- Fix markup
- Specific quoted command line for Visual Studio
build
- Caveat about line ending for gawk
- Add comments about python versions
- makeinfo.exe is no longer available from cygwin
- Add some words about APPVER setting
Without the change the build fails as:
CC hdb-ldap.lo
hdb-ldap.c:2109:5: warning: initialization of 'unsigned char:1' from 'krb5_error_code (*)(struct krb5_context_data *, void **)' {aka 'int (*)(struct krb5_context_data *, void **)'} makes integer from pointer without a cast [-Wint-conversion]
2109 | init,
| ^~~~
hdb-ldap.c:2109:5: note: (near initialization for 'hdb_ldapi_interface.is_file_based')
hdb-ldap.c:2109:5: error: initializer element is not computable at load time
hdb-ldap.c:2109:5: note: (near initialization for 'hdb_ldapi_interface.is_file_based')
hdb-ldap.c:2110:5: warning: initialization of 'unsigned char:1' from 'void (*)(void *)' makes integer from pointer without a cast [-Wint-conversion]
2110 | fini,
| ^~~~
hdb-ldap.c:2110:5: note: (near initialization for 'hdb_ldapi_interface.can_taste')
hdb-ldap.c:2110:5: error: initializer element is not computable at load time
hdb-ldap.c:2110:5: note: (near initialization for 'hdb_ldapi_interface.can_taste')
hdb-ldap.c:2111:5: warning: initialization of 'krb5_error_code (*)(struct krb5_context_data *, void **)' {aka 'int (*)(struct krb5_context_data *, void **)'} from incompatible pointer type 'char *' [-Wincompatible-pointer-types]
2111 | "ldapi",
| ^~~~~~~
hdb-ldap.c:2111:5: note: (near initialization for 'hdb_ldapi_interface.init')
hdb-ldap.c:2112:5: warning: initialization of 'void (*)(void *)' from incompatible pointer type 'krb5_error_code (*)(struct krb5_context_data *, HDB **, const char *)' {aka 'int (*)(struct krb5_context_data *, HDB **, const char *)'} [-Wincompatible-pointer-types]
2112 | hdb_ldapi_create
| ^~~~~~~~~~~~~~~~
hdb-ldap.c:2112:5: note: (near initialization for 'hdb_ldapi_interface.fini')
hdb-ldap.c:2113:1: warning: missing initializer for field 'prefix' of 'struct hdb_method' [-Wmissing-field-initializers]
2113 | };
| ^
Started failing when commit 93ada1fbf ("hdb: Remove default HDB backend
footgun") added extra fields to 'struct hdb_method'.
The 'bits' parameter to select_dh_group() is the minimum acceptable
bit size. Rename 'bits' to 'min_bits' and fix the comparision
with krb5_dh_moduli.bits to ensure that DH groups whose bit size
is the minimum acceptable are not excluded.
Fixes#1002
Reported-By: Julien Rische (GitHub: jrisc)
Heimdal supports the 2 mandatory MODP groups (group 2 and group 14)
according to RFC4556, however group 14 is defined with a size of
1760 bits instead of 2048.
Fixes#1001
Reported-by: Julien Rische (GitHub: jrisc)
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
CC test_common.o
In file included from test_common.c:34:
krb5/gsskrb5_locl.h:42:10: fatal error: gkrb5_err.h: No such file or directory
42 | #include <gkrb5_err.h>
| ^~~~~~~~~~~~~
compilation terminated.
make[3]: *** [Makefile:2347: test_common.o] Error 1 shuffle=1656680590
The change moves gkrb5_err.h and friends to BUILT_SOURCES
to guarantee their presence when main build starts.
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
Making all in doc
make[1]: Entering directory '/build/heimdal/doc'
MAKEINFO hx509.info
hx509.texi:15: @include: could not find vars.texi
hx509.texi:31: warning: undefined flag: PACKAGE_VERSION
hx509.texi:186: warning: undefined flag: PACKAGE_VERSION
make[1]: *** [Makefile:622: hx509.info] Error 1 shuffle=1656683556
The change moves vars.texi to BUILT_SOURCES to guarantee it's
presence when .info files start the build.
