From 4f5791ebd03eaec1c7da0865a383175b05102712 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 5 May 2024 19:47:29 +0200
Subject: Adding upstream version 2:4.17.12+dfsg.

Signed-off-by: Daniel Baumann --- .../heimdal/.github/ISSUE_TEMPLATE/bug_report.md | 38 + .../.github/ISSUE_TEMPLATE/feature_request.md | 20 + third_party/heimdal/.github/workflows/coverity.yml | 68 + third_party/heimdal/.github/workflows/linux.yml | 146 + third_party/heimdal/.github/workflows/osx.yml | 122 + .../heimdal/.github/workflows/scanbuild.yml | 67 + third_party/heimdal/.github/workflows/valgrind.yml | 71 + third_party/heimdal/.github/workflows/windows.yml | 92 + third_party/heimdal/.gitignore | 718 + third_party/heimdal/.travis.yml | 92 + third_party/heimdal/CODE_OF_CONDUCT.md | 76 + third_party/heimdal/ChangeLog | 485 + third_party/heimdal/ChangeLog.1998 | 3201 + third_party/heimdal/ChangeLog.1999 | 2194 + third_party/heimdal/ChangeLog.2000 | 1320 + third_party/heimdal/ChangeLog.2001 | 1122 + third_party/heimdal/ChangeLog.2002 | 726 + third_party/heimdal/ChangeLog.2003 | 1795 + third_party/heimdal/ChangeLog.2004 | 1485 + third_party/heimdal/ChangeLog.2005 | 2004 + third_party/heimdal/ChangeLog.2006 | 2047 + third_party/heimdal/ChangeLog.2007 | 1321 + third_party/heimdal/HEIMDAL-LICENCE.txt | 44 + third_party/heimdal/LICENSE | 33 + third_party/heimdal/Makefile.am | 70 + third_party/heimdal/Makefile.am.common | 4 + third_party/heimdal/NEWS | 1152 + third_party/heimdal/NTMakefile | 47 + third_party/heimdal/README | 19 + third_party/heimdal/README.fast | 13 + third_party/heimdal/README.md | 39 + third_party/heimdal/SECURITY.md | 90 + third_party/heimdal/TODO | 30 + third_party/heimdal/acinclude.m4 | 9 + third_party/heimdal/admin/ChangeLog | 70 + third_party/heimdal/admin/Makefile.am | 43 + third_party/heimdal/admin/NTMakefile | 74 + third_party/heimdal/admin/add.c | 158 + third_party/heimdal/admin/change.c | 297 + third_party/heimdal/admin/copy.c | 143 + third_party/heimdal/admin/destroy.c | 52 + third_party/heimdal/admin/get.c | 264 + third_party/heimdal/admin/ktutil-commands.in | 299 + third_party/heimdal/admin/ktutil-version.rc | 36 + 
third_party/heimdal/admin/ktutil.1 | 128 + third_party/heimdal/admin/ktutil.c | 177 + third_party/heimdal/admin/ktutil_locl.h | 74 + third_party/heimdal/admin/list.c | 172 + third_party/heimdal/admin/purge.c | 172 + third_party/heimdal/admin/remove.c | 93 + third_party/heimdal/admin/rename.c | 113 + third_party/heimdal/appl/Makefile.am | 23 + third_party/heimdal/appl/NTMakefile | 35 + third_party/heimdal/appl/afsutil/ChangeLog | 125 + third_party/heimdal/appl/afsutil/Makefile.am | 19 + third_party/heimdal/appl/afsutil/NTMakefile | 35 + third_party/heimdal/appl/afsutil/afslog.1 | 147 + third_party/heimdal/appl/afsutil/afslog.c | 303 + third_party/heimdal/appl/afsutil/pagsh.1 | 94 + third_party/heimdal/appl/afsutil/pagsh.c | 213 + third_party/heimdal/appl/dbutils/Makefile.am | 13 + third_party/heimdal/appl/dbutils/NTMakefile | 35 + third_party/heimdal/appl/dbutils/bsearch.1 | 115 + third_party/heimdal/appl/dbutils/bsearch.c | 205 + third_party/heimdal/appl/dceutils/ChangeLog | 39 + third_party/heimdal/appl/dceutils/Makefile.am | 37 + third_party/heimdal/appl/dceutils/NTMakefile | 35 + third_party/heimdal/appl/dceutils/README.dcedfs | 59 + third_party/heimdal/appl/dceutils/README.original | 335 + third_party/heimdal/appl/dceutils/dfspag.exp | 3 + third_party/heimdal/appl/dceutils/dpagaix.c | 23 + third_party/heimdal/appl/dceutils/k5dce.h | 165 + third_party/heimdal/appl/dceutils/k5dcecon.c | 792 + third_party/heimdal/appl/dceutils/testpag.c | 150 + third_party/heimdal/appl/gssmask/Makefile.am | 13 + third_party/heimdal/appl/gssmask/NTMakefile | 35 + third_party/heimdal/appl/gssmask/common.c | 97 + third_party/heimdal/appl/gssmask/common.h | 114 + third_party/heimdal/appl/gssmask/gssmaestro.c | 962 + third_party/heimdal/appl/gssmask/gssmask.c | 1268 + third_party/heimdal/appl/gssmask/protocol.h | 317 + third_party/heimdal/appl/kf/Makefile.am | 20 + third_party/heimdal/appl/kf/NTMakefile | 35 + third_party/heimdal/appl/kf/kf.1 | 112 + third_party/heimdal/appl/kf/kf.c | 
349 + third_party/heimdal/appl/kf/kf_locl.h | 81 + third_party/heimdal/appl/kf/kfd.8 | 85 + third_party/heimdal/appl/kf/kfd.c | 311 + third_party/heimdal/appl/otp/ChangeLog | 58 + third_party/heimdal/appl/otp/Makefile.am | 15 + third_party/heimdal/appl/otp/NTMakefile | 35 + third_party/heimdal/appl/otp/otp.1 | 90 + third_party/heimdal/appl/otp/otp.c | 371 + third_party/heimdal/appl/otp/otp_locl.h | 56 + third_party/heimdal/appl/otp/otpprint.1 | 82 + third_party/heimdal/appl/otp/otpprint.c | 136 + third_party/heimdal/appl/test/Makefile.am | 46 + third_party/heimdal/appl/test/NTMakefile | 35 + third_party/heimdal/appl/test/common.c | 180 + third_party/heimdal/appl/test/gss_common.c | 154 + third_party/heimdal/appl/test/gss_common.h | 49 + third_party/heimdal/appl/test/gssapi_client.c | 307 + third_party/heimdal/appl/test/gssapi_server.c | 401 + third_party/heimdal/appl/test/http_client.c | 513 + third_party/heimdal/appl/test/jgssapi_server.java | 148 + third_party/heimdal/appl/test/nt_gss_client.c | 167 + third_party/heimdal/appl/test/nt_gss_common.c | 135 + third_party/heimdal/appl/test/nt_gss_common.h | 45 + third_party/heimdal/appl/test/nt_gss_server.c | 244 + third_party/heimdal/appl/test/tcp_client.c | 132 + third_party/heimdal/appl/test/tcp_server.c | 205 + third_party/heimdal/appl/test/test_locl.h | 89 + third_party/heimdal/appl/test/uu_client.c | 192 + third_party/heimdal/appl/test/uu_server.c | 195 + third_party/heimdal/apply_heimdal.sh | 84 + third_party/heimdal/appveyor.yml | 85 + third_party/heimdal/autogen.sh | 17 + third_party/heimdal/cf/ChangeLog | 1295 + third_party/heimdal/cf/Makefile.am.common | 294 + third_party/heimdal/cf/aix.m4 | 62 + third_party/heimdal/cf/auth-modules.m4 | 45 + third_party/heimdal/cf/ax_check_sign.m4 | 54 + third_party/heimdal/cf/broken-getaddrinfo.m4 | 26 + third_party/heimdal/cf/broken-realloc.m4 | 25 + third_party/heimdal/cf/broken-snprintf.m4 | 63 + third_party/heimdal/cf/broken.m4 | 12 + third_party/heimdal/cf/broken2.m4 | 
