syscall on macOS.
_gsskrb5_init_sec_context() when called with GSS_C_NO_CREDENTIAL
opens the default ccache and sets the CLOSE_CCACHE flag indicating
that the ccache lifetime is tied to the gsskrb5_ctx. When
_gsskrb5_delete_sec_context() is called, it must close the ccache
if the CLOSE_CCACHE flag is set. Otherwise, the ccache resources
will leak.
Leaked since 39fe446983.
Change-Id: I8d0faab1e844d68fe71b11b715f8d88fcd2f4af7
hx509_context_free() must call heim_config_file_free() on
the hx509_context.cf section binding. Otherwise the memory
is leaked.
Change-Id: Ib3350a5be67203904fc1aee727c342c3ed552978
When the "KRB5_CONFIG" is unset on Windows, the registry values
HKLM\Software\Heimdal "config"
HKCU\Software\Heimdal "config"
are used. The migration of krb5_config to heimbase failed to
differentiate between KRB5_CONFIG, HX509_CONFIG, etc. The above
registry values are only for the KRB5_CONFIG.
This change permits the envvar name to be searched for in the
registry. For HX509_CONFIG the registry values
HKLM\Software\Heimdal "HX509_CONFIG"
HKCU\Software\Heimdal "HX509_CONFIG"
will be searched for configuration information.
Change-Id: I140945fa603d668d270eb5d740a11edc6fc121d7
ea90ca8666
("Move some infra bits of lib/krb5/ to lib/base/ (2)") introduced
struct heim_config_binding to heimbase.h and removed the
struct krb5_config_binding definition from krb5.h. It changed
the krb5_config_binding typedef to be based upon the heim_config_binding
typedef.
These changes broke out of tree callers of krb5_config_get_list()
and krb5_config_vget_list(). The internals of struct krb5_config_binding
are required by callers of krb5_config_get_list() and krb5_config_vget_list()
and the names must remain the same.
This change restores struct krb5_config_binding to krb5.h. The
structure cannot be changed because it is public and leaves struct
heim_config_binding as an independent structure definition within
heimbase.h. As a result struct heim_config_binding in heimbase.h must
remain binary compatible until such time as krb5_config_get_list() and
krb5_config_vget_list() are no longer supported.
Change-Id: I69b4fda3f656cc8daa8f5fcd0c7151cee222fc8c
Seen on Ubuntu 18.04 with
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
giving:
test_cipher.c: In function ‘test_cipher’:
test_cipher.c:299:19: error: suggest braces around empty body in an ‘if’ statement [-Werror=empty-body]
/* XXXX check */;
^
cc1: all warnings being treated as errors
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Similar to f6e0d19cc0 but
fixed in the header by making it a proper static inline
function (as some callers treats it as one, so do it
for all now for consistency).
Seen on Ubuntu 18.04 with
giving:
In file included from getaddrinfo-test.c:36:0:
getaddrinfo-test.c: In function ‘main’:
roken.h:110:24: error: statement with no effect [-Werror=unused-value]
#define rk_SOCK_INIT() 0
^
getaddrinfo-test.c:132:5: note: in expansion of macro ‘rk_SOCK_INIT’
rk_SOCK_INIT();
^~~~~~~~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Seen on Ubuntu 18.04 with
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
giving:
rsa-ltm.c: In function ‘ltm_rsa_private_calculate’:
rsa-ltm.c:135:9: error: variable ‘where’ set but not used [-Werror=unused-but-set-variable]
int where = 0; /* Ignore the set-but-unused warning from this */
^~~~~
rsa-ltm.c: In function ‘gen_p’:
rsa-ltm.c:482:9: error: variable ‘where’ set but not used [-Werror=unused-but-set-variable]
int where = 0; /* Ignore the set-but-unused warning from this */
^~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Seen with Ubuntu 18.04
gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
mech/gss_krb5.c: In function ‘gss_krb5_ccache_name’:
mech/gss_krb5.c:501:18: error: the address of ‘buffer’ will always evaluate as ‘true’ [-Werror=address]
_mg_buffer_zero(&buffer);
^
mech/mech_locl.h:72:7: note: in definition of macro ‘_mg_buffer_zero’
if (buffer) { \
^~~~~~
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The krb5_cc_ops structure is an extensible structure to which new
functionality has been added over the years.
Version zero was the original. It included all functions up to
and including get_default_name().
Version one added set_default().
Version two added lastchange().
Version three added set_kdc_offset() and get_kdc_offset().
Version four broke compatibility by modifying the signatures
of get_name() and resolve(). This was in change
7bf4d76e75 ("krb5: Improve cccol sub
naming; add gss_store_cred_into2()").
Version five restores the original signatures of get_name()
and resolve() and introduces get_name_2() and resolve_2() that
provide the additional cccol functionality.
This change
* introduces version five
* documents which functions are part of each version
* replaces KRB5_CC_OPS_VERSION with KRB5_CC_OPS_VERSION_0,
KRB5_CC_OPS_VERSION_1, KRB5_CC_OPS_VERSION_2, KRB5_CC_OPS_VERSION_3,
and KRB5_CC_OPS_VERSION_5. KRB5_CC_OPS_VERSION_4 is skipped
because of the aforementioned breakage.
* compatibility logic is added to permit ccache plugins to implement
any of version one, two, three, five or a future version.
* all in-tree krb5_cc_ops implementations are updated to version 5.
Change-Id: Iadfce01d10834bc6151939e4d9d196f03001626e
common_plugin.h is expected to be usable on its own.
For backward compatibility, restore the definitions of
KRB5_CALLCONV and KRB5_LIB_CALL.
Change-Id: I6d2239f91ab48b9a6b71816b5221807382dc5914
