summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/tools
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--third_party/heimdal/tools/Makefile.am65
-rw-r--r--third_party/heimdal/tools/NTMakefile35
-rw-r--r--third_party/heimdal/tools/cov.sh19
-rwxr-xr-xthird_party/heimdal/tools/coveralls-tool277
-rwxr-xr-xthird_party/heimdal/tools/fixgcov-source-paths.sh18
-rw-r--r--third_party/heimdal/tools/heimdal-gssapi.pc.in14
-rw-r--r--third_party/heimdal/tools/heimdal-kadm-client.pc.in11
-rw-r--r--third_party/heimdal/tools/heimdal-kadm-server.pc.in12
-rw-r--r--third_party/heimdal/tools/heimdal-krb5.pc.in12
-rw-r--r--third_party/heimdal/tools/kadm-client.pc.in10
-rw-r--r--third_party/heimdal/tools/kadm-server.pc.in10
-rw-r--r--third_party/heimdal/tools/kafs.pc.in10
-rw-r--r--third_party/heimdal/tools/kdc-log-analyze.pl549
-rw-r--r--third_party/heimdal/tools/krb5-config.190
-rw-r--r--third_party/heimdal/tools/krb5-config.in266
-rw-r--r--third_party/heimdal/tools/krb5-gssapi.pc.in10
-rw-r--r--third_party/heimdal/tools/krb5.pc.in10
17 files changed, 1418 insertions, 0 deletions
diff --git a/third_party/heimdal/tools/Makefile.am b/third_party/heimdal/tools/Makefile.am
new file mode 100644
index 0000000..7c50e46
--- /dev/null
+++ b/third_party/heimdal/tools/Makefile.am
@@ -0,0 +1,65 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+bin_SCRIPTS = krb5-config
+
+pkgconfigdir = $(libdir)/pkgconfig
+
+pkgconfig_DATA = \
+ heimdal-gssapi.pc \
+ heimdal-krb5.pc \
+ heimdal-kadm-client.pc \
+ heimdal-kadm-server.pc \
+ kafs.pc \
+ kadm-client.pc \
+ kadm-server.pc \
+ krb5.pc \
+ krb5-gssapi.pc
+
+man_MANS = krb5-config.1
+
+if PKINIT
+LIB_pkinit = -lhx509
+endif
+
+subst = sed -e "s!@PACKAGE\@!$(PACKAGE)!g" \
+ -e "s!@VERSION\@!$(VERSION)!g" \
+ -e "s!@CANONICAL_HOST\@!$(CANONICAL_HOST)!g" \
+ -e "s!@prefix\@!$(prefix)!g" \
+ -e "s!@exec_prefix\@!$(exec_prefix)!g" \
+ -e "s!@libdir\@!$(libdir)!g" \
+ -e "s!@includedir\@!$(includedir)!g" \
+ -e "s!@PTHREAD_LIBADD\@!$(PTHREAD_LIBADD)!g" \
+ -e "s!@LIB_crypt\@!$(LIB_crypt)!g" \
+ -e "s!@LIB_dbopen\@!$(LIB_dbopen)!g" \
+ -e "s!@LIB_hcrypto_appl\@!$(LIB_hcrypto_appl)!g" \
+ -e "s!@LIB_dlopen\@!$(LIB_dlopen)!g" \
+ -e "s!@LIB_door_create\@!$(LIB_door_create)!g" \
+ -e "s!@LIB_pkinit\@!$(LIB_pkinit)!g" \
+ -e "s!@LIBS\@!$(LIBS)!g"
+
+krb5-config: krb5-config.in
+ $(subst) $(srcdir)/krb5-config.in | /bin/sh > $@.new
+ mv $@.new $@
+ chmod +x $@
+
+.pc.in.pc:
+ $(subst) $< > $@.new
+ mv $@.new $@
+
+EXTRA_DIST = \
+ NTMakefile \
+ cov.sh \
+ $(man_MANS) \
+ krb5-config.in \
+ heimdal-gssapi.pc.in \
+ kdc-log-analyze.pl \
+ $(pkgconfig_DATA:.pc=.pc.in)
+
+CLEANFILES = \
+ krb5-config \
+ krb5-config.new \
+ $(pkgconfig_DATA) \
+ $(pkgconfig_DATA:.pc=.pc.new)
+
diff --git a/third_party/heimdal/tools/NTMakefile b/third_party/heimdal/tools/NTMakefile
new file mode 100644
index 0000000..e4b3466
--- /dev/null
+++ b/third_party/heimdal/tools/NTMakefile
@@ -0,0 +1,35 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+RELDIR=tools
+
+!include ../windows/NTMakefile.w32
+
diff --git a/third_party/heimdal/tools/cov.sh b/third_party/heimdal/tools/cov.sh
new file mode 100644
index 0000000..8ceba2d
--- /dev/null
+++ b/third_party/heimdal/tools/cov.sh
@@ -0,0 +1,19 @@
+
+d="lib/roken lib/krb5 lib/gssapi lib/ntlm tests/kdc tests/gss kuser"
+
+basedir=$(basedir $0)
+
+${basedir}/../configure CFLAGS='-fprofile-arcs -ftest-coverage' > log
+
+lcov --directory . --zerocounters
+
+make all check > log
+
+lcov --directory . --capture --output-file heimdal-lcov.info
+
+objdir="/Volumes/data/Users/lha/obj/hg"
+srcdir="/Volumes/data/Users/lha/src/heimdal/git"
+
+perl -pi -e "s@SF:$objdir/(.*.[ly])\$@SF:$srcdir/\$1@" heimdal-lcov.info
+
+genhtml heimdal-lcov.info
diff --git a/third_party/heimdal/tools/coveralls-tool b/third_party/heimdal/tools/coveralls-tool
new file mode 100755
index 0000000..981bd17
--- /dev/null
+++ b/third_party/heimdal/tools/coveralls-tool
@@ -0,0 +1,277 @@
+#!/bin/bash
+
+# This script collates gcov data after one has configured with --enable-gcov,
+# built, and run tests. It either outputs or POSTs to Coveralls a JSON text in
+# the schema for the Coveralls API, which is documented here:
+#
+# https://docs.coveralls.io/api-introduction
+# https://docs.coveralls.io/api-reference
+#
+# Currently only files in source languages supported by gcov(1) are reported
+# on, though this can easily be extended. Currently that's only C/C++ files.
+#
+# This script is specifically written for Heimdal, which is an open source C
+# codebases that uses autoconf and libtool for its build system. This means
+# that sometimes the gcov notes and data files are not necessarily where the
+# gcov(1) utility would find them, which is why this script exists instead of
+# using some other integration script.
