Commit Graph

17435 Commits

Author SHA1 Message Date
Viktor Dukhovni
10f3ab0f2a Never store TGT "aliases"
When obtaining a remote TGT krbtgt/REALM2@REALM2, an intermediate
cross-realm TGT obtained for krbtgt/REALM2@REALM1 is not equivalent
to the TGT we seek, and must not be stored under its name.
2017-04-13 18:11:52 -05:00
Viktor Dukhovni
f468c2fed1 Use actual Ticket to construct AP-REQ
When the cred passed krb5_build_ap_req() has a different name for the actual
ticket (e.g., because the entry came from a ccache with an alias name as the
entry name) then we were putting a Ticket on the wire with the name from the
cred rather than from the Ticket in the cred.  We don't think this is intended
or desirable.  The server should see the Ticket _exactly_ as minted by the KDC.

Perhaps AP-REQ should have used an OCTET STRING to contain the Ticket given that
Ticket is a PDU, which would make a byte-for-byte copy trivial, but as it is it
uses Ticket instead.  Therefore this commit has it decode the Ticket from the
cred and then C struct assign that value to the AP-REP's ticket field -- this
then copies the Ticket as exactly as vended.
2017-04-13 18:11:52 -05:00
Nicolas Williams
f867a12aa9 Test rk_get*auxval() 2017-03-31 18:56:04 -05:00
Nicolas Williams
707b2372d2 Further improvements to issuid() 2017-03-31 18:56:04 -05:00
Viktor Dukhovni
26a0332e3c Update SQLite to 3.17.0 2017-03-19 18:55:51 -04:00
Jeffrey Altman
23ee804e9d lib/krb5: krb5_config_parse_file_multi use after free
If the file is not a regular file, the 'fname' buffer will be freed
before it is passed to the krb5_set_error_message() routine.  That
this is true is not obvious from code inspection but 'newfname'
and 'fname' refer to the same memory.

Change-Id: I7780eae9ceaf01b245df488a2f7d7f406770864f
2017-03-18 15:22:33 -04:00
Nicolas Williams
d8a112ae1a Fix lib/hdb make race 2017-03-17 13:20:06 -05:00
Viktor Dukhovni
aad3b229ae Fix off by 1 write. 2017-03-17 11:51:30 -04:00
Viktor Dukhovni
14135e90aa Add rationale comments for conditional yyparse redefinition 2017-03-15 19:15:57 -04:00
Nicolas Williams
3cec979cc4 Don't #define yyparse when using bison/flex
Originally by Christos Zoulas.
2017-03-13 18:39:41 -04:00
Nicolas Williams
352ff15477 Use labs(rand()) instead of abs(rand()) in tommath
Originally by Christos Zoulas.
2017-03-13 18:39:41 -04:00
Nicolas Williams
369945f5bc kadm5 ad backend wrong size memset
Originally by Christos Zoulas.
2017-03-13 18:39:41 -04:00
Nicolas Williams
c9e5da9d2b NTLM memleak
Originally by Christos Zoulas.
2017-03-13 18:39:41 -04:00
Nicolas Williams
9609397874 Misc 64-bit time support (debug message)
Originally by Christos Zoulas.  Originally used %jd and casts to
intmax_t, however, we can't use those on Windows yet.
2017-03-13 18:39:41 -04:00
Nicolas Williams
4c64231430 Misc last newline fixes
Originally by Christos Zoulas.
2017-03-13 18:39:41 -04:00
Nicolas Williams
8e5e8aacbc Misc fixes to man pages
Originally by Christos Zoulas.
2017-03-13 18:39:41 -04:00
Nicolas Williams
6a0f45c4d7 Use __attribute__ ((__name__)) form
Protect against macros named noreturn and so on.
2017-03-13 18:39:41 -04:00
Nicolas Williams
0259f1c449 Fix CR comments on include/includedir 2017-03-10 17:33:12 -05:00
Quanah Gibson-Mount
7c16ce3457 Minor typo/grammar fixes 2017-03-10 15:47:43 -05:00
Roland C. Dowdeswell
a39bd42576 Remove #if 0'd code.
This is a slightly different fix than that proposed in Pull Request #151.
2017-03-09 14:12:39 -05:00
David Mulder
3f36b4ad68 On hpux, pthread_cond_t is undefined when pthread is disabled 2017-03-09 14:11:19 -05:00
Nicolas Williams
fe43be8558 Add include/includedir directives for krb5.conf 2017-02-27 18:15:59 -06:00
Jeffrey Altman
5360a6dee6 hdb: export hdb_generate_key_set_password_with_ks_tuple
Must export hdb_generate_key_set_password_with_ks_tuple() on Windows
which was introduced in 4303174a49.

Change-Id: Iea2993a17aba44c7cb0360716138c26239254e05
2017-02-16 13:14:50 -05:00
Roland C. Dowdeswell
4303174a49 Fix signature of hdb_generate_key_set_password()
The change to the signature of hdb_generate_key_set_password() in
Heimdal 7.1 broke API/ABI compatibility with previous releases.  We
fix this by renaming it hdb_generate_key_set_password_with_ks_tuple()
and creating a new hdb_generate_key_set_password() which calls our
new function with zeroes for the added arguments.

