We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking. Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.
commit 4d48b172ab ("add pkinit
configration for btmm") introduced automatic configuration of
the 'pkinit_kdc_identity' and 'pkinit_kdc_friendly_name' on macOS
but also modified the default for the 'enable_pkinit' setting
such that pkinit is enabled on all __APPLE__ platforms overriding
the [kdc] enable-pkinit setting obtained from the configuration.
This change modifies the enable-pkinit behavior on __APPLE__ platforms
to match those on every other platform. __APPLE__ platforms will
continue to auto-configure the [kdc] pkinit_identity and
[kdc] pkinit_anchors if they are not specified in the configuration.
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.
Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
The call to free_KDCDHKeyInfo(), further down, could have caused heap
corruption.
Found by Coverity (Samba CID 1544611).
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Nowadays we use PACs instead of AD-SIGNEDPATH, so we want a PAC on every
TGT, but we don't necessarily want PACs on cross-realm TGTs.
Specifically, we don't interop well yet with AD when issuing cross-realm
TGTs with AD realms as the destination realm (see #1091).
‘r->error_code’ might have been set earlier, and we don’t want to
overwrite it with a successful error code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
If ‘r->error_code’ was zero, we would turn it into an ERR_GENERIC error
and return that to the client. Now we return the actual error code
instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
There are a few reasons that this function could fail (e.g., failure to
allocate memory) besides random number generation being unavailable. No
other caller abort()s on failure like this.
Furthermore, krb5_generate_random_block(), which is called by
krb5_generate_random_keyblock(), already aborts if random generation
fails.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Excluded: libtomath and libedit files, most of which appear to be
testing or example code not involved in production, and which are
derived from an upstream that should perhaps have patches submitted
upstream instead.
fix https://github.com/heimdal/heimdal/issues/1111