+#
+# Although this is specific to Heimdal, it can be extended.
+#
+# Note that one side effect of running this script, gcov(1) will be run for all
+# C/C++ source files in the workspace. As well, some gcov notes and data files
+# maybe hard-linked to other names. However, this script should be idempotent.
+
+set -euo pipefail
+set +o noglob
+
+PROG=${0##*/}
+
+job=${TRAVIS_JOB_ID:-}
+out=
+post=false
+repo=
+flst=
+quiet=false
+branch=
+srcdir=$PWD
+objdir=
+token=${COVERALLS_REPO_TOKEN:-}
+origin=
+verbose=0
+
+function usage {
+ ((${1:-1})) && exec 1>&2
+ cat <<EOF
+Usage: $PROG [OPTIONS]
+ Options:
+
+ -q Quiet. Do not even emit warnings.
+ -v Verbose (on stderr). May be given multiple times.
+ -o - Output to stdout instead of POSTing to Coveralls.
+ -o FILE Output to FILE instead of POSTing to Coveralls.
+ -s CI-NAME Name of CI (e.g., "travis-ci")
+ Defaults to travis-ci.
+ -t TOKEN Token for Coveralls.
+ Defaults to \$COVERALLS_REPO_TOKEN.
+ -b BRANCH Name of branch the report is for.
+ Defaults to \$TRAVIS_BRANCH or currently-checked out branch in
+ SRCDIR.
+ -J ID Job ID (e.g., Travis-CI job ID)
+ Defaults to \${TRAVIS_JOB_ID}.
+ -i FILE Lists source files to run gcov(1) against
+ Defaults to \<(git ls-files -- '*.c' '*.cpp').
+ -S SRCDIR Path to workspace
+ Defaults to \${PWD}.
+ -O OBJDIR Path to object directory if workspace is built out of tree
+ Defaults to SRCDIR.
+ -U ORIGIN Name of origin.
+ Defaults to tracked upstream remote of BRANCH.
+ -R URI Repository URI
+ Defaults to git@github.com:\${TRAVIS_REPO_SLUG} or the push URI
+ for the ORIGIN remote of the workspace at SRCDIR.
+
+ $PROG will look for .gcno and .gcda files in OBJDIR for source files
+ in the workspace at SRCDIR and will run gcov on them, and produce
+ a request body as JSON in FILE (or stdout if -o FILE not given)
+ for the Coveralls API.
+
+ If -o FILE is not given, then $PROG will POST the JSON to Coveralls.
+ If -o FILE is given, then $PROG will not POST it to Coveralls.
+
+ If SRCDIR == OBJDIR == \$PWD, then -S and -O need not be given.
+ If running in a Travis-CI build, -J, -R, and -b need not be given, and -t
+ should not be given -- instead you should set a secret COVERALLS_REPO_TOKEN
+ environment variable in your project's Travis-CI's settings.
+
+ Only C and C++ source files are reported on. E.g., Yacc/Bison/Flex
+ source files are not reported.
+
+ The resulting JSON output is or can be POSTed to Coveralls with:
+
+ $ curl -sfg -X POST -F "json_file=@\${FILE}" -F "Filename=json_file" \\
+ https://coveralls.io/api/v1/jobs
+EOF
+ exit ${1:-1}
+}
+
+while getopts +:J:O:R:S:U:b:hi:o:qs:t:vx opt; do
+case "$opt" in
+J) job=$OPTARG;;
+O) cd "$OPTARG"; objdir=$PWD; cd "$OLDPWD";;
+R) repo=$OPTARG;;
+S) cd "$OPTARG"; srcdir=$PWD; cd "$OLDPWD";;
+U) origin=$OPTARG;;
+b) branch=;;
+h) usage 0;;
+i) flst=$OPTARG;;
+o) out=$OPTARG;;
+q) quiet=true; verbose=0;;
+s) ci=$OPTARG;;
+t) token=$OPTARG;;
+v) quiet=false; ((verbose++)) || true; ((verbose > 3)) && set -vx;;
+*) usage 1;;
+esac
+done
+
+# Note: we don't cd to $srcdir or $objdir or anywhere, so if $out is a relative
+# path, we do the right thing.
+
+: ${objdir:=${srcdir}}
+: ${branch:=${TRAVIS_BRANCH:-$(cd "$srcdir" && git rev-parse --abbrev-ref HEAD)}}
+
+if [[ -z ${origin:-} ]]; then
+ origin=$(
+ git for-each-ref \
+ --format="%(refname:short) %(upstream:remotename)" refs/heads |
+ while read gb gr; do
+ [[ $gb = $branch ]] || continue
+ printf '%s\n' "$gr"
+ break
+ done
+ )
+fi
+
+if [[ -z ${repo:-} ]]; then
+ if [[ -n ${TRAVIS_REPO_SLUG:-} ]]; then
+ repo=git@github.com:${TRAVIS_REPO_SLUG:-heimdal/heimdal}
+ else
+ repo=$(cd "$srcdir" && git remote get-url --push "$origin")
+ fi
+fi
+
+if ((verbose > 1)); then
+ exec 3>&2
+else
+ exec 3>/dev/null
+fi
+
+d=
+function cleanup {
+ [[ -n $d ]] && rm -rf "$d"
+}
+
+trap cleanup EXIT
+d=$(mktemp -d)
+touch "${d}/f"
+
+declare -a gcov
+
+(cd "$srcdir" &&
+ if [[ -n $flst ]]; then cat "$flst"; else git ls-files -- '*.c' '*.cpp'; fi) |
+while read f; do
+ # Remember to be careful to refer to ${srcdir}/${f}
+ ((verbose)) && printf 'Processing: %s\n' "$f" 1>&2
+
+ dir=${f%/*}
+ base=${f##*/}
+ base=${base%.*}
+
+ if [[ ! -f ${objdir}/${dir}/.libs/${base}.gcda && ! -f ${objdir}/${dir}/${base}.gcda ]]; then
+ # Look for .libs/libfoo_la-${base}.gcda -- we don't know "foo", and
+ # there may be more than one!
