Add libkdc wrappers for heimbase object accessors so plugins can use audit and
request attribute APIs without consuming libheimbase. Exposed API surface is
minimal and is limited to reading array collections, and reading/creating base
and custom types.
Do not leak the object when the intent is to free it.
Introduced by 40d1271094
("asn1: Expand decoration w/ C types")
Change-Id: If8cd502f61d6f9b72118630839525933911c6697
3a7c2c6a7f
("krb5.h: define DOMAIN_X500_COMPRESS macro")
defined DOMAIN_X500_COMPRESS to the wrong name.
Change-Id: I5c60d86b856ce6d3fa94b1fa8d7ffe17b97c8513
ec866e635e
("Windows 10 SDK build fixes") inverted the meaning selecting
Debug versions for NODEBUG and vice versa.
Change-Id: I90771a71cd3efc93ba47076fbf5cd1efb0948f6f
Ah, we can't use context->default_cc_name because that will be taken
from KRB5CCNAME if it's set, and then we'll think whatever that value is
is the default, but we're really looking to special case resolving of
the "%{UID}" KCM cache name. So do that.
Our kcm daemon will resolve default cache names (%{UID}) to the user's
session's default cache name. SSSD's kcm daemon will not.
Therefore we add a heuristic for "if we're resolving what may be the
local configured default KCM cache, and it doesn't exist as such in the
KCM session, then use the KCM session's default cache".
This allows our kinit and klist to work as intended.
krb5_store_string, krb5_store_stringz, krb5_store_stringnl
If the input string is NULL, fail the call with EINVAL.
Do not pass the NULL pointer to strlen().
Change-Id: Id87d72e263dde798f300353ec4c1656b310d17a4
Both MIT and Heimdal are unable to, in krb5_cc_default(), call to KCM
(or CCAPI, or LSA, or...) to get the user's default ccache name in their
collection. Instead, the default ccache name is obtained in a static
way, and for KCM that's "%{UID}". When we krb5_cc_switch(), we simply
maintain a pointer to the name of the ccache that was made the default,
but klist can't make use of this because krb5_cc_default() can't.
The solution here is to first try resolving the ccache name given by the
client, and if that fails but the name happens to be what would be the
library's default KCM ccache name for that user, then try resolving it
through the default ccache name pointer saved at switch time.
Wrap all KCM cc ops that need to call kcm_alloc() so that they pass in
the cc ops pointer that they're associated with so that kcm_alloc() can
use the correct ccache type name if needed.
is_preauth (KFE_IS_PREAUTH is set) might require replying with
PA-ETYPE-INFO[2] which requires use of the long-term keys.
Without this change is_default_salt_p() can be called with 'key'
eq NULL.
Change-Id: I513fa768680225d4501d8b390e349a011666d90c
If mp_ubin_size(s) returns zero then mp_to_ubin() will fail and
not return MP_OKAY. If MP_OKAY is not returned, NULL is returned
to the caller of mpz2BN().
This change avoids the unnecessary memory allocation and function
calls. It also removes a dereference after null warning from
coverity.
Change-Id: I52ff2c166964e41cb4eef1dac637904bf2bf13bf
Use 'sizeof(*w)' to compute the correct size passed to erealloc().
Although sizeof(char **) == sizeof(char *), it is not guaranteed.
Change-Id: I5f66fafe20343d7e736922038d24abcd48bab8bd
190263bb7a
("assert non-NULL ptrs before calling mem funcs") introduced
two wrong size argument warnings. These locations are not
errors since the allocation is simply to ensure that the
data pointer is non-NULL; length is zero.
Change-Id: I7b3b58247799a48da3653008c7b6d7fbbbf83e25
The definitions of memcpy(), memmove(), and memset() state that
the behaviour is undefined if any of the pointer arguments are
NULL, and some compilers are known to make use of this to
optimise away existing NULL checks in the source.
Change-Id: I489bc256e3eac7ff41d91becb0b43aba73dbb3f9
Link: https://www.imperialviolet.org/2016/06/26/nonnull.html
If 'local_realm' is true, must protect against failure
of krb5_get_default_realm() and krb5_principal_set_realm().
Otherwise, the wrong realm might be used.
Change-Id: Ib7a92559da1ac062c71228c5530106a13d836d53
instead of testing both cb_ctx.h and cb_ctx.h->prefix
for non-NULL, ensure that cb_ctx.h is NULL after each
failed for() loop. This also ensures that cb_ctx.h
is never left pointing to an invalid non-NULL value.
Change-Id: I3264577b0fbf1d620b00f87d251e8c43b81e0f29
Assign zero to the output size parameter at the start so that
callers that use the value when an error occurs do not see
garbage that might be misinterpreted.
Change-Id: Iccfcf4f6944b1bf72789c83919901d9b9d6f9153