25 + third_party/heimdal/cf/c-attribute.m4 | 28 + third_party/heimdal/cf/c-function.m4 | 33 + third_party/heimdal/cf/check-compile-et.m4 | 114 + third_party/heimdal/cf/check-compile-flag.m4 | 53 + third_party/heimdal/cf/check-getpwnam_r-posix.m4 | 74 + third_party/heimdal/cf/check-man.m4 | 57 + third_party/heimdal/cf/check-netinet-ip-and-tcp.m4 | 33 + third_party/heimdal/cf/check-type-extra.m4 | 23 + third_party/heimdal/cf/check-var.m4 | 28 + third_party/heimdal/cf/crypto.m4 | 166 + third_party/heimdal/cf/db.m4 | 268 + third_party/heimdal/cf/destdirs.m4 | 18 + third_party/heimdal/cf/dispatch.m4 | 23 + third_party/heimdal/cf/dlopen.m4 | 19 + third_party/heimdal/cf/find-func-no-libs.m4 | 9 + third_party/heimdal/cf/find-func-no-libs2.m4 | 62 + third_party/heimdal/cf/find-func.m4 | 9 + third_party/heimdal/cf/find-if-not-broken.m4 | 12 + third_party/heimdal/cf/framework-corefoundation.m4 | 28 + third_party/heimdal/cf/framework-security.m4 | 31 + third_party/heimdal/cf/have-pragma-weak.m4 | 37 + third_party/heimdal/cf/have-struct-field.m4 | 21 + third_party/heimdal/cf/have-type.m4 | 30 + third_party/heimdal/cf/have-types.m4 | 12 + third_party/heimdal/cf/install-catman.sh | 74 + third_party/heimdal/cf/irix.m4 | 15 + third_party/heimdal/cf/krb-bigendian.m4 | 62 + third_party/heimdal/cf/krb-func-getlogin.m4 | 32 + third_party/heimdal/cf/krb-ipv6.m4 | 154 + third_party/heimdal/cf/krb-prog-ln-s.m4 | 28 + third_party/heimdal/cf/krb-prog-perl.m4 | 21 + third_party/heimdal/cf/krb-prog-ranlib.m4 | 8 + third_party/heimdal/cf/krb-prog-yacc.m4 | 18 + third_party/heimdal/cf/krb-readline.m4 | 28 + third_party/heimdal/cf/krb-struct-spwd.m4 | 21 + third_party/heimdal/cf/krb-struct-winsize.m4 | 25 + third_party/heimdal/cf/krb-sys-aix.m4 | 15 + third_party/heimdal/cf/krb-sys-nextstep.m4 | 18 + third_party/heimdal/cf/largefile.m4 | 16 + third_party/heimdal/cf/make-proto.pl | 528 + third_party/heimdal/cf/maybe-valgrind.sh | 68 + third_party/heimdal/cf/mips-abi.m4 | 87 + 
third_party/heimdal/cf/misc.m4 | 15 + third_party/heimdal/cf/need-proto.m4 | 22 + third_party/heimdal/cf/osfc2.m4 | 14 + third_party/heimdal/cf/otp.m4 | 27 + third_party/heimdal/cf/pkg.m4 | 157 + third_party/heimdal/cf/proto-compat.m4 | 21 + third_party/heimdal/cf/pthreads.m4 | 117 + third_party/heimdal/cf/resolv.m4 | 118 + third_party/heimdal/cf/retsigtype.m4 | 18 + third_party/heimdal/cf/roken-frag.m4 | 766 + third_party/heimdal/cf/roken-h-process.pl | 184 + third_party/heimdal/cf/roken.m4 | 64 + third_party/heimdal/cf/socket-wrapper.m4 | 16 + third_party/heimdal/cf/sunos.m4 | 29 + third_party/heimdal/cf/symbol-version.py | 85 + third_party/heimdal/cf/telnet.m4 | 75 + third_party/heimdal/cf/test-package.m4 | 135 + third_party/heimdal/cf/valgrind-suppressions | 168 + third_party/heimdal/cf/vararray.m4 | 16 + third_party/heimdal/cf/version-script.m4 | 39 + .../heimdal/cf/w32-check-exported-symbols.pl | 129 + third_party/heimdal/cf/w32-def-from-dll.pl | 212 + third_party/heimdal/cf/w32-detect-vc-version.pl | 49 + third_party/heimdal/cf/w32-hh-toc-from-info.pl | 124 + .../heimdal/cf/w32-list-externs-from-objs.pl | 114 + third_party/heimdal/cf/wflags.m4 | 33 + third_party/heimdal/cf/win32.m4 | 16 + third_party/heimdal/cf/with-all.m4 | 42 + third_party/heimdal/configure.ac | 818 + third_party/heimdal/doc/Makefile.am | 163 + third_party/heimdal/doc/NTMakefile | 126 + third_party/heimdal/doc/ack.texi | 124 + third_party/heimdal/doc/apps.texi | 270 + third_party/heimdal/doc/base.din | 15 + third_party/heimdal/doc/base.hhp | 8 + third_party/heimdal/doc/copyright.texi | 521 + third_party/heimdal/doc/doxytmpl.dxy | 248 + third_party/heimdal/doc/footer.html | 4 + third_party/heimdal/doc/gssapi.din | 16 + third_party/heimdal/doc/hcrypto.din | 16 + third_party/heimdal/doc/hdb.din | 15 + third_party/heimdal/doc/header.html | 10 + third_party/heimdal/doc/heimdal.css | 53 + third_party/heimdal/doc/heimdal.hhp | 8 + third_party/heimdal/doc/heimdal.texi | 153 + 
third_party/heimdal/doc/hx509.din | 15 + third_party/heimdal/doc/hx509.hhp | 8 + third_party/heimdal/doc/hx509.texi | 786 + third_party/heimdal/doc/init-creds | 374 + third_party/heimdal/doc/install.texi | 8 + third_party/heimdal/doc/intro.texi | 98 + third_party/heimdal/doc/kerberos4.texi | 173 + third_party/heimdal/doc/krb5.din | 16 + third_party/heimdal/doc/latin1.tex | 95 + third_party/heimdal/doc/layman.asc | 1855 + third_party/heimdal/doc/mdate-sh | 92 + third_party/heimdal/doc/migration.texi | 73 + third_party/heimdal/doc/misc.texi | 58 + third_party/heimdal/doc/ntlm.din | 16 + third_party/heimdal/doc/programming.texi | 7 + third_party/heimdal/doc/setup.texi | 1784 + third_party/heimdal/doc/vars.tin | 8 + third_party/heimdal/doc/whatis.texi | 214 + third_party/heimdal/doc/win2k.texi | 315 + third_party/heimdal/doc/wind.din | 15 + third_party/heimdal/etc/Makefile.am | 5 + third_party/heimdal/etc/NTMakefile | 35 + third_party/heimdal/etc/services.append | 29 + third_party/heimdal/import-lorikeet.sh | 151 + third_party/heimdal/include/Makefile.am | 148 + third_party/heimdal/include/NTMakefile | 122 + third_party/heimdal/include/bits.c | 329 + third_party/heimdal/include/config.h.w32 | 1494 + third_party/heimdal/include/crypto-headers.h | 25 + third_party/heimdal/include/gssapi/Makefile.am | 7 + third_party/heimdal/include/gssapi/NTMakefile | 34 + third_party/heimdal/include/hcrypto/Makefile.am | 31 + third_party/heimdal/include/hcrypto/NTMakefile | 34 + third_party/heimdal/include/heim_threads.h | 370 + third_party/heimdal/include/heimqueue.h | 270 + third_party/heimdal/include/kadm5/Makefile.am | 8 + third_party/heimdal/include/kadm5/NTMakefile | 34 + third_party/heimdal/include/krb5-types.cross | 67 + third_party/heimdal/kadmin/ChangeLog | 1048 + third_party/heimdal/kadmin/Makefile.am | 98 + third_party/heimdal/kadmin/NTMakefile | 135 + third_party/heimdal/kadmin/add-random-users.c | 184 + third_party/heimdal/kadmin/add_enctype.c | 171 + 
third_party/heimdal/kadmin/ank.c | 525 + third_party/heimdal/kadmin/check.c | 264 + third_party/heimdal/kadmin/cpw.c | 215 + third_party/heimdal/kadmin/del.c | 215 + third_party/heimdal/kadmin/del_enctype.c | 132 + third_party/heimdal/kadmin/dump.c | 87 + third_party/heimdal/kadmin/ext.c | 215 + third_party/heimdal/kadmin/get.c | 642 + third_party/heimdal/kadmin/init.c | 351 + third_party/heimdal/kadmin/kadm_conn.c | 301 + third_party/heimdal/kadmin/kadmin-commands.in | 728 + third_party/heimdal/kadmin/kadmin-version.rc | 36 + third_party/heimdal/kadmin/kadmin.1 | 624 + third_party/heimdal/kadmin/kadmin.c | 309 + third_party/heimdal/kadmin/kadmin_locl.h | 167 + third_party/heimdal/kadmin/kadmind-version.rc | 36 + third_party/heimdal/kadmin/kadmind.8 | 194 + third_party/heimdal/kadmin/kadmind.c | 222 + third_party/heimdal/kadmin/load.c | 650 + third_party/heimdal/kadmin/mod.c | 826 + third_party/heimdal/kadmin/prune.c | 63 + third_party/heimdal/kadmin/pw_quality.c | 60 + third_party/heimdal/kadmin/random_password.c | 162 + third_party/heimdal/kadmin/rename.c | 61 + third_party/heimdal/kadmin/rpc.c | 1151 + third_party/heimdal/kadmin/server.c | 885 + third_party/heimdal/kadmin/stash.c | 162 + third_party/heimdal/kadmin/test_util.c | 90 + third_party/heimdal/kadmin/util.c | 762 + third_party/heimdal/kcm/Makefile.am | 45 + third_party/heimdal/kcm/NTMakefile | 35 + third_party/heimdal/kcm/acl.c | 201 + third_party/heimdal/kcm/acquire.c | 149 + third_party/heimdal/kcm/cache.c | 678 + third_party/heimdal/kcm/client.c | 223 + third_party/heimdal/kcm/config.c | 402 + third_party/heimdal/kcm/connect.c | 84 + third_party/heimdal/kcm/events.c | 444 + third_party/heimdal/kcm/glue.c | 303 + third_party/heimdal/kcm/headers.h | 90 + third_party/heimdal/kcm/kcm.8 | 168 + third_party/heimdal/kcm/kcm_locl.h | 185 + third_party/heimdal/kcm/log.c | 85 + third_party/heimdal/kcm/main.c | 123 + third_party/heimdal/kcm/protocol.c | 1814 + third_party/heimdal/kcm/renew.c | 133 + 
