On Windows a file descriptor is an int value allocated by the
local module instance of the C Run Time Library. A socket handle is a
SOCKET value allocated by a Winsock Provider for the requested family and
protocol. These two values cannot be mixed and there is no mechanism for
converting between the two. The _get_osfhandle() and _open_osfhandle()
functions can work with a standard HANDLE (file, pipe, etc) but cannot be
used for a SOCKET.
The Heimdal krb5_storage_from_fd() routine counted on the osf conversion
functions working on SOCKET values. Since they do not any attempt to call
krb5_storage_from_fd() on a socket resulted in an assertion being thrown
by the C RTL.
Another problem is SOCKET value truncation when storing a 64-bit value
into a 32-bit int.
To address these problems a new krb5_storage_from_socket() routine is
introduced. This routine setups a krb5_storage that stores a socket value
as a rk_socket_t and provides a set of helper routines that always use
network ready functions.
The krb5_storage_from_fd() routines no longer use net_read() and
net_write() but provide helpers that follow their logic so that pipes can
be processed.
All call sites that allocate a socket now store the socket as rk_socket_t
and call krb5_storage_from_socket().
All locations that previously called the bare close() on a socket value
now call rk_closesocket().
Change-Id: I045f775b2a5dbf5cf803751409490bc27fffe597
Set the realm argument to NULL to get the usual default realm.
The krb5_parse_name_flags() function is now a wrapper around
krb5_parse_name_flags_realm().
Also, we were stopping as soon as one registered plugin returned
something other than KRB5_PLUGIN_NO_HANDLE, but we weren't doing the
same for discovered plugins. Add KRB5_PLUGIN_INVOKE_ALL flag to deal
with this; by default we'll stop at the first plugin that returns
anything other than KRB5_PLUGIN_NO_HANDLE.
Other buglets fixed as in c1423a8.
The lib/krb5 export lists contained the following functions
that are no longer in the tree:
krb5_425_conv_principal
krb5_425_conv_principal_ext2
krb5_425_conv_principal_ext
krb5_524_conv_principal
_krb5_krb_tf_setup
_krb5_krb_dest_tkt
_krb5_krb_life_to_time
_krb5_krb_decomp_ticket
_krb5_krb_create_ticket
_krb5_krb_create_ciph
_krb5_krb_create_auth_reply
_krb5_krb_rd_req
_krb5_krb_free_auth_data
_krb5_krb_time_to_life
_krb5_krb_cr_err_reply
Change-Id: I1f73768de2f7e9243e4e7a623b54af282ec54641
synchronize the export lists on Windows and UNIX.
When new functions are exported on UNIX or Windows,
the "test" build target on Windows will verify if
the export lists are in sync.
Change-Id: I9df3607983b03ee8dc6fa7cd22f85b07a6cee784
We add a function to cause krb5_storage's to be sync'd to their backing
store. For memory backed storages, this is a NOP. For files, it calls
fsync on the file descriptor.
Support for manipulating srvtabs was previously removed, but there
were still remnants in command documentation in the ktutil man page
and some declared and exported variables for the keytab ops
definitions for srvtab manipulation. Remove these additional
remnants.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Add krb5_allow_weak_crypto parallel to the API introduced in MIT
Kerberos 1.8. Enables or disables all enctypes marked as weak.
Add a new enctype flag marking weak enctypes (all of the ones that
are disabled by default).
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
krb5_principal_get_num_comp was prototyped as a public function but
not exported from libkrb5. Add it to the export version map.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Works for krb5 and SPNEGO mechanisms. Kerberos credentials are passed as
credential cache names, or if there are memory based credentials, inband in the protocol. This means that the credentials buffers must be keep secret.
As documented by IBM (they have the wrong prototype though)
and GGF (GSS-API Extensions) back in 2001