+ gcda=
+ for gcda in ${objdir}/${dir}/.libs/*_la-${base}.gcda; do
+ break
+ done
+ gcno=
+ for gcno in ${objdir}/${dir}/.libs/*_la-${base}.gcno; do
+ break
+ done
+ [[ -n $gcno && -f $gcno ]] && ln -f "$gcno" "${objdir}/${dir}/.libs/${base}.gcno"
+ [[ -n $gcda && -f $gcda ]] && ln -f "$gcda" "${objdir}/${dir}/.libs/${base}.gcda"
+ if [[ ( -n $gcda && ! -f $gcda ) || ( -n $gcno && ! -f $gcno ) ]]; then
+ $quiet || printf 'Warning: %s has no gcov notes file\n' "$f" 1>&2
+ continue
+ fi
+ fi
+
+ if [[ -f ${objdir}/${dir}/.libs/${base}.gcda ]]; then
+ ((verbose > 1)) && printf 'Running gcov for %s using gcda from .libs\n' "$f" 1>&2
+ if ! (cd "${objdir}/${f%/*}"; ((verbose > 2)) && set -vx; gcov -o .libs "${f##*/}") 1>&3; then
+ $quiet || printf 'Warning: gcov failed for %s\n' "$f" 1>&2
+ continue
+ fi
+ elif [[ -f ${objdir}/${dir}/${base}.gcda ]]; then
+ if ! (cd "${objdir}/${f%/*}"; ((verbose > 2)) && set -vx; gcov "${f##*/}") 1>&3; then
+ $quiet || printf 'Warning: gcov failed for %s\n' "$f" 1>&2
+ continue
+ fi
+ fi
+
+ if [[ ! -f ${objdir}/${f}.gcov ]]; then
+ $quiet || printf 'Warning: gcov did not produce a .gcov file for %s\n' "$f" 1>&2
+ continue
+ fi
+
+ md5=$(md5sum "${srcdir}/${f}")
+ md5=${md5%% *}
+
+ jq -Rn --arg sum "${md5}" --arg f "$f" '
+ {
+ name: $f,
+ source_digest: $sum,
+ coverage: [
+ inputs
+ | split(":")
+ | (.[1] |= tonumber)
+ | select(.[1] > 0)
+ | if .[0]|endswith("#")
+ then 0
+ elif .[0]|endswith("-")
+ then null
+ else .[0]|tonumber
+ end
+ ]
+ }
+ ' "${objdir}/${f}.gcov" >> "${d}/f"
+done
+
+function make_report {
+ jq -s --arg job "$job" \
+ --arg ci "${ci:-travis-ci}" \
+ --arg token "$token" \
+ --arg repo "$repo" \
+ --arg branch "$branch" \
+ --arg upstream "$origin" \
+ --arg head "$(git log -n1 --format=%H)" \
+ --arg subject "$(git log -n1 --format=%s)" \
+ --arg aN "$(git log -n1 --format=%aN)" \
+ --arg ae "$(git log -n1 --format=%ae)" \
+ --arg cN "$(git log -n1 --format=%cN)" \
+ --arg ce "$(git log -n1 --format=%ce)" \
+ '{
+ service_job_id: $job,
+ service_name: $ci,
+ repo_token: $token,
+ git: {
+ id: $head,
+ author_name: $aN,
+ author_email: $ae,
+ committer_name: $cN,
+ committer_email: $ce,
+ message: $subject,
+ branch: $branch,
+ remotes: [ {
+ "name": $upstream,
+ "url": $repo
+ }
+ ]
+ },
+ source_files: .
+ }' "${d}/f"
+}
+
+if [[ -z $out ]]; then
+ post=true
+ make_report > "${d}/out"
+elif [[ $out = - ]]; then
+ make_report
+else
+ make_report > "${out}"
+fi
+
+if $post && [[ $out != /dev/stdout ]]; then
+ curl -sfg -X POST -F "json_file=@${d}/out" -F "Filename=json_file" \
+ https://coveralls.io/api/v1/jobs
+fi
diff --git a/third_party/heimdal/tools/fixgcov-source-paths.sh b/third_party/heimdal/tools/fixgcov-source-paths.sh
new file mode 100755
index 0000000..eaa9c9c
--- /dev/null
+++ b/third_party/heimdal/tools/fixgcov-source-paths.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+find ${1:-.} -name '*.gcov' -print | while read f; do
+ case "$f" in
+ */.libs/*) continue;;
+ *) true;;
+ esac
+ echo FIX $f
+ f_basename=${f%%.gcno\#\#*}.c
+ f_basename=${f_basename##*/}
+ head -1 "$f" | grep 'Source:/' > /dev/null && continue
+ #bname=$(head -1 "$f" | grep 'Source:/' | cut -d: -f4)
+ dname=$(echo "$f"|cut -d'#' -f1|sed -e 's,/[^/]*$,/,')
+ ex "$f" <<EOF
+1,1 s,:Source:.*$,:Source:${dname}${f_basename},
+wq!
+EOF
+done
diff --git a/third_party/heimdal/tools/heimdal-gssapi.pc.in b/third_party/heimdal/tools/heimdal-gssapi.pc.in
new file mode 100644
index 0000000..41adefe
--- /dev/null
+++ b/third_party/heimdal/tools/heimdal-gssapi.pc.in
@@ -0,0 +1,14 @@
+# $Id$
+prefix=@prefix@
+exec_prefix=${prefix}
+libdir=@libdir@
+includedir=@includedir@
+
+Name: @PACKAGE@
+Description: Heimdal is an implementation of Kerberos 5, freely available under a three clause BSD style license.
+Version: @VERSION@
+URL: http://www.pdc.kth.se/heimdal/
+Requires.private: heimdal-krb5
+Libs: -L${libdir} -lgssapi
+Libs.private: -lheimntlm @LIB_crypt@
+Cflags: -I${includedir}
diff --git a/third_party/heimdal/tools/heimdal-kadm-client.pc.in b/third_party/heimdal/tools/heimdal-kadm-client.pc.in
new file mode 100644
index 0000000..2eb9e3e
--- /dev/null
+++ b/third_party/heimdal/tools/heimdal-kadm-client.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: heimdal-kadm-client
+Description: Kadmin client library.
+Version: @VERSION@
+Requires.private: heimdal-gssapi
+Libs: -L${libdir} -lkadm5clnt
+Cflags: -I${includedir}
diff --git a/third_party/heimdal/tools/heimdal-kadm-server.pc.in b/third_party/heimdal/tools/heimdal-kadm-server.pc.in
new file mode 100644
index 0000000..00a78cc
--- /dev/null
+++ b/third_party/heimdal/tools/heimdal-kadm-server.pc.in
@@ -0,0 +1,12 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: heimdal-kadm-server
+Description: Kadmin server library.