third_party/heimdal/kcm/sessions.c | 83 + third_party/heimdal/kdc/Makefile.am | 259 + third_party/heimdal/kdc/NTMakefile | 167 + .../heimdal/kdc/altsecid_gss_preauth_authorizer.c | 541 + third_party/heimdal/kdc/announce.c | 544 + third_party/heimdal/kdc/bx509d.8 | 283 + third_party/heimdal/kdc/bx509d.c | 2259 + third_party/heimdal/kdc/ca.c | 133 + third_party/heimdal/kdc/cjwt_token_validator.c | 343 + third_party/heimdal/kdc/config.c | 317 + third_party/heimdal/kdc/connect.c | 1319 + third_party/heimdal/kdc/csr_authorizer.c | 91 + third_party/heimdal/kdc/csr_authorizer_plugin.h | 74 + third_party/heimdal/kdc/default_config.c | 438 + third_party/heimdal/kdc/digest-service.c | 291 + third_party/heimdal/kdc/digest.c | 1520 + third_party/heimdal/kdc/fast.c | 911 + third_party/heimdal/kdc/gss_preauth.c | 1034 + .../heimdal/kdc/gss_preauth_authorizer_plugin.h | 75 + third_party/heimdal/kdc/headers.h | 118 + third_party/heimdal/kdc/hprop-version.rc | 36 + third_party/heimdal/kdc/hprop.8 | 130 + third_party/heimdal/kdc/hprop.c | 482 + third_party/heimdal/kdc/hprop.h | 59 + third_party/heimdal/kdc/hpropd-version.rc | 36 + third_party/heimdal/kdc/hpropd.8 | 87 + third_party/heimdal/kdc/hpropd.c | 291 + third_party/heimdal/kdc/httpkadmind.8 | 424 + third_party/heimdal/kdc/httpkadmind.c | 2341 + third_party/heimdal/kdc/ipc_csr_authorizer.c | 452 + third_party/heimdal/kdc/kdc-accessors.h | 369 + third_party/heimdal/kdc/kdc-audit.h | 67 + third_party/heimdal/kdc/kdc-plugin.c | 654 + third_party/heimdal/kdc/kdc-plugin.h | 132 + third_party/heimdal/kdc/kdc-replay.c | 214 + third_party/heimdal/kdc/kdc-tester.c | 510 + third_party/heimdal/kdc/kdc-version.rc | 36 + third_party/heimdal/kdc/kdc.8 | 217 + third_party/heimdal/kdc/kdc.h | 131 + third_party/heimdal/kdc/kdc_locl.h | 257 + third_party/heimdal/kdc/kerberos5.c | 2849 + third_party/heimdal/kdc/krb5tgs.c | 2243 + third_party/heimdal/kdc/kstash-version.rc | 36 + third_party/heimdal/kdc/kstash.8 | 92 + 
third_party/heimdal/kdc/kstash.c | 189 + third_party/heimdal/kdc/kx509.c | 1080 + third_party/heimdal/kdc/libkdc-exports.def | 100 + third_party/heimdal/kdc/libkdc-version.rc | 36 + third_party/heimdal/kdc/log.c | 110 + third_party/heimdal/kdc/main.c | 181 + third_party/heimdal/kdc/misc.c | 357 + third_party/heimdal/kdc/mit_dump.c | 227 + third_party/heimdal/kdc/mssfu.c | 567 + .../heimdal/kdc/negotiate_token_validator.c | 323 + third_party/heimdal/kdc/pkinit-ec.c | 318 + third_party/heimdal/kdc/pkinit.c | 2036 + third_party/heimdal/kdc/process.c | 583 + third_party/heimdal/kdc/set_dbinfo.c | 113 + third_party/heimdal/kdc/simple_csr_authorizer.c | 343 + third_party/heimdal/kdc/string2key-version.rc | 36 + third_party/heimdal/kdc/string2key.8 | 85 + third_party/heimdal/kdc/string2key.c | 189 + third_party/heimdal/kdc/test_csr_authorizer.c | 106 + third_party/heimdal/kdc/test_kdc_ca.c | 178 + third_party/heimdal/kdc/test_token_validator.c | 121 + third_party/heimdal/kdc/token_validator.c | 122 + third_party/heimdal/kdc/token_validator_plugin.h | 83 + third_party/heimdal/kdc/version-script.map | 106 + third_party/heimdal/kpasswd/Makefile.am | 30 + third_party/heimdal/kpasswd/NTMakefile | 51 + third_party/heimdal/kpasswd/kpasswd-generator.c | 216 + third_party/heimdal/kpasswd/kpasswd.1 | 68 + third_party/heimdal/kpasswd/kpasswd.c | 249 + third_party/heimdal/kpasswd/kpasswd_locl.h | 105 + third_party/heimdal/kpasswd/kpasswdd.8 | 110 + third_party/heimdal/kpasswd/kpasswdd.c | 905 + third_party/heimdal/krb5.conf | 16 + third_party/heimdal/kuser/Makefile.am | 103 + third_party/heimdal/kuser/NTMakefile | 139 + third_party/heimdal/kuser/copy_cred_cache.1 | 96 + third_party/heimdal/kuser/copy_cred_cache.c | 164 + third_party/heimdal/kuser/generate-requests.c | 146 + third_party/heimdal/kuser/heimtools-commands.in | 304 + third_party/heimdal/kuser/heimtools-version.rc | 36 + third_party/heimdal/kuser/heimtools.c | 165 + third_party/heimdal/kuser/kcpytkt.c | 178 + 
third_party/heimdal/kuser/kdecode_ticket.c | 161 + third_party/heimdal/kuser/kdeltkt.c | 172 + third_party/heimdal/kuser/kdestroy-version.rc | 36 + third_party/heimdal/kuser/kdestroy.1 | 75 + third_party/heimdal/kuser/kdestroy.c | 172 + third_party/heimdal/kuser/kdigest-commands.in | 280 + third_party/heimdal/kuser/kdigest-version.rc | 36 + third_party/heimdal/kuser/kdigest.8 | 257 + third_party/heimdal/kuser/kdigest.c | 572 + third_party/heimdal/kuser/kgetcred-version.rc | 36 + third_party/heimdal/kuser/kgetcred.1 | 188 + third_party/heimdal/kuser/kgetcred.c | 371 + third_party/heimdal/kuser/kimpersonate-version.rc | 36 + third_party/heimdal/kuser/kimpersonate.8 | 130 + third_party/heimdal/kuser/kimpersonate.c | 395 + third_party/heimdal/kuser/kinit-version.rc | 36 + third_party/heimdal/kuser/kinit.1 | 298 + third_party/heimdal/kuser/kinit.c | 1919 + third_party/heimdal/kuser/klist.1 | 135 + third_party/heimdal/kuser/klist.c | 690 + third_party/heimdal/kuser/kswitch.1 | 85 + third_party/heimdal/kuser/kswitch.c | 179 + third_party/heimdal/kuser/kuser_locl.h | 117 + third_party/heimdal/kuser/kverify.c | 130 + third_party/heimdal/kuser/kvno.c | 278 + third_party/heimdal/kuser/kx509.1 | 133 + third_party/heimdal/kuser/kx509.c | 303 + third_party/heimdal/lib/Makefile.am | 50 + third_party/heimdal/lib/NTMakefile | 79 + third_party/heimdal/lib/asn1/ChangeLog | 1665 + third_party/heimdal/lib/asn1/MANUAL.md | 1287 + third_party/heimdal/lib/asn1/Makefile.am | 567 + third_party/heimdal/lib/asn1/NTMakefile | 548 + third_party/heimdal/lib/asn1/README-X681.md | 1124 + third_party/heimdal/lib/asn1/README-template.md | 278 + third_party/heimdal/lib/asn1/README.md | 1327 + third_party/heimdal/lib/asn1/asn1-common.h | 90 + third_party/heimdal/lib/asn1/asn1-template.h | 305 + .../heimdal/lib/asn1/asn1_compile-version.rc | 36 + third_party/heimdal/lib/asn1/asn1_compile.1 | 350 + third_party/heimdal/lib/asn1/asn1_err.et | 29 + third_party/heimdal/lib/asn1/asn1_gen.c | 187 + 
