Permit an explicit version of signtool.exe to be specified via an
environment variable. Now that sha256 signatures are required the version
of signtool.exe that matches the SDK or Visual Studio version might not
be sufficient to apply code signatures.
Change-Id: I694e2b319bd692d6358ae7ce3d241da2da7648f8
Move roken.h to the top of the header after config.h and remove the
includes that are duplicated by roken.h.
Change-Id: I33e29736519177f17c36e5c5948d7022011ab2b2
All source files must start with
include <config.h>
include <roken.h>
when krb5_locl.h or kdc_locl.h are includes, they must come before
other Heimdal include files.
Do not include stdint.h when roken.h is included.
Do not include config.h more than once.
Change-Id: I0baecb5d48317996f48b1a6c41b051f42f2fde61
In verify() if krb5_unparse_name() fails 'sname' will be used
unitialized in the subsequent krb5_warnx() and free() calls.
Change-Id: I5a49bf06879eb5a77cf2d1d3f0d4b9c6549aeff8
Coverity complains about the leakage of 'handle' when the identifier
goes out of scope. Change handle into a static global to hold the
value instead of a stack variable.
Change-Id: I040707ac731558f7d523f128a006a80b98d45b79
The Windows and PKCS#11 backends do this. The Common Crypto (OS X)
backend does not. Ideally this should be a ./configure option, and that
might be the next step, but right now we need this fallback in order to
get tests passing in Travis-CI.
The resolver plugin doesn't have a way to say "and stop here", so the
lookup done in lib/krb5/test_plugin.c can produce more results than used
to be expected, and indeed nowadays it does. The fix is to ensure that
we have the desired results and ignore the others.
This adds a new backend for libhcrypto: the OpenSSL backend.
Now libhcrypto has these backends:
- hcrypto itself (i.e., the algorithms coded in lib/hcrypto)
- Common Crypto (OS X)
- PKCS#11 (specifically for Solaris, but not Solaris-specific)
- Windows CNG (Windows)
- OpenSSL (generic)
The ./configure --with-openssl=... option no longer disables the use of
hcrypto. Instead it enables the use of OpenSSL as a (and the default)
backend in libhcrypto. The libhcrypto framework is now always used.
OpenSSL should no longer be used directly within Heimdal, except in the
OpenSSL hcrypto backend itself, and files where elliptic curve (EC)
crypto is needed.
Because libhcrypto's EC support is incomplete, we can only use OpenSSL
for EC. Currently that means separating all EC-using code so that it
does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has
been moved out of the files it used to be in.
Also, zero return means "success", non-zero means "failure" and the
non-zero value is a system error. That's how it is for the other
platforms' thread primitives.
(The no-threads defaults are still wrong though, as then are macros that
expand into do..while, which can't be used as expressions and don't
"return" values.)
The error string
missing @ or \ in name
must have the backslash double quoted as
missing @ or \\\\ in name
because of how compile_et parses the input and generates its output.
Otherwise, when compiling the generated ntlm_err.c a warning will
be produced because of invalid quoting of a space.
Change-Id: I994d3eb896098914702e418a0ef5cad783d16a5a
In srv_find_realm() the conditional for testing whether an entry
is the invalid gTLD response was inverted. Refactor the conditional
into a helper function is_invalid_tld_srv_target(). Use the helper
to simplify the conditional making it easier to confirm that the
test is correct.
Change-Id: I3220753b5585ac535862c4617030377c7a1f4bbe