+Version: @VERSION@
+Requires.private: heimdal-gssapi
+Libs: -L${libdir} -lkadm5srv
+Libs.private: @LIB_dbopen@
+Cflags: -I${includedir}
diff --git a/third_party/heimdal/tools/heimdal-krb5.pc.in b/third_party/heimdal/tools/heimdal-krb5.pc.in
new file mode 100644
index 0000000..a1f1399
--- /dev/null
+++ b/third_party/heimdal/tools/heimdal-krb5.pc.in
@@ -0,0 +1,12 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: heimdal-krb5
+Description: Heimdal implementation of the Kerberos network authentication.
+Version: @VERSION@
+Libs: -L${libdir} -lkrb5
+Libs.private: @LIB_pkinit@ -lcom_err @LIB_hcrypto_appl@ -lasn1 -lwind -lheimbase -lroken @LIB_crypt@ @PTHREAD_LIBADD@ @LIB_dlopen@ @LIB_door_create@ @LIBS@
+Cflags: -I${includedir}
diff --git a/third_party/heimdal/tools/kadm-client.pc.in b/third_party/heimdal/tools/kadm-client.pc.in
new file mode 100644
index 0000000..f843885
--- /dev/null
+++ b/third_party/heimdal/tools/kadm-client.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: kadm-client
+Description: Kadmin client library.
+Version: @VERSION@
+Requires: heimdal-kadm-client
diff --git a/third_party/heimdal/tools/kadm-server.pc.in b/third_party/heimdal/tools/kadm-server.pc.in
new file mode 100644
index 0000000..9f1e62e
--- /dev/null
+++ b/third_party/heimdal/tools/kadm-server.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: kadm-server
+Description: Kadmin server library.
+Version: @VERSION@
+Requires: heimdal-kadm-server
diff --git a/third_party/heimdal/tools/kafs.pc.in b/third_party/heimdal/tools/kafs.pc.in
new file mode 100644
index 0000000..bd31f26
--- /dev/null
+++ b/third_party/heimdal/tools/kafs.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: kafs
+Description: Libraries for application that uses kafs.
+Version: @VERSION@
+Requires.private: heimdal-krb5
+Libs: -lkafs
diff --git a/third_party/heimdal/tools/kdc-log-analyze.pl b/third_party/heimdal/tools/kdc-log-analyze.pl
new file mode 100644
index 0000000..6692bf4
--- /dev/null
+++ b/third_party/heimdal/tools/kdc-log-analyze.pl
@@ -0,0 +1,549 @@
+#! /usr/pkg/bin/perl
+# -*- mode: perl; perl-indent-level: 8 -*-
+#
+# Copyright (c) 2003 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+# kdc-log-analyze - Analyze a KDC log file and give a report on the contents
+#
+# Note: The parts you want likely want to customize are the variable $notlocal,
+# the array @local_network_re and the array @local_realms.
+#
+# Idea and implemetion for MIT Kerberos was done first by
+# Ken Hornstein <kenh@cmf.nrl.navy.mil>, this program wouldn't exists
+# without his help.
+#
+
+use strict;
+use Sys::Hostname;
+
+my $notlocal = 'not SU';
+my @local_realms = ( "SU.SE" );
+my @local_networks_re =
+ (
+ "130\.237",
+ "193\.11\.3[0-9]\.",
+ "130.242.128",
+ "2001:6b0:5:"
+ );
+
+my $as_req = 0;
+my %as_req_addr;
+my %as_req_addr_nonlocal;
+my %as_req_client;
+my %as_req_server;
+my %addr_uses_des;
+my %princ_uses_des;
+my $five24_req = 0;
+my %five24_req_addr;
+my %five24_req_addr_nonlocal;
+my %five24_req_server;
+my %five24_req_client;
+my $as_req_successful = 0;
+my $as_req_error = 0;
+my $no_such_princ = 0;
+my %no_such_princ_princ;
+my %no_such_princ_addr;
+my %no_such_princ_addr_nonlocal;
+my $as_req_etype_odd = 0;
+my %bw_addr;
+my $pa_alt_princ_request = 0;
+my $pa_alt_princ_verify = 0;
+my $tgs_req = 0;
+my %tgs_req_addr;
+my %tgs_req_addr_nonlocal;
+my %tgs_req_client;
+my %tgs_req_server;
+my $tgs_xrealm_out = 0;
+my %tgs_xrealm_out_realm;
+my %tgs_xrealm_out_princ;
+my $tgs_xrealm_in = 0;
+my %tgs_xrealm_in_realm;
+my %tgs_xrealm_in_princ;
+my %enctype_session;
+my %enctype_ticket;
+my $restarts = 0;
+my $forward_non_forward = 0;
+my $v4_req = 0;
+my %v4_req_addr;
+my %v4_req_addr_nonlocal;
+my $v4_cross = 0;
+my %v4_cross_realm;
+my $v5_cross = 0;
+my %v5_cross_realm;
+my $referrals = 0;
+my %referral_princ;
+my %referral_realm;
+my %strange_tcp_data;
+my $http_malformed = 0;
+my %http_malformed_addr;
+my $http_non_kdc = 0;
+my %http_non_kdc_addr;
+my $tcp_conn_timeout = 0;
+my %tcp_conn_timeout_addr;
+my $failed_processing = 0;
+my %failed_processing_addr;
+my $connection_closed = 0;
+my %connection_closed_addr;
+my $pa_failed = 0;
+my %pa_failed_princ;
+my %pa_failed_addr;
+my %ip;
+
+$ip{'4'} = $ip{'6'} = 0;
+
+while (<>) {
+ process_line($_);
+}
+
+print "Kerberos KDC Log Report for ",
+ hostname, " on ", scalar localtime, "\n\n";
+
+print "General Statistics\n\n";
+
+print "\tNumber of IPv4 requests: $ip{'4'}\n";
+print "\tNumber of IPv6 requests: $ip{'6'}\n\n";
+
+print "\tNumber of restarts: $restarts\n";
+print "\tNumber of V4 requests: $v4_req\n";
+if ($v4_req > 0) {
+ print "\tTop ten IP addresses performing V4 requests:\n";
+ topten(\%v4_req_addr);
+}
+if (int(keys %v4_req_addr_nonlocal) > 0) {
+ print "\tTop ten $notlocal IP addresses performing V4 requests:\n";
+ topten(\%v4_req_addr_nonlocal);
+
+}
+print "\n";
+
+print "\tNumber of V4 cross realms (krb4 and 524) requests: $v4_cross\n";
+if ($v4_cross > 0) {
