On Windows if the compiler and C RTL is >= 1400 then the rand_s()
function is available. rand_s() unlike rand() makes use of the
RtlGenRandom() API to produce a random number between 0 and UINT_MAX.
If rand_s() is not available or fails, fallback to rand().
One of the benefits of rand_s() is that no initialization is required
so it will provide random output even if rk_random_init() is not called.
Change-Id: I2768155de744bd49604fc8237728bb205d637f2a
gss_add_cred() with GSS_C_NO_CREDENTIAL as the input_cred_handle should
act like gss_acquire_cred() with desired_mechs containing just the
desired_mech.
This utility, inspired by the old SunOS 4.x intr(8) utility, will be
used to start daemons with --detach and a timeout, like this:
intr -t 5 kdc --detach || { echo failed to start kdc; exit 1 }
This will allow tests to stop having to sleep poll for "started" output
from the daemons they start, allowing them to run faster and to impose a
reasonable timeout on daemon startup.
The default timeout is 3 seconds.
Tests that start daemons have to "wait" for them to start.
This commit makes Heimdal daemons prep to detach (when requested) by
forking early, then having the child signal readiness to the parent when
the child really is ready. The parent exits only which the child is
ready. This means that tests will no longer need to wait for daemons.
However, tests will still need a pidfile or such so they can stop the
daemons.
Note that the --detach options should not be used on OS X from launchd,
only from tests.
Modify the NTMakefile rules for tests so that a failed test does
not prevent subsequent tests from being executed.
Change-Id: I9595ad4a1527feae7c402241bf06ab21a0b76d4a
The library delay loads bcrypt.dll so that it can run on versions of
Windows older than Vista. Remove the compile time checks.
Change-Id: I632b248dcca8b6e40e47011fc11d277e911ff209
The Heimdal kadmind sends bogus keys when the client has 'get'
but not 'get-keys' permission. For some kadmin commands this is
dangerous. For example, ext_keytab could happily write bogus
keys to a keytab when real keys are expected, causing eventual
breakage. Sending bogus keys is important for the kadmin get
command: so it can list the keysets that a principal has.
This patch implements a heuristic detection of kadmin get vs.
ext_keytab, add_enctype, del_enctype, and check commands. If the
client principal lacks 'get-keys' permission, then the server
will fail requests that appear to be from those kadmin commands,
but will continue to serve bogus keys to kadmin get commands.
Thanks to Nico Williams for the idea behind this implementation.
When performing a permission check for a GET operation the
KADM5_PRIV_GET_KEYS privilege should not be assumed to be a pure
superset of KADM5_PRIV_GET. If the "get" permission is denied the
user cannot get an entry with or without key data.
kadmin should not permit a modify that stores invalid keys into the
database. Accepting bad key data into the database will result in
errors when those keys are eventually used.
This change does not address the general case. It does address the
specific case of the kadmin client attempting to store the magic
bogus key since that is trivial to check for and can be unintentionally
returned to kadmind by a 1.6rc2 or prior client. This can happen when
a user has get privilege but lacks the new get-keys privilege.
Change-Id: I44795e6428472b75ab1e4257ce7cb9160f0299f5
If any of the keys returned by kadmin are the magic bogus key
generate a warning to the user that they are missing the git-keys
privilege.
Change-Id: I235b87eeb2f81e8fd8c8481154d613e92a7e11e2
If kadmind returned bogus keys it means that the user lacks the
get-keys permission. Generate a warning and exit.
Change-Id: Ib76dd86b65bd84a00f3e27c245b9cfc0173fff56
If kadmind returned bogus keys it means that the user lacks the
get-keys permission. Generate a warning and exit.
Also use calloc() to allocate the new_key_data.
Change-Id: I21b697e2ff5adf753b1cfe698877b3f593bbea9e