third_party/heimdal/lib/asn1/asn1_print.1 | 135 + third_party/heimdal/lib/asn1/asn1_print.c | 692 + third_party/heimdal/lib/asn1/asn1parse.y | 2034 + third_party/heimdal/lib/asn1/canthandle.asn1 | 15 + third_party/heimdal/lib/asn1/check-ber.c | 280 + third_party/heimdal/lib/asn1/check-common.c | 422 + third_party/heimdal/lib/asn1/check-common.h | 92 + third_party/heimdal/lib/asn1/check-der.c | 1210 + third_party/heimdal/lib/asn1/check-gen.c | 2685 + third_party/heimdal/lib/asn1/check-gen.h | 9 + third_party/heimdal/lib/asn1/check-template.c | 532 + third_party/heimdal/lib/asn1/check-timegm.c | 81 + third_party/heimdal/lib/asn1/cms.asn1 | 149 + third_party/heimdal/lib/asn1/cms.opt | 2 + third_party/heimdal/lib/asn1/crmf.asn1 | 110 + third_party/heimdal/lib/asn1/crmf.opt | 0 third_party/heimdal/lib/asn1/der.c | 142 + third_party/heimdal/lib/asn1/der.h | 107 + third_party/heimdal/lib/asn1/der_cmp.c | 159 + third_party/heimdal/lib/asn1/der_copy.c | 245 + third_party/heimdal/lib/asn1/der_format.c | 170 + third_party/heimdal/lib/asn1/der_free.c | 156 + third_party/heimdal/lib/asn1/der_get.c | 798 + third_party/heimdal/lib/asn1/der_length.c | 305 + third_party/heimdal/lib/asn1/der_locl.h | 63 + third_party/heimdal/lib/asn1/der_print.c | 229 + third_party/heimdal/lib/asn1/der_put.c | 705 + third_party/heimdal/lib/asn1/digest.asn1 | 179 + third_party/heimdal/lib/asn1/extra.c | 285 + .../heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq | Bin 0 -> 55 bytes .../heimdal/lib/asn1/fuzz-inputs/minimal-ek.crt | Bin 0 -> 643 bytes .../heimdal/lib/asn1/fuzz-inputs/x690sample.der | 5 + third_party/heimdal/lib/asn1/fuzzer.c | 742 + third_party/heimdal/lib/asn1/gen.c | 2016 + third_party/heimdal/lib/asn1/gen_copy.c | 290 + third_party/heimdal/lib/asn1/gen_decode.c | 841 + third_party/heimdal/lib/asn1/gen_encode.c | 747 + third_party/heimdal/lib/asn1/gen_free.c | 240 + third_party/heimdal/lib/asn1/gen_glue.c | 162 + third_party/heimdal/lib/asn1/gen_length.c | 309 + 
third_party/heimdal/lib/asn1/gen_locl.h | 192 + third_party/heimdal/lib/asn1/gen_print.c | 43 + third_party/heimdal/lib/asn1/gen_seq.c | 127 + third_party/heimdal/lib/asn1/gen_template.c | 1675 + third_party/heimdal/lib/asn1/hash.c | 206 + third_party/heimdal/lib/asn1/hash.h | 87 + third_party/heimdal/lib/asn1/heim_asn1.h | 71 + third_party/heimdal/lib/asn1/krb5.asn1 | 1052 + third_party/heimdal/lib/asn1/krb5.opt | 9 + third_party/heimdal/lib/asn1/kx509.asn1 | 204 + third_party/heimdal/lib/asn1/lex.h | 42 + third_party/heimdal/lib/asn1/lex.l | 310 + third_party/heimdal/lib/asn1/libasn1-exports.def | 2649 + third_party/heimdal/lib/asn1/main.c | 487 + third_party/heimdal/lib/asn1/ocsp.asn1 | 113 + third_party/heimdal/lib/asn1/ocsp.opt | 2 + third_party/heimdal/lib/asn1/oid_resolution.c | 341 + third_party/heimdal/lib/asn1/pkcs10.asn1 | 64 + third_party/heimdal/lib/asn1/pkcs10.opt | 1 + third_party/heimdal/lib/asn1/pkcs12.asn1 | 81 + third_party/heimdal/lib/asn1/pkcs8.asn1 | 29 + third_party/heimdal/lib/asn1/pkcs9.asn1 | 29 + third_party/heimdal/lib/asn1/pkinit.asn1 | 200 + third_party/heimdal/lib/asn1/pku2u.asn1 | 30 + third_party/heimdal/lib/asn1/rfc2459.asn1 | 1210 + third_party/heimdal/lib/asn1/rfc2459.opt | 12 + third_party/heimdal/lib/asn1/rfc4108.asn1 | 207 + third_party/heimdal/lib/asn1/roken_rename.h | 46 + third_party/heimdal/lib/asn1/setchgpw2.asn1 | 193 + third_party/heimdal/lib/asn1/symbol.c | 173 + third_party/heimdal/lib/asn1/symbol.h | 265 + third_party/heimdal/lib/asn1/tcg.asn1 | 42 + third_party/heimdal/lib/asn1/template.c | 3075 + third_party/heimdal/lib/asn1/test.asn1 | 309 + third_party/heimdal/lib/asn1/test.gen | 14 + third_party/heimdal/lib/asn1/test.opt | 7 + third_party/heimdal/lib/asn1/timegm.c | 136 + third_party/heimdal/lib/asn1/version-script.map | 6 + third_party/heimdal/lib/asn1/x690sample.asn1 | 181 + third_party/heimdal/lib/base/Makefile.am | 95 + third_party/heimdal/lib/base/NTMakefile | 134 + third_party/heimdal/lib/base/array.c | 
478 + third_party/heimdal/lib/base/baselocl.h | 98 + third_party/heimdal/lib/base/bool.c | 59 + third_party/heimdal/lib/base/bsearch.c | 888 + third_party/heimdal/lib/base/common_plugin.h | 105 + third_party/heimdal/lib/base/config_file.c | 1458 + third_party/heimdal/lib/base/config_reg.c | 658 + third_party/heimdal/lib/base/context.c | 394 + third_party/heimdal/lib/base/data.c | 166 + third_party/heimdal/lib/base/db.c | 1721 + third_party/heimdal/lib/base/dict.c | 305 + third_party/heimdal/lib/base/dll.c | 325 + third_party/heimdal/lib/base/error.c | 178 + third_party/heimdal/lib/base/error_string.c | 177 + third_party/heimdal/lib/base/expand_path.c | 725 + third_party/heimdal/lib/base/heim_err.et | 57 + third_party/heimdal/lib/base/heimbase-atomics.h | 255 + third_party/heimdal/lib/base/heimbase-svc.h | 83 + third_party/heimdal/lib/base/heimbase.c | 1081 + third_party/heimdal/lib/base/heimbase.h | 527 + third_party/heimdal/lib/base/heimbasepriv.h | 115 + third_party/heimdal/lib/base/json.c | 811 + third_party/heimdal/lib/base/log.c | 1074 + third_party/heimdal/lib/base/null.c | 53 + third_party/heimdal/lib/base/number.c | 136 + third_party/heimdal/lib/base/plugin.c | 785 + third_party/heimdal/lib/base/roken_rename.h | 61 + third_party/heimdal/lib/base/string.c | 260 + third_party/heimdal/lib/base/test_base.c | 962 + third_party/heimdal/lib/base/version-script.map | 208 + third_party/heimdal/lib/base/warn.c | 169 + third_party/heimdal/lib/com_err/ChangeLog | 235 + third_party/heimdal/lib/com_err/Makefile.am | 50 + third_party/heimdal/lib/com_err/NTMakefile | 91 + third_party/heimdal/lib/com_err/com_err.3 | 246 + third_party/heimdal/lib/com_err/com_err.c | 172 + third_party/heimdal/lib/com_err/com_err.h | 76 + third_party/heimdal/lib/com_err/com_right.h | 87 + .../heimdal/lib/com_err/compile_et-version.rc | 36 + third_party/heimdal/lib/com_err/compile_et.c | 243 + third_party/heimdal/lib/com_err/compile_et.h | 78 + third_party/heimdal/lib/com_err/error.c | 114 + 
third_party/heimdal/lib/com_err/lex.h | 39 + third_party/heimdal/lib/com_err/lex.l | 123 + .../heimdal/lib/com_err/libcom_err-exports.def | 14 + .../heimdal/lib/com_err/libcom_err-version.rc | 36 + third_party/heimdal/lib/com_err/parse.y | 175 + third_party/heimdal/lib/com_err/roken_rename.h | 62 + third_party/heimdal/lib/com_err/version-script.map | 20 + third_party/heimdal/lib/gss_preauth/Makefile.am | 25 + third_party/heimdal/lib/gss_preauth/NTMakefile | 70 + third_party/heimdal/lib/gss_preauth/README.md | 110 + third_party/heimdal/lib/gss_preauth/pa_client.c | 252 + third_party/heimdal/lib/gss_preauth/pa_common.c | 255 + third_party/heimdal/lib/gssapi/ChangeLog | 2970 + third_party/heimdal/lib/gssapi/Makefile.am | 468 + third_party/heimdal/lib/gssapi/NTMakefile | 747 + third_party/heimdal/lib/gssapi/gen-oid.pl | 149 + third_party/heimdal/lib/gssapi/gss-commands.in | 61 + third_party/heimdal/lib/gssapi/gss-token.1 | 108 + third_party/heimdal/lib/gssapi/gss-token.c | 678 + third_party/heimdal/lib/gssapi/gss_acquire_cred.3 | 688 + third_party/heimdal/lib/gssapi/gssapi.3 | 172 + third_party/heimdal/lib/gssapi/gssapi.h | 41 + third_party/heimdal/lib/gssapi/gssapi/gssapi.h | 1281 + .../heimdal/lib/gssapi/gssapi/gssapi_krb5.h | 225 + .../heimdal/lib/gssapi/gssapi/gssapi_netlogon.h | 50 + .../heimdal/lib/gssapi/gssapi/gssapi_ntlm.h | 41 + third_party/heimdal/lib/gssapi/gssapi/gssapi_oid.h | 262 + .../heimdal/lib/gssapi/gssapi/gssapi_spnego.h | 87 + third_party/heimdal/lib/gssapi/gssapi_mech.h | 725 + third_party/heimdal/lib/gssapi/gsstool.c | 264 + third_party/heimdal/lib/gssapi/krb5/8003.c | 313 + .../heimdal/lib/gssapi/krb5/accept_sec_context.c | 978 + third_party/heimdal/lib/gssapi/krb5/acquire_cred.c | 686 + third_party/heimdal/lib/gssapi/krb5/add_cred.c | 254 + .../heimdal/lib/gssapi/krb5/address_to_krb5addr.c | 77 + third_party/heimdal/lib/gssapi/krb5/aeap.c | 178 + third_party/heimdal/lib/gssapi/krb5/arcfour.c | 1391 + 