+ print "\tTop ten realms performing V4 cross requests:\n";
+ topten(\%v4_cross_realm);
+}
+print "\n";
+
+print "\tNumber of V45 cross realms requests: $v5_cross\n";
+if ($v5_cross > 0) {
+ print "\tTop ten realms performing V4 cross requests:\n";
+ topten(\%v5_cross_realm);
+}
+print "\n";
+
+print "\tNumber of failed lookups: $no_such_princ\n";
+if ($no_such_princ > 0) {
+ print "\tTop ten IP addresses failing to find principal:\n";
+ topten(\%no_such_princ_addr);
+ print "\tTop ten $notlocal IP addresses failing find principal:\n";
+ topten(\%no_such_princ_addr_nonlocal);
+ print "\tTop ten failed to find principals\n";
+ topten(\%no_such_princ_princ);
+}
+print "\n";
+
+print "\tBandwidth pigs:\n";
+topten(\%bw_addr);
+print "\n";
+
+print "\tStrange TCP data clients: ", int(keys %strange_tcp_data),"\n";
+topten(\%strange_tcp_data);
+print "\n";
+
+print "\tTimeout waiting on TCP requests: ", $tcp_conn_timeout,"\n";
+if ($tcp_conn_timeout > 0) {
+ print "\tTop ten TCP timeout request clients\n";
+ topten(\%tcp_conn_timeout_addr);
+}
+print "\n";
+
+print "\tFailed processing requests: ", $failed_processing,"\n";
+if ($failed_processing > 0) {
+ print "\tTop ten failed processing request clients\n";
+ topten(\%failed_processing_addr);
+}
+print "\n";
+
+print "\tConnection closed requests: ", $connection_closed,"\n";
+if ($connection_closed > 0) {
+ print "\tTop ten connection closed request clients\n";
+ topten(\%connection_closed_addr);
+}
+print "\n";
+
+print "\tMalformed HTTP requests: ", $http_malformed,"\n";
+if ($http_malformed > 0) {
+ print "\tTop ten malformed HTTP request clients\n";
+ topten(\%http_malformed_addr);
+}
+print "\n";
+
+print "\tHTTP non kdc requests: ", $http_non_kdc,"\n";
+if ($http_non_kdc > 0) {
+ print "\tTop ten HTTP non KDC request clients\n";
+ topten(\%http_non_kdc_addr);
+}
+print "\n";
+
+print "Report on AS_REQ requests\n\n";
+print "Overall AS_REQ statistics\n\n";
+
+print "\tTotal number: $as_req\n";
+
+print "\nAS_REQ client/server statistics\n\n";
+
+print "\tDistinct IP Addresses performing requests: ",
+ int(keys %as_req_addr),"\n";
+print "\tOverall top ten IP addresses\n";
+topten(\%as_req_addr);
+
+print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
+ int(keys %as_req_addr_nonlocal), "\n";
+print "\tTop ten non-local ($notlocal) IP address:\n";
+topten(\%as_req_addr_nonlocal);
+
+print "\n\tPreauth failed for for: ", $pa_failed, " requests\n";
+if ($pa_failed) {
+ print "\tPreauth failed top ten IP addresses:\n";
+ topten(\%pa_failed_addr);
+ print "\tPreauth failed top ten principals:\n";
+ topten(\%pa_failed_princ);
+}
+
+print "\n\tDistinct clients performing requests: ",
+ int(keys %as_req_client), "\n";
+print "\tTop ten clients:\n";
+topten(\%as_req_client);
+
+print "\tDistinct services requested: ", int(keys %as_req_server), "\n";
+print "\tTop ten requested services:\n";
+topten(\%as_req_server);
+
+print "\n\n\nReport on TGS_REQ requests:\n\n";
+print "Overall TGS_REQ statistics\n\n";
+print "\tTotal number: $tgs_req\n";
+
+print "\nTGS_REQ client/server statistics\n\n";
+print "\tDistinct IP addresses performing requests: ",
+ int(keys %tgs_req_addr), "\n";
+print "\tOverall top ten IP addresses\n";
+topten(\%tgs_req_addr);
+
+print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
+ int(keys %tgs_req_addr_nonlocal), "\n";
+print "\tTop ten non-local ($notlocal) IP address:\n";
+topten(\%tgs_req_addr_nonlocal);
+
+print "\tDistinct clients performing requests: ",
+ int(keys %tgs_req_client), "\n";
+print "\tTop ten clients:\n";
+topten(\%tgs_req_client);
+
+print "\tDistinct services requested: ", int(keys %tgs_req_server), "\n";
+print "\tTop ten requested services:\n";
+topten(\%tgs_req_server);
+
+print "\n\n\nReport on 524_REQ requests:\n\n";
+
+print "\t524_REQ client/server statistics\n\n";
+
+print "\tDistinct IP Addresses performing requests: ",
+ int(keys %five24_req_addr),"\n";
+print "\tOverall top ten IP addresses\n";
+topten(\%five24_req_addr);
+
+print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
+ int(keys %five24_req_addr_nonlocal), "\n";
+print "\tTop ten non-local ($notlocal) IP address:\n";
+topten(\%five24_req_addr_nonlocal);
+
+print "\tDistinct clients performing requests: ", int(keys %five24_req_client), "\n";
+print "\tTop ten clients:\n";
+topten(\%five24_req_client);
+
+print "\tDistinct services requested: ", int(keys %five24_req_server), "\n";
+print "\tTop ten requested services:\n";
+topten(\%five24_req_server);
+print "\n";
+
+print "Cross realm statistics\n\n";
+
+print "\tNumber of cross-realm tgs out: $tgs_xrealm_out\n";
+if ($tgs_xrealm_out > 0) {
+ print "\tTop ten realms used for out cross-realm:\n";
+ topten(\%tgs_xrealm_out_realm);
+ print "\tTop ten principals use out cross-realm:\n";
+ topten(\%tgs_xrealm_out_princ);
+}
+print "\tNumber of cross-realm tgs in: $tgs_xrealm_in\n";
+if ($tgs_xrealm_in > 0) {
+ print "\tTop ten realms used for in cross-realm:\n";
+ topten(\%tgs_xrealm_in_realm);