Issue #246      https://github.com/heimdal/heimdal/issues/246
2017-01-29 19:40:59 -05:00
Jeffrey Altman
ec39b832ff kdc: fix kx509 service principal match
Each KDC is a kx509 server.  The service principal must be of the
form

  kca_service/<localhost.domain>@<DEFAULT_REALM>

where localhost.domain is the hostname returned by gethostname()
and <DEFAULT_REALM> is one of the realms for which the KDC has a service
principal "kca_service/<localhost.domain>".

The matching code was broken by a5e77c578e
when krb5_sname_to_principal() began to always return a referral
principal.

Since the second component is a host name update the default principal
type for service "kca_service" to be KRB5_NT_SRV_HST.

Change-Id: I6bd5f90b674ebb7220d8efafa6d339fdc21e1a07
2017-01-27 00:37:08 -05:00
Nicolas Williams
656e4c4f42 iprop: handle case where master sends nothing new 2017-01-25 18:50:03 -06:00
Nicolas Williams
ed46a9b2a6 ipropd-slave: incorrect errors 2017-01-25 13:42:18 -06:00
Jeffrey Altman
c7129a9562 roken: pidfile -> rk_pidfile
Commit 7dc4481ed2 which changed from
pidfile -> rk_pidfile was incomplete.  Must handle the NO_PIDFILE case.

Change-Id: Ifc0b135e1fa7abdf4e370ad4b8fe2eb1305760f5
2017-01-20 17:54:12 -05:00
Jeffrey Altman
5d4a8a04f5 Merge pull request #238 from jelmer/x32
Do not detect x32 as 64-bit platform.
2017-01-09 15:04:20 -05:00
Thorsten Glaser
005c8886d7 Do not detect x32 as 64-bit platform.
Fixes test failures due to ISO C Undefined Behaviour in MP_MASK macro.
2017-01-09 19:57:40 +00:00
Viktor Dukhovni
3e509d7806 No sys/ttydefaults.h on CYGWIN
Issue: #236
Reported by: Allan Dynes <vseven@yahoo.com>
2017-01-03 14:52:24 -05:00
Nicolas Williams
d237e8e4d9 Fix check-iprop races 2016-12-22 09:40:14 -06:00
Viktor Dukhovni
f1bc9f2ff9 Avoid pidfile() missing prototype warnings 2016-12-19 20:55:08 -05:00
Viktor Dukhovni
24206682d7 Move external libdeps after our own
If some external library lives in a directory in which Heimdal is
already installed, we may pick up LD_LIBRARY_PATH Heimdal objects
from a different release.  Move the external deps to the end, to
ensure a more appropriate LD_LIBRARY_PATH.
2016-12-19 19:39:22 -05:00
Viktor Dukhovni
7dc4481ed2 Avoid interposing pidfile(), use rk_pidfile() instead 2016-12-19 19:10:49 -05:00
Antoine Jacoutot
586e5f6d9d Fix build with LibreSSL. 2016-12-17 23:04:41 -05:00
Nicolas Williams
63f22421c8 Fix lib/roken can't find pidfile() (#230) 2016-12-16 12:05:51 -06:00
Nicolas Williams
4a9d1782de More missing dist files 2016-12-15 12:40:23 -06:00
Nicolas Williams
3f88aae56c Finish removal of lib/45 2016-12-15 12:23:09 -06:00
Nicolas Williams
995c8279b1 One more missing file 2016-12-15 12:21:17 -06:00
Nicolas Williams
3e65dfbc32 Fix make dist missing files (#228) 2016-12-15 12:15:56 -06:00
Viktor Dukhovni
3657f23a9e Fix more doxygen bitrot 2016-12-15 04:28:21 -05:00
Nicolas Williams
2ebec2e4ec Fix some Doxygen warnings 2016-12-14 22:05:46 -06:00
Viktor Dukhovni
a1c505309c More extensive SRV order tests
Based largely on initial version by Nico.
2016-12-12 19:42:11 -05:00
Viktor Dukhovni
32f8564296 Fix incorrect scaling of weight 0 SRV records
Loosely based on patch by Nico.
2016-12-12 17:51:13 -05:00
Nicolas Williams
a7f8732d79 Fix #182, add -lpthread to libheimbase as needed
We should really check whether pthread_once() is in libc so that then we
don't have to add an unnecessary dependency on -lpthread.

Also, we have a proper once implementation that we could use when we
don't have pthread_once(), so we should fallback on that if we detect
that we have neither pthread_once() in libc and --disable-pthread is
given.
2016-12-08 18:44:41 -06:00
Nicolas Williams
87b234e154 roken_detach_prep() close pipe 2016-12-06 22:44:23 -06:00
Nicolas Williams
d609264a00 Only rm pidfile if PID matches 2016-12-06 22:44:23 -06:00
Nicolas Williams
a6e8ff2ae5 pidfile(): write newline too 2016-12-06 22:44:23 -06:00
Nicolas Williams
12eb54d03f rk_pidfile() should call pidfile() if HAVE_PIDFILE
This is necessary so we can use --detach in tests even on NetBSD and
OpenBSD.
2016-12-06 22:44:23 -06:00