Windows plugins must be loaded from the same directory as the
heimdal.dll in order to ensure that "DLL Hell" is not revisited.
Since plugins cannot be grouped in a directory by "module" name
the plugins must have a name of the form:
plugin_<module>_<name>.dll
Construct the "plugin_<module>_" prefix string dynamically and
test for both the prefix and the ".dll" extension when building
the list of plugins to load.
Change-Id: I0ff7bf7287f8fb38061c226f0844d7d0f1fb59ec
rename callback() to cc_plugin_register_to_context() and document
its purpose.
The parameter that is the cc_ops structure is 'plugctx' not 'plug'.
This is critical because 'plug' is the common_plugin_model structure
and casting the wrong object leads to random behavior including
crashes.
The test to exit without action was reversed.
With these changes ccache plugins can be registered on each
krb5_init_context() operation.
Change-Id: I295ea91759f69b36ac13b1bfff87306d40df4a26
Windows treats '\\' and '/' equivalently but we cannot control
the form that will be used by end users. Introduce ISPATHSEP()
macro which tests only for '/' on UNIX and both on Windows.
Introduce ISTILDE() macro to test for '~'. When testing for
'/' with strchr() or strrchr() add conditional checks for '\\' on
Windows.
Change-Id: Ia85e698fc88f15a6a71db649db5417f02ef7e5fe
st_dev and st_ino are not set in a consistent fashion by stat()
and fstat() so disable the symlink test.
disable the open group/other readable test because st_mode
cannot be used to perform such a test on Windows.
Change-Id: I1b68c672f882018def7e6d40d4bc7f7add58df36
Do not look for plugin DLLs in either
$ORIGIN/../lib/plugin/krb5
$ORIGIN/../lib
Only look for plugin DLLs in $ORIGIN
Change-Id: I432cd81720b172e7451601b56ea7bba3c03d7d47
Execute tests that were built on Windows but previously skipped.
Remove the duplicate build rules for test-rfc3961.exe.
Change-Id: Icc84c07a33afbdc6ffa509222a3c81de35168eaf
Normally one would dlopen() a shared object's basename, not its absolute
path. However, lib/krb5/plugin.c, in an effort to be zero-conf-ish,
wants to readdir() to find plugins to load, and in the process it ends
up defeating the RTLD's search-the-caller's-rpath.
This commit partially addresses this by allowing the use of $ORIGIN in
plugin_dir values and using them for the default (except on OS X).
This allows multiple Heimdal versions installed on the same host, but
with different plugin ABIs, to co-exist. A step forward for doing make
check on hosts where Heimdal is installed.
For now we hardcode $ORIGIN/../lib/plugin/krb5 (linux, Solaris, *BSD),
or $ORIGIN (Windows; for assemblies objects need to be in the same
directory) and we eval $ORIGIN by using dladdr() (Linux, Solaris) or
GetModuleHandleEx() (Win32, via a dladdr() wrapper in libroken) to find
the path to libkrb5 whose dirname to use as $ORIGIN. For Windows,
because we need the plugins to be in the same directory as libkrb5, we
require a prefix on plugin DLLs ("plugin_krb5_") to distinguish them
from other objects.
We should add a special token to mean "look in $ORIGIN, sure, but
dlopen() the plugin basenames only (so the RTLD can search the rpath)".
- use O_NOFOLLOW
- be more strict not to follow symlinks
- require cache files to be owned by the user
- have sane permissions (not group/other readable)
As kerberos(8) provides a brief outline of this network authentication
system I would suggest extending SEE ALSO to include a few section 8
commands. I have excluded kadmind(8) and kpasswdd(8) as these servers
can be easily reachable from kadmin(8) and kpasswd(8) manual pages
respectively.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
There is no fchmod() implementation on Windows. For now prevent its
use on Windows with #ifndef _WIN32 but in the future set_default_cache()
should be updated to set ownership permissions for the cache file.
Change-Id: I57214dfecbd25d7b337a568fa5e522c0a22dbb76
If the registry type is NONE and the string is all numeric or
if the type is DWORD, the string is converted to a DWORD and then
stored into the registry as a REG_DWORD using RegSetValueEx().
The input parameter should be a pointer to the DWORD variable not
its value.
Change-Id: I9ff12121c6c17eb5afb2ea89adf8bb9cc6aa3a89
- KRB5_PRINCIPAL_PARSE_IGNORE_REALM: MIT compatible
- KRB5_PRINCIPAL_PARSE_NO_DEF_REALM: Don't default the realm
The first ignores the realm if present.
The second does not impute the default realm if no realm is given and
leaves the realm NULL. This will be used in kinit to determine whether
the user provided a realm or not, and if not we may use the user_realm,
or find the realm via the keytab.
Set the realm argument to NULL to get the usual default realm.
The krb5_parse_name_flags() function is now a wrapper around
krb5_parse_name_flags_realm().