.../heimdal/lib/gssapi/krb5/authorize_localname.c | 66 + .../heimdal/lib/gssapi/krb5/canonicalize_name.c | 58 + third_party/heimdal/lib/gssapi/krb5/ccache_name.c | 78 + third_party/heimdal/lib/gssapi/krb5/cfx.c | 1797 + third_party/heimdal/lib/gssapi/krb5/cfx.h | 65 + third_party/heimdal/lib/gssapi/krb5/compare_name.c | 53 + third_party/heimdal/lib/gssapi/krb5/compat.c | 125 + third_party/heimdal/lib/gssapi/krb5/context_time.c | 94 + third_party/heimdal/lib/gssapi/krb5/copy_ccache.c | 200 + third_party/heimdal/lib/gssapi/krb5/creds.c | 276 + third_party/heimdal/lib/gssapi/krb5/decapsulate.c | 216 + .../heimdal/lib/gssapi/krb5/delete_sec_context.c | 86 + third_party/heimdal/lib/gssapi/krb5/display_name.c | 72 + .../heimdal/lib/gssapi/krb5/display_status.c | 198 + .../heimdal/lib/gssapi/krb5/duplicate_cred.c | 168 + .../heimdal/lib/gssapi/krb5/duplicate_name.c | 58 + third_party/heimdal/lib/gssapi/krb5/encapsulate.c | 153 + third_party/heimdal/lib/gssapi/krb5/export_name.c | 92 + .../heimdal/lib/gssapi/krb5/export_sec_context.c | 257 + third_party/heimdal/lib/gssapi/krb5/external.c | 413 + third_party/heimdal/lib/gssapi/krb5/get_mic.c | 330 + third_party/heimdal/lib/gssapi/krb5/gkrb5_err.et | 33 + third_party/heimdal/lib/gssapi/krb5/gsskrb5_locl.h | 153 + third_party/heimdal/lib/gssapi/krb5/import_name.c | 294 + .../heimdal/lib/gssapi/krb5/import_sec_context.c | 221 + .../heimdal/lib/gssapi/krb5/indicate_mechs.c | 55 + third_party/heimdal/lib/gssapi/krb5/init.c | 82 + .../heimdal/lib/gssapi/krb5/init_sec_context.c | 1021 + .../heimdal/lib/gssapi/krb5/inquire_context.c | 110 + third_party/heimdal/lib/gssapi/krb5/inquire_cred.c | 225 + .../heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c | 78 + .../heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c | 81 + .../lib/gssapi/krb5/inquire_mechs_for_name.c | 55 + .../lib/gssapi/krb5/inquire_names_for_mech.c | 77 + .../lib/gssapi/krb5/inquire_sec_context_by_oid.c | 598 + third_party/heimdal/lib/gssapi/krb5/name_attrs.c | 1171 + 
third_party/heimdal/lib/gssapi/krb5/pname_to_uid.c | 70 + third_party/heimdal/lib/gssapi/krb5/prf.c | 148 + .../lib/gssapi/krb5/process_context_token.c | 66 + .../heimdal/lib/gssapi/krb5/release_buffer.c | 46 + third_party/heimdal/lib/gssapi/krb5/release_cred.c | 77 + third_party/heimdal/lib/gssapi/krb5/release_name.c | 53 + third_party/heimdal/lib/gssapi/krb5/sequence.c | 292 + .../heimdal/lib/gssapi/krb5/set_cred_option.c | 249 + .../lib/gssapi/krb5/set_sec_context_option.c | 353 + third_party/heimdal/lib/gssapi/krb5/store_cred.c | 372 + .../heimdal/lib/gssapi/krb5/test_acquire_cred.c | 187 + third_party/heimdal/lib/gssapi/krb5/test_cfx.c | 173 + third_party/heimdal/lib/gssapi/krb5/test_cred.c | 277 + third_party/heimdal/lib/gssapi/krb5/test_kcred.c | 155 + third_party/heimdal/lib/gssapi/krb5/test_oid.c | 51 + .../heimdal/lib/gssapi/krb5/test_sequence.c | 367 + third_party/heimdal/lib/gssapi/krb5/ticket_flags.c | 58 + third_party/heimdal/lib/gssapi/krb5/unwrap.c | 468 + third_party/heimdal/lib/gssapi/krb5/verify_mic.c | 360 + third_party/heimdal/lib/gssapi/krb5/wrap.c | 592 + .../heimdal/lib/gssapi/libgssapi-exports.def | 203 + .../heimdal/lib/gssapi/libgssapi-version.rc | 36 + third_party/heimdal/lib/gssapi/mech/compat.h | 94 + third_party/heimdal/lib/gssapi/mech/context.c | 361 + third_party/heimdal/lib/gssapi/mech/context.h | 51 + third_party/heimdal/lib/gssapi/mech/cred.c | 81 + third_party/heimdal/lib/gssapi/mech/cred.h | 65 + third_party/heimdal/lib/gssapi/mech/doxygen.c | 133 + .../lib/gssapi/mech/gss_accept_sec_context.c | 519 + .../heimdal/lib/gssapi/mech/gss_acquire_cred.c | 50 + .../lib/gssapi/mech/gss_acquire_cred_from.c | 302 + .../mech/gss_acquire_cred_impersonate_name.c | 51 + .../gssapi/mech/gss_acquire_cred_with_password.c | 85 + third_party/heimdal/lib/gssapi/mech/gss_add_cred.c | 58 + .../heimdal/lib/gssapi/mech/gss_add_cred_from.c | 292 + .../lib/gssapi/mech/gss_add_cred_with_password.c | 88 + .../lib/gssapi/mech/gss_add_oid_set_member.c | 87 
+ third_party/heimdal/lib/gssapi/mech/gss_aeap.c | 334 + .../lib/gssapi/mech/gss_authorize_localname.c | 187 + .../heimdal/lib/gssapi/mech/gss_buffer_set.c | 124 + .../lib/gssapi/mech/gss_canonicalize_name.c | 104 + .../heimdal/lib/gssapi/mech/gss_compare_name.c | 102 + .../heimdal/lib/gssapi/mech/gss_context_time.c | 40 + .../lib/gssapi/mech/gss_create_empty_oid_set.c | 51 + third_party/heimdal/lib/gssapi/mech/gss_cred.c | 326 + .../lib/gssapi/mech/gss_decapsulate_token.c | 72 + .../lib/gssapi/mech/gss_delete_name_attribute.c | 65 + .../lib/gssapi/mech/gss_delete_sec_context.c | 62 + .../heimdal/lib/gssapi/mech/gss_destroy_cred.c | 74 + .../heimdal/lib/gssapi/mech/gss_display_name.c | 82 + .../heimdal/lib/gssapi/mech/gss_display_name_ext.c | 68 + .../heimdal/lib/gssapi/mech/gss_display_status.c | 227 + .../heimdal/lib/gssapi/mech/gss_duplicate_cred.c | 153 + .../heimdal/lib/gssapi/mech/gss_duplicate_name.c | 93 + .../heimdal/lib/gssapi/mech/gss_duplicate_oid.c | 51 + .../lib/gssapi/mech/gss_duplicate_oid_set.c | 57 + .../lib/gssapi/mech/gss_encapsulate_token.c | 66 + .../heimdal/lib/gssapi/mech/gss_export_name.c | 113 + .../lib/gssapi/mech/gss_export_name_composite.c | 66 + .../lib/gssapi/mech/gss_export_sec_context.c | 147 + third_party/heimdal/lib/gssapi/mech/gss_get_mic.c | 51 + .../lib/gssapi/mech/gss_get_name_attribute.c | 83 + .../heimdal/lib/gssapi/mech/gss_get_neg_mechs.c | 54 + .../heimdal/lib/gssapi/mech/gss_import_name.c | 323 + .../lib/gssapi/mech/gss_import_sec_context.c | 147 + .../heimdal/lib/gssapi/mech/gss_indicate_mechs.c | 74 + .../heimdal/lib/gssapi/mech/gss_init_sec_context.c | 281 + .../heimdal/lib/gssapi/mech/gss_inquire_context.c | 120 + .../heimdal/lib/gssapi/mech/gss_inquire_cred.c | 218 + .../lib/gssapi/mech/gss_inquire_cred_by_mech.c | 92 + .../lib/gssapi/mech/gss_inquire_cred_by_oid.c | 90 + .../lib/gssapi/mech/gss_inquire_mechs_for_name.c | 76 + .../heimdal/lib/gssapi/mech/gss_inquire_name.c | 79 + 
