krb5_kt_get_entry() allows a NULL principal to be given ("match all").
The get method of the HDB-as-keytab keytab did not know this, and could
dereference a NULL as a result.
This is needed so that it can be optional for path token expansion,
which has to have the context be optional for ccapi (lib/krb5/acache.c),
which in some cases calls path token expansion functions w/ a NULL
context.
Let the KRB5_SENDTO_DONE and KRB5_SENDTO_FAILED action states be
handled by the provided switch blocks. This ensures that the
'ret' value is set appropriately before exiting the loop.
Change-Id: I56f4cea83efd86203a9a7a36cf48c80f632cf779
warning: 'mp_read_unsigned_bin' is deprecated
(declared at ./libtommath/tommath.h:732): replaced by mp_from_ubin
[-Wdeprecated-declarations]
warning: 'mp_unsigned_bin_size' is deprecated
(declared at ./libtommath/tommath.h:731): replaced by mp_ubin_size
[-Wdeprecated-declarations]
warning: 'mp_to_unsigned_bin' is deprecated
(declared at ./libtommath/tommath.h:733): replaced by mp_to_ubin
[-Wdeprecated-declarations]
warning: 'mp_unsigned_bin_size' is deprecated
(declared at ./libtommath/tommath.h:731): replaced by mp_ubin_size
[-Wdeprecated-declarations]
warning: ignoring return value of 'mp_init_multi',
declared with attribute warn_unused_result [-Wunused-result]
warning: ignoring return value of 'mp_to_unsigned_bin',
declared with attribute warn_unused_result [-Wunused-result]
warning: ignoring return value of 'mp_read_unsigned_bin',
declared with attribute warn_unused_result [-Wunused-result]
Change-Id: I510fd7a57c9cd52b59086a85d13aa6204ebb9fd9
Refactor the call to verify_common() to pass the krb5_cred by
pointer to and call krb5_free_cred_contents() in
verify_user_opt_int() instead of verify_common().
Calling strerror() with a negative value is an error.
Besides fixing that, we streamline hx509_get_error_string(), making it much
simpler and easier to read.
First, we enlarge Member's val field to int64_t.
Then we warn about skipping 2int, int2, and parse units glue for such
things with too-large members.
And we error out when generating the template for such things with
>UINT32_MAX members.
What about too-negative members? That could be a thing for INTEGER /
ENUMERATED. We'll look at that later.
We sometimes use this idiom where we ignore the result of some function
such as krb5_unparse_name() and then we log something and we use the
ternary operator to handle any error from that function by substituting
a string like "<unknown>" or "<out-of-memory>". This yields some static
analyzer complaints. Maybe casting the function's result to void will
help.