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
make[2]: Leaving directory '/build/heimdal/lib/gss_preauth'
Making all in hdb
make[2]: Entering directory '/build/heimdal/lib/hdb'
../../lib/asn1/asn1_compile --option-file=./hdb.opt ./hdb.asn1 hdb_asn1
for genfile in 'asn1_Event.c asn1_GENERATION.c asn1_HDB_EncTypeList.c asn1_HDB_Ext_Aliases.c asn1_HDB_Ext_Constrained_delegation_acl.c asn1_HDB_Ext_KeyRotation.c asn1_HDB_Ext_KeySet.c asn1_HDB_Ext_Lan_Manager_OWF.c asn1_HDB_Ext_Password.c asn1_HDB_Ext_PKINIT_acl.c asn1_HDB_Ext_PKINIT_cert.c asn1_HDB_Ext_PKINIT_hash.c asn1_HDB_EntryOrAlias.c asn1_HDB_entry_alias.c asn1_HDB_entry.c asn1_HDB_extension.c asn1_HDB_extensions.c asn1_HDB_keyset.c asn1_HDBFlags.c asn1_Key.c asn1_KeyRotation.c asn1_KeyRotationFlags.c asn1_Keys.c asn1_Salt.c'; do \
true -style='{BasedOnStyle: Mozilla, AlwaysBreakAfterReturnType: TopLevelDefinitions, IndentWidth: 4, SortIncludes: false}' -i ${genfile}; \
done
../../lib/com_err/compile_et hdb_err.et
make all-am
make[3]: Entering directory '/build/heimdal/lib/hdb'
CC hdb-ldap.lo
In file included from hdb_locl.h:67,
from hdb-ldap.c:36:
./hdb.h:337:10: fatal error: hdb-protos.h: No such file or directory
337 | #include <hdb-protos.h>
| ^~~~~~~~~~~~~~
compilation terminated.
The change moves hdb-protos.ha and hdb-private.h to BUILT_SOURCES
to guarantee their presence when main build starts.
The variable 'ret' is set but not used. As the value is ignored
remove it. Restructure the initialization of 'replyinCnt', 'replyout',
and 'replyoutCnt' such that a failure of vm_read() results in a
properly initialized reply structure.
get_null() can fail for two reasons. There can be a memory allocation
issue or the hints->ai_family could be unsupported. This change
informs the caller of the error state instead of returning success
with an invalid struct addrinfo output parameter.
Fixes#1007
Reported-by: opless
Apple clang version 14.0.0 (clang-1400.0.17.3.1) fails the build
because stds.h defines `fallthrough` as a macro which is then
expanded when base.h evaluates
# if __has_attribute(fallthrough) && __clang_major__ >= 5
The macOS SDK defines `DISPATCH_FALLTHROUGH` as the macro instead
of `fallthrough`.
This change replaces the use of `fallthrough` in the tree with
`HEIM_FALLTHROUGH` and updates the declaration in configure logic
to define `HEIM_FALLTHROUGH` based upon existing definitions
(if any) of `fallthrough` or `DISPATCH_FALLTHROUGH`.
We meant to clear only the UF_SMARTCARD_REQUIRED bit, but we were
instead clearing all bits excepting it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
If the AP len is large enough, we might end up computing an address
beyond the end of the 'reply' array, which is undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This commit makes the hxtool ca sub-command, when invoked with
--generate-key=TYPE and --certificate-private-key=STORE, write the
private key only to the given --certificate-private-key store and not
also the --certificate=STORE.
Before this commit, invoking the hxtool ca sub-command with both,
--generate-key=TYPE and --certificate-private-key=STORE, caused the
--generate-key option to be ignored and the private key to be read from
the given store and copied to the --certificate=STORE. That was clearly
a bug and non-sensical.
Add support for configuring the attributes of new principals created via
httpkadmind. This can be done via virtual host-based service
namespaces, which will provide default attributes even if disabled (but
the created principals will not be disabled, naturally), or via
krb5.conf.
