krb5.git/src/lib/krb5/os, branch master MIT Kerberos patches Include autoconf.h before system headers 2014-07-08T23:19:24+00:00 Greg Hudson ghudson@mit.edu 2014-07-05T15:50:58+00:00 02a1123cf44381690c28f18ab2c4ba8036200539 Include autoconf.h (either directly or via proxy) before system headers, so that feature test macros defined there can affect the system namespace. Where include order was changed, eliminate some redundant or unnecessary includes. ticket: 7961 
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace.  Where include order was changed, eliminate some
redundant or unnecessary includes.

ticket: 7961
Simplify usage of strerror_r 2014-07-08T23:19:24+00:00 Greg Hudson ghudson@mit.edu 2014-07-05T14:23:11+00:00 6a8da91b691b8f51ac62d8142cd2fa32a69f3d15 Take advantage of the strerror_r portability wrapper to simplify code using it. Remove unused macros related to strerror_r in ldap_service_stash.c and plugins.c. ticket: 7961 
Take advantage of the strerror_r portability wrapper to simplify code
using it.  Remove unused macros related to strerror_r in
ldap_service_stash.c and plugins.c.

ticket: 7961
Avoid using length fields in socket addresses 2014-07-04T19:14:03+00:00 Greg Hudson ghudson@mit.edu 2014-07-03T16:48:53+00:00 48a0b16ab1f70b6486a6d7af7ca9e7b376b19956 Remove code to set or reference the length fields of socket addresses (sa_len/sin_len/sin6_len), since they aren't portable and setting them is not required. Remove autoconf tests for those fields which are no longer used or which were never used. There is one exception: in localaddr.c, we still neeed to reference sa_len for the definition of ifreq_size on platforms which have sa_len. Leave that behind, along with the autoconf test which defines SA_LEN. 
Remove code to set or reference the length fields of socket addresses
(sa_len/sin_len/sin6_len), since they aren't portable and setting them
is not required.  Remove autoconf tests for those fields which are no
longer used or which were never used.

There is one exception: in localaddr.c, we still neeed to reference
sa_len for the definition of ifreq_size on platforms which have
sa_len.  Leave that behind, along with the autoconf test which defines
SA_LEN.
Don't depend on sa_len sockaddr field 2014-07-04T19:14:02+00:00 Greg Hudson ghudson@mit.edu 2014-07-03T16:17:25+00:00 1fde9a67030845d3cae0661595f5737a4db8b9dd In socket-utils.h, replace the socklen macro with an inline function sa_socklen which always uses the address family, even on platforms with the sa_len sockaddr field. This removes the need to set sa_len in socket addresses we construct. 
In socket-utils.h, replace the socklen macro with an inline function
sa_socklen which always uses the address family, even on platforms
with the sa_len sockaddr field.  This removes the need to set sa_len
in socket addresses we construct.
Simplify and fix k5_check_cert_address 2014-06-12T16:23:42+00:00 Greg Hudson ghudson@mit.edu 2014-06-03T15:48:13+00:00 b6ec31e4e599db867ff19beef3be9b0bfa5b70eb Get rid of the address union. Store the result of get_cert_cn in a signed variable so we can meaningfully check for negative results. Make get_cert_cn return int for consistency with X509_NAME_get_text_by_NID and its two callers. Also add an emacs mode line to the top of the file. ticket: 7929 
Get rid of the address union.  Store the result of get_cert_cn in a
signed variable so we can meaningfully check for negative results.
Make get_cert_cn return int for consistency with
X509_NAME_get_text_by_NID and its two callers.