.../lib/gssapi/mech/gss_inquire_names_for_mech.c | 73 + .../gssapi/mech/gss_inquire_sec_context_by_oid.c | 70 + third_party/heimdal/lib/gssapi/mech/gss_krb5.c | 927 + .../heimdal/lib/gssapi/mech/gss_mech_switch.c | 585 + third_party/heimdal/lib/gssapi/mech/gss_mo.c | 636 + third_party/heimdal/lib/gssapi/mech/gss_names.c | 262 + third_party/heimdal/lib/gssapi/mech/gss_oid.c | 370 + .../heimdal/lib/gssapi/mech/gss_oid_equal.c | 58 + .../heimdal/lib/gssapi/mech/gss_oid_to_str.c | 67 + .../heimdal/lib/gssapi/mech/gss_pname_to_uid.c | 197 + .../lib/gssapi/mech/gss_process_context_token.c | 41 + .../heimdal/lib/gssapi/mech/gss_pseudo_random.c | 70 + .../heimdal/lib/gssapi/mech/gss_release_buffer.c | 42 + .../heimdal/lib/gssapi/mech/gss_release_cred.c | 66 + .../heimdal/lib/gssapi/mech/gss_release_name.c | 63 + .../heimdal/lib/gssapi/mech/gss_release_oid.c | 46 + .../heimdal/lib/gssapi/mech/gss_release_oid_set.c | 44 + third_party/heimdal/lib/gssapi/mech/gss_rfc4121.c | 111 + third_party/heimdal/lib/gssapi/mech/gss_seal.c | 45 + .../heimdal/lib/gssapi/mech/gss_set_cred_option.c | 118 + .../lib/gssapi/mech/gss_set_name_attribute.c | 69 + .../heimdal/lib/gssapi/mech/gss_set_neg_mechs.c | 60 + .../lib/gssapi/mech/gss_set_sec_context_option.c | 102 + third_party/heimdal/lib/gssapi/mech/gss_sign.c | 41 + .../heimdal/lib/gssapi/mech/gss_store_cred.c | 57 + .../heimdal/lib/gssapi/mech/gss_store_cred_into.c | 181 + .../lib/gssapi/mech/gss_test_oid_set_member.c | 46 + third_party/heimdal/lib/gssapi/mech/gss_unseal.c | 43 + third_party/heimdal/lib/gssapi/mech/gss_unwrap.c | 56 + third_party/heimdal/lib/gssapi/mech/gss_utils.c | 324 + third_party/heimdal/lib/gssapi/mech/gss_verify.c | 42 + .../heimdal/lib/gssapi/mech/gss_verify_mic.c | 52 + third_party/heimdal/lib/gssapi/mech/gss_wrap.c | 71 + .../heimdal/lib/gssapi/mech/gss_wrap_size_limit.c | 52 + third_party/heimdal/lib/gssapi/mech/gssapi.asn1 | 12 + .../lib/gssapi/mech/gssspi_exchange_meta_data.c | 115 + 
.../lib/gssapi/mech/gssspi_query_mechanism_info.c | 55 + .../lib/gssapi/mech/gssspi_query_meta_data.c | 117 + third_party/heimdal/lib/gssapi/mech/mech.5 | 94 + third_party/heimdal/lib/gssapi/mech/mech_locl.h | 77 + third_party/heimdal/lib/gssapi/mech/mech_switch.h | 43 + third_party/heimdal/lib/gssapi/mech/name.h | 77 + third_party/heimdal/lib/gssapi/mech/utils.h | 82 + .../lib/gssapi/netlogon/accept_sec_context.c | 89 + .../heimdal/lib/gssapi/netlogon/acquire_cred.c | 186 + third_party/heimdal/lib/gssapi/netlogon/add_cred.c | 89 + .../lib/gssapi/netlogon/canonicalize_name.c | 46 + .../heimdal/lib/gssapi/netlogon/compare_name.c | 61 + .../heimdal/lib/gssapi/netlogon/context_time.c | 47 + third_party/heimdal/lib/gssapi/netlogon/crypto.c | 733 + .../lib/gssapi/netlogon/delete_sec_context.c | 62 + .../heimdal/lib/gssapi/netlogon/display_name.c | 67 + .../heimdal/lib/gssapi/netlogon/display_status.c | 55 + .../heimdal/lib/gssapi/netlogon/duplicate_cred.c | 54 + .../heimdal/lib/gssapi/netlogon/duplicate_name.c | 77 + .../heimdal/lib/gssapi/netlogon/export_name.c | 45 + .../lib/gssapi/netlogon/export_sec_context.c | 50 + third_party/heimdal/lib/gssapi/netlogon/external.c | 111 + .../heimdal/lib/gssapi/netlogon/import_name.c | 94 + .../lib/gssapi/netlogon/import_sec_context.c | 50 + .../heimdal/lib/gssapi/netlogon/indicate_mechs.c | 48 + .../heimdal/lib/gssapi/netlogon/init_sec_context.c | 289 + .../heimdal/lib/gssapi/netlogon/inquire_context.c | 76 + .../heimdal/lib/gssapi/netlogon/inquire_cred.c | 68 + .../lib/gssapi/netlogon/inquire_cred_by_mech.c | 66 + .../lib/gssapi/netlogon/inquire_mechs_for_name.c | 48 + .../lib/gssapi/netlogon/inquire_names_for_mech.c | 58 + .../heimdal/lib/gssapi/netlogon/iter_cred.c | 44 + third_party/heimdal/lib/gssapi/netlogon/netlogon.h | 150 + .../lib/gssapi/netlogon/process_context_token.c | 46 + third_party/heimdal/lib/gssapi/netlogon/regen.sh | 3 + .../heimdal/lib/gssapi/netlogon/release_cred.c | 54 + 
.../heimdal/lib/gssapi/netlogon/release_name.c | 54 + .../heimdal/lib/gssapi/ntlm/accept_sec_context.c | 256 + third_party/heimdal/lib/gssapi/ntlm/acquire_cred.c | 88 + third_party/heimdal/lib/gssapi/ntlm/add_cred.c | 60 + .../heimdal/lib/gssapi/ntlm/canonicalize_name.c | 45 + third_party/heimdal/lib/gssapi/ntlm/compare_name.c | 45 + third_party/heimdal/lib/gssapi/ntlm/context_time.c | 45 + third_party/heimdal/lib/gssapi/ntlm/creds.c | 159 + third_party/heimdal/lib/gssapi/ntlm/crypto.c | 636 + .../heimdal/lib/gssapi/ntlm/delete_sec_context.c | 69 + third_party/heimdal/lib/gssapi/ntlm/display_name.c | 71 + .../heimdal/lib/gssapi/ntlm/display_status.c | 54 + .../heimdal/lib/gssapi/ntlm/duplicate_cred.c | 57 + .../heimdal/lib/gssapi/ntlm/duplicate_name.c | 48 + third_party/heimdal/lib/gssapi/ntlm/export_name.c | 50 + .../heimdal/lib/gssapi/ntlm/export_sec_context.c | 50 + third_party/heimdal/lib/gssapi/ntlm/external.c | 140 + third_party/heimdal/lib/gssapi/ntlm/import_name.c | 112 + .../heimdal/lib/gssapi/ntlm/import_sec_context.c | 48 + .../heimdal/lib/gssapi/ntlm/indicate_mechs.c | 46 + .../heimdal/lib/gssapi/ntlm/init_sec_context.c | 536 + .../heimdal/lib/gssapi/ntlm/inquire_context.c | 68 + .../heimdal/lib/gssapi/ntlm/inquire_cred_by_mech.c | 58 + .../lib/gssapi/ntlm/inquire_mechs_for_name.c | 48 + .../lib/gssapi/ntlm/inquire_names_for_mech.c | 51 + .../lib/gssapi/ntlm/inquire_sec_context_by_oid.c | 90 + third_party/heimdal/lib/gssapi/ntlm/iter_cred.c | 99 + third_party/heimdal/lib/gssapi/ntlm/kdc.c | 435 + third_party/heimdal/lib/gssapi/ntlm/ntlm.h | 146 + .../lib/gssapi/ntlm/process_context_token.c | 44 + third_party/heimdal/lib/gssapi/ntlm/release_cred.c | 66 + third_party/heimdal/lib/gssapi/ntlm/release_name.c | 52 + .../lib/gssapi/ntlm/set_sec_context_option.c | 60 + third_party/heimdal/lib/gssapi/oid.txt | 173 + .../heimdal/lib/gssapi/sanon/accept_sec_context.c | 169 + .../heimdal/lib/gssapi/sanon/acquire_cred.c | 59 + 
third_party/heimdal/lib/gssapi/sanon/add_cred.c | 65 + .../heimdal/lib/gssapi/sanon/canonicalize_name.c | 48 + .../heimdal/lib/gssapi/sanon/compare_name.c | 54 + .../heimdal/lib/gssapi/sanon/context_time.c | 50 + third_party/heimdal/lib/gssapi/sanon/crypto.c | 333 + .../heimdal/lib/gssapi/sanon/delete_sec_context.c | 62 + .../heimdal/lib/gssapi/sanon/display_name.c | 50 + .../heimdal/lib/gssapi/sanon/display_status.c | 60 + .../heimdal/lib/gssapi/sanon/duplicate_cred.c | 43 + .../heimdal/lib/gssapi/sanon/duplicate_name.c | 43 + third_party/heimdal/lib/gssapi/sanon/export_cred.c | 40 + third_party/heimdal/lib/gssapi/sanon/export_name.c | 52 + .../heimdal/lib/gssapi/sanon/export_sec_context.c | 52 + third_party/heimdal/lib/gssapi/sanon/external.c | 270 + third_party/heimdal/lib/gssapi/sanon/import_cred.c | 42 + third_party/heimdal/lib/gssapi/sanon/import_name.c | 163 + .../heimdal/lib/gssapi/sanon/import_sec_context.c | 55 + .../heimdal/lib/gssapi/sanon/init_sec_context.c | 205 + .../heimdal/lib/gssapi/sanon/inquire_context.c | 75 + .../heimdal/lib/gssapi/sanon/inquire_cred.c | 58 + .../lib/gssapi/sanon/inquire_cred_by_mech.c | 74 + .../lib/gssapi/sanon/inquire_mechs_for_name.c | 54 + .../lib/gssapi/sanon/inquire_names_for_mech.c | 77 + .../lib/gssapi/sanon/inquire_sec_context_by_oid.c | 61 + third_party/heimdal/lib/gssapi/sanon/negoex.c | 131 + .../lib/gssapi/sanon/process_context_token.c | 42 + .../heimdal/lib/gssapi/sanon/release_cred.c | 42 + .../heimdal/lib/gssapi/sanon/release_name.c | 42 + third_party/heimdal/lib/gssapi/sanon/sanon_locl.h | 84 + .../heimdal/lib/gssapi/spnego/accept_sec_context.c | 1024 + third_party/heimdal/lib/gssapi/spnego/compat.c | 684 + .../heimdal/lib/gssapi/spnego/context_storage.c | 492 + .../heimdal/lib/gssapi/spnego/context_stubs.c | 578 + third_party/heimdal/lib/gssapi/spnego/external.c | 165 + .../heimdal/lib/gssapi/spnego/init_sec_context.c | 841 + third_party/heimdal/lib/gssapi/spnego/negoex_ctx.c | 1041 + 