We derive keysets for virtual host-based service principals, and that
includes the `set_time` field of keys. But applications using the kadm5
API lose that information. Our httpkadmind wants to set a Cache-Control
header with an appropriate max-age so that clients know when to re-fetch
keytabs.
We could extract some of the lib/hdb/common.c functions so that
httpkadmind could re-create an HDB_entry from a kadm5 entry then compute
the desired time, but ultimately we already have an appropriate field in
the HDB_entry and kadm5_principal_ent_rec types: "password expiration".
So let's set the `pw_end` of a virtual host-based service's HDB entry to
the time when a client should next fetch the principal's keys, and we'll
use that in httpkadmind as the `pw_expiration` field of the kadm5 entry
type.
If a virtual host-based service namespace is disabled, then the virtual
services below it cease existing.
This will be useful in a later commit where we'll use virtual host-based
service namespace for providing default attributes for new concrete
host-based service principals created via httpkadmind, whether the
namespace be enabled or disabled.
Add --no-automatic-renewal option to disable automatic TGT renewal.
Renewal can also be disabled by setting automatic_renewal to false
in the [kcm] section of krb5.conf.
Test that we can still do other things after `kadmin list` to make sure
we're not leaving -after listing- the connection in a state where other
operations can't work.
Also, no more sleeps at all in the test.
Now that we use krb5_copy_context() via kadm5_c_dup_context(), we see
occasional skew errors in the tests because context->max_skew was not
being initialized, so it was set to 0s of skew, and krb5_rd_priv() or
others could fail.
Texinfo in the GitHub OS X runners must be ancient. Even Texinfo 5.1
can handle UTF-8.
```
MAKEINFO /Users/runner/work/heimdal/heimdal/doc/heimdal.info
/Users/runner/work/heimdal/heimdal/doc/hx509.texi:11: warning: unrecognized encoding name `UTF-8'.
/Users/runner/work/heimdal/heimdal/doc/heimdal.texi:12: warning: unrecognized encoding name `UTF-8'.
/Users/runner/work/heimdal/heimdal/doc//setup.texi:380: Next field of node `Using soft aliases for configuring referrals' not pointed to (perhaps incorrect sectioning?).
/Users/runner/work/heimdal/heimdal/doc//setup.texi:404: This node (Checking the setup) has the bad Prev.
/Users/runner/work/heimdal/heimdal/doc//setup.texi:350: Prev field of node `Using hard aliases for realm migration' not pointed to.
/Users/runner/work/heimdal/heimdal/doc//setup.texi:310: This node (Using namespaces and synthetic principals to keep the database small) has the bad Next.
makeinfo: Removing output file `/Users/runner/work/heimdal/heimdal/doc/heimdal.info' due to errors; use --force to preserve.
make[1]: *** [/Users/runner/work/heimdal/heimdal/doc/heimdal.info] Error 1
```
Any callback of kadm5_iter_principals() that wants to call other kadm5
functions (such as kadm5_get_principal()) needs to do so on a different
kadm5 handle than the one used for kadm5_iter_principals().
0878a568f9 fixed a warning from Texinfo 6.7:
doc/whatis.texi:33: warning: redefining Texinfo language command: @sub
but the fix makes the doc build fail w/ Texinfo 5.1.
There may still be other problems when using Texinfo 5.1.
One user had an entry with duplicate aliases. This happened with an
earlier version of Heimdal.
This commit does not remove the duplicates, but it does tolerate them.
This is an attempt to make sure we test realm migration aliases by doing
kinit w/ a hard alias name in a different realm, and that we can get
service tickets for services in the same and other realms some of which
are hard aliases in one direction, and some in the other.
The online LIST interrupt message is a NOP, but it's expected to not
have a reply (the server doesn't send one if it receives it before the
LIST finishes).
However, if the interrupt message arrives after the LIST finished, then
it does get a reply, and this causes the client to get out of step with
the server.
Fixes include:
1) flavor the interrupt NOP to make sure it never gets a reply,
2) introduce a new kadm_list_interrtupt message that is like a NOP that
produces no reply
3) always consume -after the LIST ends- a reply to any list interrupt
NOP on the client side.
This implements (1).