+ print "\tTop ten principals use in cross-realm:\n";
+ topten(\%tgs_xrealm_in_princ);
+}
+
+print "\n\nReport on referral:\n\n";
+
+print "\tNumber of referrals: $referrals\n";
+if ($referrals > 0) {
+ print "\tTop ten referral-ed principals:\n";
+ topten(\%referral_princ);
+ print "\tTop ten to realm referrals:\n";
+ topten(\%referral_realm);
+}
+
+print "\n\nEnctype Statistics:\n\n";
+print "\tTop ten session enctypes:\n";
+topten(\%enctype_session);
+print "\tTop ten ticket enctypes:\n";
+topten(\%enctype_ticket);
+
+print "\tDistinct IP addresses using DES: ", int(keys %addr_uses_des), "\n";
+print "\tTop IP addresses using DES:\n";
+topten(\%addr_uses_des);
+print "\tDistinct principals using DES: ", int(keys %princ_uses_des), "\n";
+print "\tTop ten principals using DES:\n";
+topten(\%princ_uses_des);
+
+print "\n";
+
+printf("Requests to forward non-forwardable ticket: $forward_non_forward\n");
+
+
+exit 0;
+
+my $last_addr = "";
+my $last_principal = "";
+
+sub process_line {
+ local($_) = @_;
+ #
+ # Eat these lines that are output as a result of startup (but
+ # log the number of restarts)
+ #
+ if (/AS-REQ \(krb4\) (.*) from IPv([46]):([0-9\.:a-fA-F]+) for krbtgt.*$/){
+ $v4_req++;
+ $v4_req_addr{$3}++;
+ $v4_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+ $last_addr = $3;
+ $last_principal = $1;
+ $ip{$2}++;
+ } elsif (/AS-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) {
+ $as_req++;
+ $as_req_client{$1}++;
+ $as_req_server{$4}++;
+ $as_req_addr{$3}++;
+ $as_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+ $last_addr = $3;
+ $last_principal = $1;
+ $ip{$2}++;
+ } elsif (/TGS-REQ \(krb4\)/) {
+ #Nothing
+ } elsif (/TGS-REQ (.+) from IPv([46]):([0-9\.:a-fA-F]+) for (.*?)( \[.*\]){0,1}$/) {
+ $tgs_req++;
+ $tgs_req_client{$1}++;
+ $tgs_req_server{$4}++;
+ $tgs_req_addr{$3}++;
+ $tgs_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+ $last_addr = $3;
+ $last_principal = $1;
+ $ip{$2}++;
+
+ my $source = $1;
+ my $dest = $4;
+
+ if (!islocalrealm($source)) {
+ $tgs_xrealm_in++;
+ $tgs_xrealm_in_princ{$source}++;
+ if ($source =~ /[^@]+@([^@]+)/ ) {
+ $tgs_xrealm_in_realm{$1}++;
+ }
+ }
+ if ($dest =~ /krbtgt\/([^@]+)@[^@]+/) {
+ if (!islocalrealm($1)) {
+ $tgs_xrealm_out++;
+ $tgs_xrealm_out_realm{$1}++;
+ $tgs_xrealm_out_princ{$source}++;
+ }
+ }
+ } elsif (/524-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) {
+ $five24_req++;
+ $five24_req_client{$1}++;
+ $five24_req_server{$4}++;
+ $five24_req_addr{$3}++;
+ $five24_req_addr_nonlocal{$3}++ if (!islocaladdr($3));
+ $last_addr = $3;
+ $last_principal = $1;
+ $ip{$2}++;
+ } elsif (/TCP data of strange type from IPv[46]:([0-9\.:a-fA-F]+)/) {
+ $strange_tcp_data{$1}++;
+ } elsif (/Lookup (.*) failed: No such entry in the database/) {
+ $no_such_princ++;
+ $no_such_princ_addr{$last_addr}++;
+ $no_such_princ_addr_nonlocal{$last_addr}++ if (!islocaladdr($last_addr));
+ $no_such_princ_princ{$1}++;
+ } elsif (/Lookup .* succeeded$/) {
+ # Nothing
+ } elsif (/Malformed HTTP request from IPv[46]:([0-9\.:a-fA-F]+)$/) {
+ $http_malformed++;
+ $http_malformed_addr{$1}++;
+ } elsif (/TCP-connection from IPv[46]:([0-9\.:a-fA-F]+) expired after [0-9]+ bytes/) {
+ $tcp_conn_timeout++;
+ $tcp_conn_timeout_addr{$1}++;
+ } elsif (/Failed processing [0-9]+ byte request from IPv[46]:([0-9\.:a-fA-F]+)/) {
+ $failed_processing++;
+ $failed_processing_addr{$1}++;
+ } elsif (/connection closed before end of data after [0-9]+ bytes from IPv[46]:([0-9\.:a-fA-F]+)/) {
+ $connection_closed++;
+ $connection_closed_addr{$1}++;
+ } elsif (/HTTP request from IPv[46]:([0-9\.:a-fA-F]+) is non KDC request/) {
+ $http_non_kdc++;
+ $http_non_kdc_addr{$1}++;
+ } elsif (/returning a referral to realm (.*) for server (.*) that was not found/) {
+ $referrals++;
+ $referral_princ{$2}++;
+ $referral_realm{$1}++;
+ } elsif (/krb4 Cross-realm (.*) -> (.*) disabled/) {
+ $v4_cross++;
+ $v4_cross_realm{$1."->".$2}++;
+ } elsif (/524 cross-realm (.*) -> (.*) disabled/) {
+ $v4_cross++;
+ $v4_cross_realm{$1."->".$2}++;
+ } elsif (/cross-realm (.*) -> (.*): no transit through realm (.*)/) {
+ } elsif (/cross-realm (.*) -> (.*) via \[([^\]]+)\]/) {
+ $v5_cross++;
+ $v5_cross_realm{$1."->".$2}++;
+ } elsif (/cross-realm (.*) -> (.*)/) {
+ $v5_cross++;
+ $v5_cross_realm{$1."->".$2}++;
+ } elsif (/sending ([0-9]+) bytes to IPv[46]:([0-9\.:a-fA-F]+)/) {
+ $bw_addr{$2} += $1;
+ } elsif (/Using ([-a-z0-9]+)\/([-a-z0-9]+)/) {
+ $enctype_ticket{$1}++;
+ $enctype_session{$2}++;
+
+ my $ticket = $1;
+ my $session = $2;
+
+ if ($ticket =~ /des-cbc-(crc|md4|md5)/) {
+ $addr_uses_des{$last_addr}++;
+ $princ_uses_des{$last_principal}++;
+ }
+
+ } elsif (/Failed to decrypt PA-DATA -- (.+)$/) {
+ $pa_failed++;
+ $pa_failed_princ{$last_principal}++;
+ $pa_failed_addr{$last_addr}++;
+
+ } elsif (/Request to forward non-forwardable ticket/) {
+ $forward_non_forward++;
+ } elsif (/HTTP request:/) {
+ } elsif (/krb_rd_req: Incorrect network address/) {
+ } elsif (/krb_rd_req: Ticket expired \(krb_rd_req\)/) {