.../heimdal/lib/gssapi/spnego/negoex_err.et | 25 + .../heimdal/lib/gssapi/spnego/negoex_locl.h | 127 + .../heimdal/lib/gssapi/spnego/negoex_util.c | 1042 + third_party/heimdal/lib/gssapi/spnego/spnego.asn1 | 66 + third_party/heimdal/lib/gssapi/spnego/spnego.opt | 1 + .../heimdal/lib/gssapi/spnego/spnego_locl.h | 159 + third_party/heimdal/lib/gssapi/test_acquire_cred.c | 344 + .../heimdal/lib/gssapi/test_add_store_cred.c | 219 + third_party/heimdal/lib/gssapi/test_common.c | 71 + third_party/heimdal/lib/gssapi/test_common.h | 36 + third_party/heimdal/lib/gssapi/test_context.c | 1610 + third_party/heimdal/lib/gssapi/test_cred.c | 236 + third_party/heimdal/lib/gssapi/test_kcred.c | 198 + third_party/heimdal/lib/gssapi/test_names.c | 675 + third_party/heimdal/lib/gssapi/test_negoex_mech.c | 592 + third_party/heimdal/lib/gssapi/test_ntlm.c | 337 + third_party/heimdal/lib/gssapi/test_oid.c | 71 + third_party/heimdal/lib/gssapi/version-script.map | 210 + third_party/heimdal/lib/hcrypto/ChangeLog | 1227 + third_party/heimdal/lib/hcrypto/DESperate.txt | 108 + third_party/heimdal/lib/hcrypto/Makefile.am | 427 + third_party/heimdal/lib/hcrypto/NTMakefile | 274 + third_party/heimdal/lib/hcrypto/aes.c | 142 + third_party/heimdal/lib/hcrypto/aes.h | 83 + third_party/heimdal/lib/hcrypto/bn.c | 529 + third_party/heimdal/lib/hcrypto/bn.h | 139 + third_party/heimdal/lib/hcrypto/camellia-ntt.c | 1458 + third_party/heimdal/lib/hcrypto/camellia-ntt.h | 63 + third_party/heimdal/lib/hcrypto/camellia.c | 113 + third_party/heimdal/lib/hcrypto/camellia.h | 72 + third_party/heimdal/lib/hcrypto/common.c | 65 + third_party/heimdal/lib/hcrypto/common.h | 45 + third_party/heimdal/lib/hcrypto/des-tables.h | 196 + third_party/heimdal/lib/hcrypto/des.c | 1186 + third_party/heimdal/lib/hcrypto/des.h | 146 + third_party/heimdal/lib/hcrypto/destest.c | 621 + third_party/heimdal/lib/hcrypto/dh-ltm.c | 264 + third_party/heimdal/lib/hcrypto/dh-tfm.c | 248 + third_party/heimdal/lib/hcrypto/dh.c | 551 + 
third_party/heimdal/lib/hcrypto/dh.h | 148 + third_party/heimdal/lib/hcrypto/doxygen.c | 102 + third_party/heimdal/lib/hcrypto/dsa.c | 127 + third_party/heimdal/lib/hcrypto/dsa.h | 142 + third_party/heimdal/lib/hcrypto/ec.c | 178 + third_party/heimdal/lib/hcrypto/ec.h | 97 + third_party/heimdal/lib/hcrypto/ecdh.h | 47 + third_party/heimdal/lib/hcrypto/ecdsa.h | 52 + third_party/heimdal/lib/hcrypto/engine.c | 396 + third_party/heimdal/lib/hcrypto/engine.h | 120 + third_party/heimdal/lib/hcrypto/evp-cc.c | 943 + third_party/heimdal/lib/hcrypto/evp-cc.h | 102 + third_party/heimdal/lib/hcrypto/evp-crypt.c | 217 + third_party/heimdal/lib/hcrypto/evp-hcrypto.c | 854 + third_party/heimdal/lib/hcrypto/evp-hcrypto.h | 103 + third_party/heimdal/lib/hcrypto/evp-openssl.c | 644 + third_party/heimdal/lib/hcrypto/evp-openssl.h | 102 + third_party/heimdal/lib/hcrypto/evp-pkcs11.c | 832 + third_party/heimdal/lib/hcrypto/evp-pkcs11.h | 157 + third_party/heimdal/lib/hcrypto/evp-w32.c | 140 + third_party/heimdal/lib/hcrypto/evp-w32.h | 100 + third_party/heimdal/lib/hcrypto/evp-wincng.c | 727 + third_party/heimdal/lib/hcrypto/evp-wincng.h | 97 + third_party/heimdal/lib/hcrypto/evp.c | 1521 + third_party/heimdal/lib/hcrypto/evp.h | 361 + .../heimdal/lib/hcrypto/example_evp_cipher.c | 165 + third_party/heimdal/lib/hcrypto/gen-des.pl | 217 + third_party/heimdal/lib/hcrypto/hash.h | 74 + third_party/heimdal/lib/hcrypto/hmac.c | 178 + third_party/heimdal/lib/hcrypto/hmac.h | 86 + .../heimdal/lib/hcrypto/libhcrypto-exports.def | 354 + third_party/heimdal/lib/hcrypto/libtommath/LICENSE | 26 + .../heimdal/lib/hcrypto/libtommath/NTMakefile | 203 + .../heimdal/lib/hcrypto/libtommath/README.md | 44 + .../heimdal/lib/hcrypto/libtommath/appveyor.yml | 20 + .../heimdal/lib/hcrypto/libtommath/astylerc | 30 + .../heimdal/lib/hcrypto/libtommath/bn_cutoffs.c | 14 + .../heimdal/lib/hcrypto/libtommath/bn_deprecated.c | 321 + .../heimdal/lib/hcrypto/libtommath/bn_mp_2expt.c | 31 + 
.../heimdal/lib/hcrypto/libtommath/bn_mp_abs.c | 26 + .../heimdal/lib/hcrypto/libtommath/bn_mp_add.c | 38 + .../heimdal/lib/hcrypto/libtommath/bn_mp_add_d.c | 89 + .../heimdal/lib/hcrypto/libtommath/bn_mp_addmod.c | 25 + .../heimdal/lib/hcrypto/libtommath/bn_mp_and.c | 56 + .../heimdal/lib/hcrypto/libtommath/bn_mp_clamp.c | 27 + .../heimdal/lib/hcrypto/libtommath/bn_mp_clear.c | 20 + .../lib/hcrypto/libtommath/bn_mp_clear_multi.c | 19 + .../heimdal/lib/hcrypto/libtommath/bn_mp_cmp.c | 26 + .../heimdal/lib/hcrypto/libtommath/bn_mp_cmp_d.c | 28 + .../heimdal/lib/hcrypto/libtommath/bn_mp_cmp_mag.c | 39 + .../heimdal/lib/hcrypto/libtommath/bn_mp_cnt_lsb.c | 37 + .../lib/hcrypto/libtommath/bn_mp_complement.c | 12 + .../heimdal/lib/hcrypto/libtommath/bn_mp_copy.c | 47 + .../lib/hcrypto/libtommath/bn_mp_count_bits.c | 28 + .../heimdal/lib/hcrypto/libtommath/bn_mp_decr.c | 34 + .../heimdal/lib/hcrypto/libtommath/bn_mp_div.c | 250 + .../heimdal/lib/hcrypto/libtommath/bn_mp_div_2.c | 49 + .../heimdal/lib/hcrypto/libtommath/bn_mp_div_2d.c | 71 + .../heimdal/lib/hcrypto/libtommath/bn_mp_div_3.c | 63 + .../heimdal/lib/hcrypto/libtommath/bn_mp_div_d.c | 84 + .../lib/hcrypto/libtommath/bn_mp_dr_is_modulus.c | 27 + .../lib/hcrypto/libtommath/bn_mp_dr_reduce.c | 78 + .../lib/hcrypto/libtommath/bn_mp_dr_setup.c | 15 + .../lib/hcrypto/libtommath/bn_mp_error_to_string.c | 27 + .../heimdal/lib/hcrypto/libtommath/bn_mp_exch.c | 17 + .../lib/hcrypto/libtommath/bn_mp_expt_u32.c | 46 + .../heimdal/lib/hcrypto/libtommath/bn_mp_exptmod.c | 76 + .../lib/hcrypto/libtommath/bn_mp_exteuclid.c | 73 + .../heimdal/lib/hcrypto/libtommath/bn_mp_fread.c | 60 + .../lib/hcrypto/libtommath/bn_mp_from_sbin.c | 25 + .../lib/hcrypto/libtommath/bn_mp_from_ubin.c | 39 + .../heimdal/lib/hcrypto/libtommath/bn_mp_fwrite.c | 45 + .../heimdal/lib/hcrypto/libtommath/bn_mp_gcd.c | 92 + .../lib/hcrypto/libtommath/bn_mp_get_double.c | 18 + .../heimdal/lib/hcrypto/libtommath/bn_mp_get_i32.c | 7 + 
