| Commit message (Collapse) | Author | Age |
| |
The start of proper session key management in libzephyr. A new Z_AuthProc is
added which appends the key into a queue. ZSubscribeTo and
ZSubscribeToSansDefaults are modified to use it. For now, it's extremely simple
and makes no attempt to expire old keys.
| |
Explicitly takes a krb5_creds as input.
| |
If we have no Kerberos credentials, we cannot create a checksum.
This can happen if, for example, we end up with an expired TGT.
In this case, instead of crashing, just leave the zero checksum.
This fixes #80
| |
Eliminate compiler warnings due to various issues (listed below). This
allows Zephyr to build cleanly under GCC versions ranging from 4.1.0 to
4.7.2 with all of the options shown below:

    -g -O2 -Wall -Werror
    -Wno-deprecated-declarations
    -Wmissing-declarations
    -Wpointer-arith
    -Wstrict-prototypes
    -Wshadow
    -Wextra
    -Wno-missing-field-initializers
    -Wno-unused-parameter
    and, on recent versions, -Wunreachable-code

Test builds were done
- On Ubuntu 12.10 (Quantal Quetzal) using both MIT Kerberos 1.10.1 and
  Heimdal 1.6, without krb4 and both with and without C-Ares and Hesiod
- On Fedora 14 using Heimdal 0.6, without C-Ares or Hesiod and both
  with and without krb4 (KTH Kerberos 1.3rc2)
- On Fedora Core 3, Fedora Core 5, Fedora 7, and Fedora 10, using
  Heimdal 0.6 and without C-Ares, Hesiod, or krb4

It also allows clean builds on Solaris 10 under the Sun Studio 12 (9/07)
C compiler with the following options:

    -g -fd -v -errfmt -errhdr=%user -errtags=yes -errwarn=%all
    -erroff=E_OLD_STYLE_FUNC_DECL,E_ENUM_TYPE_MISMATCH_ARG,E_ARG_INCOMPATIBLE_WITH_ARG

... and under Solaris 9 with the Sun Forte 7 (3/02) C compiler with the above
options and -erroff=E_FUNC_HAS_NO_RETURN_STMT. Solaris builds were done
with Heimdal 0.6 and without C-Ares, Hesiod, or krb4.

The following types of issues are addressed in this change:
- Parameters and local variables with the same names as library functions
- Parameters and local variables with the same names as globals
- Declarations for exported global variables missing from headers
- Prototypes for exported functions missing from headers
- Missing 'static' on functions that shouldn't be exported
- Old-style function declarations
- Duplicate declarations
- Type mismatches
- Unused variables and functions
- Uninitialized variables
- Forward references to enums
- Necessary header files not included
- Violations of the aliasing rules, where GCC was able to detect them
- Missing braces on if blocks that might be empty
- Attempts to do pointer arithmetic on pointers of type void *, which
  is not permitted in standard C.
- An attempt to pass a function pointer via a void * parameter, which is
  not permitted in standard C. Instead, we now pass a pointer to a
  structure, which then contains the required function pointer.
- Unnecessary inclusion of <krb5_err.h>, which is already included by
  <krb5.h> when the former exists, and might not be protected against
  double inclusion, depending on which com_err was used.
- Missing include of <com_err.h>, which was masked by the fact that it is
  included by headers generated by e2fsprogs compile_et
- Use of com_err() with a non-constant value in place of the format string,
  which in every case was a fixed-size buffer in which a message was built
  using sprintf(!). Both the calls to sprintf and the fixed-size buffers
  have been removed, in favor of just letting com_err() do the formatting.
- Various cases where X library functions expecting a parameter of type
  wchar_t * were instead passed a parameter of type XChar2b *. The two
  types look similar, but are not the same and are _not_ interchangeable.
- An overly-simplistic configure test which failed to detect existence of
  <term.h> on Solaris, due to not including <curses.h>.
- Using the wrong type for the flags output of krb5_auth_con_getflags()
  when building against Heimdal. A configure test is added to detect
  the correct type.
| |
The fact that the Heimdal and MIT APIs are subtly different strikes again.
I am honestly starting to wonder if they make it look this similar just
to frustrate people; I only don't believe it because neither team seems
like that sort of person. Fixes #74.
| |
notice->z_authent_authent_len will be zero.
| |
I am becoming increasingly enamored with the fall-through on error
clean-up-everything-at-the-end style of C error handling and resource
management.
Also remove some misleading/useless/wrong comments.
(also fix a problem in the tickets expired case where it was using
the wrong (possibly undefined) authenticator length)
| |
krb5 actually checks in mk_req and fails if the ticks are expired,
rather than giving you an authenticator that would fail and, handing
you the session key that you'd already negotiated. This causes (meh)
sending auth to fail as opposed to just ending up unauthentic and
(poor) verifiable messages to look unauthentic or forged.
So get the session key from the ccache without checking the expiration
time, and have the cert routine skip making an authenticator if
krb5_mk_req_extended says the ticket is expired.
| |
keyusage stuff
such that it actually works.
| |
sent from zwrite sending one notice and exiting).
| |
detailed change information.
| |
Kerberos.
| |
if an error occurred.
| |
have passed. New function ZResetAuthentication resets this cache.
[audited by marc]