+ } elsif (/Ticket expired \(.*\)/) {
+ } elsif (/krb_rd_req: Can't decode authenticator \(krb_rd_req\)/) {
+ } elsif (/Request from wrong address/) {
+ # XXX
+ } elsif (/UNKNOWN --/) {
+ # XXX
+ } elsif (/Too large time skew -- (.*)$/) {
+ # XXX
+ } elsif (/No PA-ENC-TIMESTAMP --/) {
+ # XXX
+ } elsif (/Looking for pa-data --/) {
+ # XXX
+ } elsif (/Pre-authentication succeded -- (.+)$/) {
+ # XXX
+ } elsif (/Bad request for ([,a-zA-Z0-9]+) ticket/) {
+ # XXX
+ } elsif (/Failed to verify AP-REQ: Ticket expired/) {
+ # XXX
+ } elsif (/Client not found in database:/) {
+ # XXX
+ } elsif (/Server not found in database \(krb4\)/) {
+ } elsif (/Server not found in database:/) {
+ # XXX
+ } elsif (/newsyslog.*logfile turned over/) {
+ # Nothing
+ } elsif (/Requested flags:/) {
+ # Nothing
+ } elsif (/shutting down/) {
+ # Nothing
+ } elsif (/listening on IP/) {
+ # Nothing
+ } elsif (/commencing operation/) {
+ $restarts++;
+ }
+ #
+ # Log it if we didn't parse the line
+ #
+ else {
+ print "Unknown log file line: $_";
+ }
+}
+
+sub topten {
+ my ($list) = @_;
+ my @keys;
+
+ my $key;
+
+ @keys = (sort {$$list{$b} <=> $$list{$a}} (keys %{$list}));
+ splice @keys, 10;
+
+ foreach $key (@keys) {
+ print "\t\t$key - $$list{$key}\n";
+ }
+}
+
+sub islocaladdr (\$) {
+ my ($addr) = @_;
+ my $net;
+
+ foreach $net (@local_networks_re) {
+ return 1 if ($addr =~ /$net/);
+ }
+ return 0;
+}
+
+sub islocalrealm (\$) {
+ my ($princ) = @_;
+ my $realm;
+
+ foreach $realm (@local_realms) {
+ return 1 if ($princ eq $realm);
+ return 1 if ($princ =~ /[^@]+\@${realm}/);
+ }
+ return 0;
+}
diff --git a/third_party/heimdal/tools/krb5-config.1 b/third_party/heimdal/tools/krb5-config.1
new file mode 100644
index 0000000..ced45de
--- /dev/null
+++ b/third_party/heimdal/tools/krb5-config.1
@@ -0,0 +1,90 @@
+.\" Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd November 30, 2000
+.Dt KRB5-CONFIG 1
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5-config
+.Nd "give information on how to link code against Heimdal libraries"
+.Sh SYNOPSIS
+.Nm
+.Op Fl Fl prefix Ns Op = Ns Ar dir
+.Op Fl Fl exec-prefix Ns Op = Ns Ar dir
+.Op Fl Fl libs
+.Op Fl Fl cflags
+.Op Ar libraries
+.Sh DESCRIPTION
+.Nm
+tells the application programmer what special flags to use to compile
+and link programs against the libraries installed by Heimdal.
+.Pp
+Options supported:
+.Bl -tag -width Ds
+.It Fl Fl prefix Ns Op = Ns Ar dir
+Print the prefix if no
+.Ar dir
+is specified, otherwise set prefix to
+.Ar dir .
+.It Fl Fl exec-prefix Ns Op = Ns Ar dir
+Print the exec-prefix if no
+.Ar dir
+is specified, otherwise set exec-prefix to
+.Ar dir .
+.It Fl Fl libs
+Output the set of libraries that should be linked against. This also
+includes rpath flags with the expectation that the C compiler is used
+for final link-edits.
+.It Fl Fl cflags
+Output the set of flags to give to the C compiler when using the
+Heimdal libraries.
+.El
+.Pp
+By default
+.Nm
+will output the set of flags and libraries to be used by a normal
+program using the krb5 API. The user can also supply a library to be
+used, the supported ones are:
+.Bl -tag -width Ds
+.It krb5
+(the default)
+.It gssapi
+use the krb5 gssapi mechanism
+.It kadm-client
+use the client-side kadmin libraries
+.It kadm-server
+use the server-side kadmin libraries
+.El
+.Sh SEE ALSO
+.Xr cc 1
+.Sh HISTORY
+.Nm
+appeared in Heimdal 0.3d.
diff --git a/third_party/heimdal/tools/krb5-config.in b/third_party/heimdal/tools/krb5-config.in
new file mode 100644
index 0000000..6408530
--- /dev/null
+++ b/third_party/heimdal/tools/krb5-config.in
@@ -0,0 +1,266 @@
+#!/bin/sh
+
+cat <<'EOM'
+#!/bin/sh
+#
+# Copyright (c) 2000 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+do_all=no
+do_libs=no
+do_lib_deps=no
+do_cflags=no
+do_usage=no
+print_prefix=no
+print_exec_prefix=no
+library=
+lib_krb5=no
+lib_gssapi=no
+lib_kadm_client=no
+lib_kadm_server=no
+lib_kafs=no
+
+if test $# -eq 0; then
+ do_usage=yes
+ usage_exit=1
+fi
+
+for i in $*; do
+ case $i in
+ --help)
+ do_usage=yes
+ usage_exit=0
+ ;;
+ --all)
+ do_all=yes
+ ;;
+ --vendor)
+ echo "Heimdal"
+ exit 0;
+ ;;
+ --version)
+ echo "@PACKAGE@ @VERSION@"
+ exit 0
+ ;;
+ --prefix=*)
+ prefix=`echo $i | sed 's/^--prefix=//'`
+ ;;
+ --prefix)
+ print_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=`echo $i | sed 's/^--exec-prefix=//'`
+ ;;
+ --exec-prefix)
+ print_exec_prefix=yes
+ ;;
+ --libs)
+ do_libs=yes
+ ;;
+ --deps)
+ do_lib_deps=yes
+ ;;
+ --cflags)
+ do_cflags=yes
+ ;;
+ krb5)
+ library=krb5
+ lib_krb5=yes
+ ;;
+ gssapi)
+ library=gssapi
+ lib_gssapi=yes
+ ;;
+ kadm-client)
+ library=kadm-client
+ lib_kadm_client=yes
+ ;;
+ kadm-server)
+ library=kadm-server
+ lib_kadm_server=yes
+ ;;
+ kafs)
+ library=kafs
+ lib_kafs=yes
+ ;;
+ *)
+ echo "unknown option: $i"
+ exit 1
+ ;;
+ esac
+done
+
+if test "$do_usage" = "yes"; then
+ echo "usage: $0 [options] [libraries]"
+ echo "options: [--help] show this message"
+ echo " [--all] display version, vendor, etc."