Also add an emacs mode line to the top of the file.

ticket: 7929
Use k5_setmsg 2014-06-05T15:22:50+00:00 Greg Hudson ghudson@mit.edu 2014-05-24T16:15:32+00:00 a7b5808b5df9e54ef8a8a7ac24e5faad458ddbce Replace most calls to krb5_set_error_message with k5_setmsg for brevity. Leave alone plugin sources where we don't include k5-int.h (mostly PKINIT). 
Replace most calls to krb5_set_error_message with k5_setmsg for
brevity.  Leave alone plugin sources where we don't include k5-int.h
(mostly PKINIT).
Check names in the server's cert when using KKDCP 2014-06-02T22:38:54+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2014-04-17T21:19:03+00:00 f7825e81b1ebf533c1dba9f84ae9ad36073a89cf When we connect to a KDC using an HTTPS proxy, check that the naming information in the certificate matches the name or address which we extracted from the server URL in the configuration. ticket: 7929 
When we connect to a KDC using an HTTPS proxy, check that the naming
information in the certificate matches the name or address which we
extracted from the server URL in the configuration.

ticket: 7929
Load custom anchors when using KKDCP 2014-06-02T22:09:47+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2014-04-17T21:17:13+00:00 f220067c2969aab107bd1300ad1cb8d4855389a7 Add an http_anchors per-realm setting which we'll apply when using an HTTPS proxy, more or less mimicking the syntax of its similarly-named PKINIT counterpart. We only check the [realms] section, though. ticket: 7929 
Add an http_anchors per-realm setting which we'll apply when using an
HTTPS proxy, more or less mimicking the syntax of its similarly-named
PKINIT counterpart.  We only check the [realms] section, though.

ticket: 7929
HTTPS transport (Microsoft KKDCPP implementation) 2014-06-02T21:59:14+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2014-04-24T20:30:56+00:00 d950809ff49e3e7603594186d77135a09ab6b1b2 Add an 'HTTPS' transport type which connects to an [MS-KKDCP] proxy server using HTTPS to communicate with a KDC. The KDC's name should take the form of an HTTPS URL (e.g. "https://proxybox/KdcProxy"). An HTTPS connection's encryption layer can be reading and writing when the application layer is expecting to write and read, so the HTTPS callbacks have to handle being called multiple times. [nalin@redhat.com: use cleanup labels, make sure we always send the realm name, keep a copy of the URI on-hand, move most of the conditionally-compiled sections into their own conditionally-built functions, break out HTTPS request formatting into a helper function, handle the MS-KKDCP length bytes, update comments to mention specific versions of the MS-KKDCP spec, differentiate TCP and HTTP trace messages, trace unparseable responses] ticket: 7929 
Add an 'HTTPS' transport type which connects to an [MS-KKDCP] proxy
server using HTTPS to communicate with a KDC.  The KDC's name should
take the form of an HTTPS URL (e.g. "https://proxybox/KdcProxy").

An HTTPS connection's encryption layer can be reading and writing when
the application layer is expecting to write and read, so the HTTPS
callbacks have to handle being called multiple times.

[nalin@redhat.com: use cleanup labels, make sure we always send the
 realm name, keep a copy of the URI on-hand, move most of the
 conditionally-compiled sections into their own conditionally-built
 functions, break out HTTPS request formatting into a helper function,
 handle the MS-KKDCP length bytes, update comments to mention specific
 versions of the MS-KKDCP spec, differentiate TCP and HTTP trace
 messages, trace unparseable responses]

ticket: 7929
Dispatch-style protocol switching for transport 2014-06-02T21:58:27+00:00 Robbie Harwood (frozencemetery) rharwood@club.cc.cmu.edu 2013-08-16T18:48:55+00:00 606e2ccc0a2546a23761f910482a55c5bf0f98ac Switch to using per-transport-type functions when a socket that we're using to communicate with a server becomes readable or writable, and add them as pointers to the connection state. The functions are passed the name of the realm of the server being contacted, as we expect to need this in the near future. [nalin@redhat.com: replace macros with typedefs] [nalin@redhat.com: compare transports with TCP_OR_UDP rather than with 0] ticket: 7929 
Switch to using per-transport-type functions when a socket that we're
using to communicate with a server becomes readable or writable, and add
them as pointers to the connection state.  The functions are passed the
name of the realm of the server being contacted, as we expect to need
this in the near future.

[nalin@redhat.com: replace macros with typedefs]
[nalin@redhat.com: compare transports with TCP_OR_UDP rather than with 0]

ticket: 7929