Currently the Directional host address type is pretty useless,
since it's only useful in application protocols that a) use
KRB-PRIV/KRB-SAFE messages (so: not GSS-API applications), and b)
state in their specs to use Directional, or otherwise provide for
negotiation of host address types. There are no such protocols
that we care about except -since we control it- iprop. But even
for iprop it'd be better to switch to GSS-API.
This allows for negative lifetimes to be encoded, and fits in better
with our use elsewhere of time_t, which in POSIX is a signed integer
type.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This reduces the check-gssmask runtime from around 7min to 1-2sec on
my laptop.
It is, perhaps, suboptimal to disable Nagle for a program that writes
successive 4-byte units of a protocol message in separate syscalls
rather than a single batch, and might be better to instead disable
delayed acks, but:
(a) there's no portable API for disabling delayed acks, and
(b) this program appears to be used exclusively for testing anyway.
fix https://github.com/heimdal/heimdal/issues/1139
This isn't fully POSIX shell, because POSIX shell still doesn't have
`local' variable declarations, but at least it is reasonably portable
now.
fix https://github.com/heimdal/heimdal/issues/1299
The read() in readall() to read the SOCKS4a request was sometimes
failing with EAGAIN, which it wasn't prepared for, causing the
request to be rejected and the test to fail.
I wrote this code specifically under the assumption the fd would be
in blocking mode, and in the original draft I wrote with stdin/stdout
under socat that was true. But when I adapted this to do its own
bind/listen/accept logic, I broke it, because POSIX leaves it
unspecified whether accept() inherits the O_NONBLOCK setting or not:
https://pubs.opengroup.org/onlinepubs/9799919799/functions/accept4.html
And the traditional BSD semantics is to inherit O_NONBLOCK.
So, just explicitly clear O_NONBLOCK on the fd returned by accept().
All network traffic to KDC goes through the SOCKS4a proxy if it is
configured.
This is deliberately kept simple -- and is not generalized to SOCKS4
or SOCKS5 or other types of proxies -- so it is easy to audit for
network and DNS leaks. (SOCKS4 works in IP addresses, and so invites
DNS leaks. SOCKS5 can be OK, if used judiciously, but takes more
work to implement.)
This only affects krb5_sendto -- the other initiator of network
traffic in libkrb5, krb5_change_password, will be fixed to respect
socks4a_proxy in a subsequent commit.
XXX Need to figure out where the socks4a.c code should go.
fix https://github.com/heimdal/heimdal/issues/1151