+ echo " [--version] display version information"
+ echo " [--prefix] display the prefix of Kerberos"
+ echo " [--exec-prefix] display the exec_prefix of Kerberos"
+ echo " [--cflags] display the CFLAGS required"
+ echo " [--libs] display the libraries required to link"
+ echo " [--deps] display the dependent libs required"
+ echo " for static linking"
+ echo
+ echo "libraries: krb5 Kerberos 5 applications"
+ echo " gssapi GSSAPI applications"
+ echo " kadm-client libkadm5 client"
+ echo " kadm-server libkadm5 server"
+ echo " kafs kafs"
+ exit $usage_exit
+fi
+
+if test X"$library" = X; then
+ lib_krb5=yes
+fi
+
+if test "$prefix" = ""; then
+ prefix=@prefix@
+fi
+if test "$exec_prefix" = ""; then
+ exec_prefix=@exec_prefix@
+fi
+
+libdir=@libdir@
+includedir=@includedir@
+
+if test "$do_all" = "yes"; then
+ echo "Version: @PACKAGE@ @VERSION@"
+ echo "Vendor: Heimdal"
+ echo "Prefix: $prefix"
+ echo "Exec_prefix: $exec_prefix"
+ exit 0
+fi
+
+if test "$print_prefix" = "yes"; then
+ echo $prefix
+ exit 0
+fi
+
+if test "$print_exec_prefix" = "yes"; then
+ echo $exec_prefix
+ exit 0
+fi
+
+# The following rpath_flag setting code is distilled from MIT Kerberos'
+# src/config/shlib.conf. Some of this seems ancient and likely to be
+# wrong in some cases, but right for all the cases we probably care
+# about. Also, this will very likely be wrong depending on how the
+# caller will be doing link-edits (with what compiler-driver or
+# link-editor)! There's no fixing this.
+#
+# In principle this doesn't belong here: application should instead use
+# krb5-config --libdir to get the directory to use for the rpath, then
+# workout the rpath flags on their own. Of course, there's no --libdir
+# option... And MIT's krb5-config does include rpath flags.
+#
+# Compatibility with MIT is the winning consideration for now.
+EOM
+
+case "@CANONICAL_HOST@" in
+alpha*-dec-osf*)
+ rpath_flag='-Wl,-rpath -Wl,';;
+*-*-hpux*)
+ rpath_flag='-Wl,+b,';;
+*-*-irix* | mips-*-netbsd*)
+ rpath_flag='-Wl,-rpath -Wl,';;
+*-*-netbsd* | *-*-openbsd* | *-*-solaris*)
+ rpath_flag='-R';;
+*-*-linux* | *-*-gnu* | *-*-k*bsd*-gnu | *-*-freebsd*)
+ rpath_flag='-Wl,--enable-new-dtags -Wl,-rpath -Wl,';;
+*-*-aix*)
+ rpath_flag='-Wl,-blibpath:';;
+*)
+rpath_flag=;;
+esac
+
+echo "rpath_flag='$rpath_flag'"
+
+cat <<'EOM'
+
+if test "$do_libs" = "yes"; then
+ deplibs=""
+ if test "$lib_gssapi" = yes; then
+ lib_flags="$lib_flags -lgssapi"
+ deplibs="$deplibs -lheimntlm"
+ if test X"$do_lib_deps" = Xyes; then
+ lib_krb5=yes
+ fi
+ fi
+ if test "$lib_kadm_client" = yes; then
+ lib_flags="$lib_flags -lkadm5clnt"
+ if test X"$do_lib_deps" = Xyes; then
+ lib_krb5=yes
+ fi
+ fi
+ if test "$lib_kadm_server" = yes; then
+ lib_flags="$lib_flags -lkadm5srv"
+ deplibs="$deplibs @LIB_dbopen@"
+ if test X"$do_lib_deps" = Xyes; then
+ lib_krb5=yes
+ fi
+ fi
+ if test "$lib_kafs" = yes; then
+ lib_flags="$lib_flags -lkafs"
+ if test X"$do_lib_deps" = Xyes; then
+ lib_krb5=yes
+ fi
+ fi
+ if test "$lib_krb5" = yes; then
+ lib_flags="$lib_flags -lkrb5"
+ fi
+ deplibs="$deplibs @LIB_pkinit@ -lcom_err"
+ deplibs="$deplibs @LIB_hcrypto_appl@ -lasn1 -lwind -lheimbase -lroken"
+ deplibs="$deplibs @LIB_crypt@ @PTHREAD_LIBADD@ @LIB_dlopen@"
+ deplibs="$deplibs @LIB_door_create@ @LIBS@"
+ if test X"$do_lib_deps" = X"yes"; then
+ lib_flags="$lib_flags $deplibs"
+ fi
+ if test X"$libdir" != X/usr/lib; then
+ lib_flags="-L${libdir} $lib_flags"
+ if test X"$rpath_flag" != X; then
+ lib_flags="${rpath_flag}${libdir} $lib_flags"
+ fi
+ fi
+
+ echo ${lib_flags}
+fi
+if test "$do_cflags" = "yes"; then
+ cflags=""
+ if test X"${includedir}" != X/usr/include; then
+ cflags="-I${includedir} $cflags"
+ fi
+ echo $cflags
+fi
+
+exit 0
+EOM
diff --git a/third_party/heimdal/tools/krb5-gssapi.pc.in b/third_party/heimdal/tools/krb5-gssapi.pc.in
new file mode 100644
index 0000000..482b78f
--- /dev/null
+++ b/third_party/heimdal/tools/krb5-gssapi.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: krb5-gssapi
+Description: Kerberos implementation of the GSS API.
+Version: @VERSION@
+Requires: heimdal-gssapi
diff --git a/third_party/heimdal/tools/krb5.pc.in b/third_party/heimdal/tools/krb5.pc.in
new file mode 100644
index 0000000..5ed2007
--- /dev/null
+++ b/third_party/heimdal/tools/krb5.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: krb5
+Description: Heimdal implementation of the kerberos network authentication.
+Version: @VERSION@
+Requires: heimdal-krb5