.../heimdal/lib/hcrypto/libtommath/bn_mp_get_i64.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_get_l.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_get_ll.c | 7 + .../lib/hcrypto/libtommath/bn_mp_get_mag_u32.c | 7 + .../lib/hcrypto/libtommath/bn_mp_get_mag_u64.c | 7 + .../lib/hcrypto/libtommath/bn_mp_get_mag_ul.c | 7 + .../lib/hcrypto/libtommath/bn_mp_get_mag_ull.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_grow.c | 38 + .../heimdal/lib/hcrypto/libtommath/bn_mp_incr.c | 30 + .../heimdal/lib/hcrypto/libtommath/bn_mp_init.c | 23 + .../lib/hcrypto/libtommath/bn_mp_init_copy.c | 21 + .../lib/hcrypto/libtommath/bn_mp_init_i32.c | 7 + .../lib/hcrypto/libtommath/bn_mp_init_i64.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_init_l.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_init_ll.c | 7 + .../lib/hcrypto/libtommath/bn_mp_init_multi.c | 41 + .../lib/hcrypto/libtommath/bn_mp_init_set.c | 16 + .../lib/hcrypto/libtommath/bn_mp_init_size.c | 24 + .../lib/hcrypto/libtommath/bn_mp_init_u32.c | 7 + .../lib/hcrypto/libtommath/bn_mp_init_u64.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_init_ul.c | 7 + .../lib/hcrypto/libtommath/bn_mp_init_ull.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_invmod.c | 23 + .../lib/hcrypto/libtommath/bn_mp_is_square.c | 93 + .../heimdal/lib/hcrypto/libtommath/bn_mp_iseven.c | 10 + .../heimdal/lib/hcrypto/libtommath/bn_mp_isodd.c | 10 + .../lib/hcrypto/libtommath/bn_mp_kronecker.c | 129 + .../heimdal/lib/hcrypto/libtommath/bn_mp_lcm.c | 44 + .../heimdal/lib/hcrypto/libtommath/bn_mp_log_u32.c | 180 + .../heimdal/lib/hcrypto/libtommath/bn_mp_lshd.c | 51 + .../heimdal/lib/hcrypto/libtommath/bn_mp_mod.c | 31 + .../heimdal/lib/hcrypto/libtommath/bn_mp_mod_2d.c | 38 + .../heimdal/lib/hcrypto/libtommath/bn_mp_mod_d.c | 10 + .../bn_mp_montgomery_calc_normalization.c | 44 + .../hcrypto/libtommath/bn_mp_montgomery_reduce.c | 102 + .../hcrypto/libtommath/bn_mp_montgomery_setup.c | 42 + .../heimdal/lib/hcrypto/libtommath/bn_mp_mul.c | 52 + 
.../heimdal/lib/hcrypto/libtommath/bn_mp_mul_2.c | 64 + .../heimdal/lib/hcrypto/libtommath/bn_mp_mul_2d.c | 69 + .../heimdal/lib/hcrypto/libtommath/bn_mp_mul_d.c | 61 + .../heimdal/lib/hcrypto/libtommath/bn_mp_mulmod.c | 25 + .../heimdal/lib/hcrypto/libtommath/bn_mp_neg.c | 24 + .../heimdal/lib/hcrypto/libtommath/bn_mp_or.c | 56 + .../heimdal/lib/hcrypto/libtommath/bn_mp_pack.c | 69 + .../lib/hcrypto/libtommath/bn_mp_pack_count.c | 12 + .../lib/hcrypto/libtommath/bn_mp_prime_fermat.c | 47 + .../libtommath/bn_mp_prime_frobenius_underwood.c | 132 + .../lib/hcrypto/libtommath/bn_mp_prime_is_prime.c | 314 + .../hcrypto/libtommath/bn_mp_prime_miller_rabin.c | 91 + .../hcrypto/libtommath/bn_mp_prime_next_prime.c | 132 + .../libtommath/bn_mp_prime_rabin_miller_trials.c | 47 + .../lib/hcrypto/libtommath/bn_mp_prime_rand.c | 141 + .../bn_mp_prime_strong_lucas_selfridge.c | 289 + .../lib/hcrypto/libtommath/bn_mp_radix_size.c | 65 + .../lib/hcrypto/libtommath/bn_mp_radix_smap.c | 22 + .../heimdal/lib/hcrypto/libtommath/bn_mp_rand.c | 46 + .../lib/hcrypto/libtommath/bn_mp_read_radix.c | 79 + .../heimdal/lib/hcrypto/libtommath/bn_mp_reduce.c | 83 + .../lib/hcrypto/libtommath/bn_mp_reduce_2k.c | 48 + .../lib/hcrypto/libtommath/bn_mp_reduce_2k_l.c | 49 + .../lib/hcrypto/libtommath/bn_mp_reduce_2k_setup.c | 32 + .../hcrypto/libtommath/bn_mp_reduce_2k_setup_l.c | 28 + .../lib/hcrypto/libtommath/bn_mp_reduce_is_2k.c | 38 + .../lib/hcrypto/libtommath/bn_mp_reduce_is_2k_l.c | 28 + .../lib/hcrypto/libtommath/bn_mp_reduce_setup.c | 17 + .../lib/hcrypto/libtommath/bn_mp_root_u32.c | 139 + .../heimdal/lib/hcrypto/libtommath/bn_mp_rshd.c | 51 + .../lib/hcrypto/libtommath/bn_mp_sbin_size.c | 11 + .../heimdal/lib/hcrypto/libtommath/bn_mp_set.c | 14 + .../lib/hcrypto/libtommath/bn_mp_set_double.c | 47 + .../heimdal/lib/hcrypto/libtommath/bn_mp_set_i32.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_set_i64.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_set_l.c | 7 + 
.../heimdal/lib/hcrypto/libtommath/bn_mp_set_ll.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_set_u32.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_set_u64.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_set_ul.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_set_ull.c | 7 + .../heimdal/lib/hcrypto/libtommath/bn_mp_shrink.c | 22 + .../lib/hcrypto/libtommath/bn_mp_signed_rsh.c | 22 + .../heimdal/lib/hcrypto/libtommath/bn_mp_sqr.c | 28 + .../heimdal/lib/hcrypto/libtommath/bn_mp_sqrmod.c | 25 + .../heimdal/lib/hcrypto/libtommath/bn_mp_sqrt.c | 67 + .../lib/hcrypto/libtommath/bn_mp_sqrtmod_prime.c | 118 + .../heimdal/lib/hcrypto/libtommath/bn_mp_sub.c | 40 + .../heimdal/lib/hcrypto/libtommath/bn_mp_sub_d.c | 74 + .../heimdal/lib/hcrypto/libtommath/bn_mp_submod.c | 25 + .../lib/hcrypto/libtommath/bn_mp_to_radix.c | 84 + .../heimdal/lib/hcrypto/libtommath/bn_mp_to_sbin.c | 22 + .../heimdal/lib/hcrypto/libtommath/bn_mp_to_ubin.c | 41 + .../lib/hcrypto/libtommath/bn_mp_ubin_size.c | 12 + .../heimdal/lib/hcrypto/libtommath/bn_mp_unpack.c | 49 + .../heimdal/lib/hcrypto/libtommath/bn_mp_xor.c | 56 + .../heimdal/lib/hcrypto/libtommath/bn_mp_zero.c | 13 + .../heimdal/lib/hcrypto/libtommath/bn_prime_tab.c | 61 + .../heimdal/lib/hcrypto/libtommath/bn_s_mp_add.c | 91 + .../lib/hcrypto/libtommath/bn_s_mp_balance_mul.c | 81 + .../lib/hcrypto/libtommath/bn_s_mp_exptmod.c | 198 + .../lib/hcrypto/libtommath/bn_s_mp_exptmod_fast.c | 254 + .../lib/hcrypto/libtommath/bn_s_mp_get_bit.c | 21 + .../lib/hcrypto/libtommath/bn_s_mp_invmod_fast.c | 118 + .../lib/hcrypto/libtommath/bn_s_mp_invmod_slow.c | 119 + .../lib/hcrypto/libtommath/bn_s_mp_karatsuba_mul.c | 174 + .../lib/hcrypto/libtommath/bn_s_mp_karatsuba_sqr.c | 110 + .../libtommath/bn_s_mp_montgomery_reduce_fast.c | 159 + .../lib/hcrypto/libtommath/bn_s_mp_mul_digs.c | 74 + .../lib/hcrypto/libtommath/bn_s_mp_mul_digs_fast.c | 90 + .../lib/hcrypto/libtommath/bn_s_mp_mul_high_digs.c | 64 + 
.../libtommath/bn_s_mp_mul_high_digs_fast.c | 81 + .../libtommath/bn_s_mp_prime_is_divisible.c | 35 + .../lib/hcrypto/libtommath/bn_s_mp_rand_jenkins.c | 52 + .../lib/hcrypto/libtommath/bn_s_mp_rand_platform.c | 168 + .../lib/hcrypto/libtommath/bn_s_mp_reverse.c | 22 + .../heimdal/lib/hcrypto/libtommath/bn_s_mp_sqr.c | 69 + .../lib/hcrypto/libtommath/bn_s_mp_sqr_fast.c | 97 + .../heimdal/lib/hcrypto/libtommath/bn_s_mp_sub.c | 71 + .../lib/hcrypto/libtommath/bn_s_mp_toom_mul.c | 215 + .../lib/hcrypto/libtommath/bn_s_mp_toom_sqr.c | 147 + .../heimdal/lib/hcrypto/libtommath/changes.txt | 497 + .../lib/hcrypto/libtommath/demo/mtest_opponent.c | 402 + .../heimdal/lib/hcrypto/libtommath/demo/shared.c | 42 + .../heimdal/lib/hcrypto/libtommath/demo/shared.h | 21 + .../heimdal/lib/hcrypto/libtommath/demo/test.c | 2522 + .../heimdal/lib/hcrypto/libtommath/demo/timing.c | 406 + .../heimdal/lib/hcrypto/libtommath/doc/bn.pdf | Bin 0 -> 430812 bytes .../heimdal/lib/hcrypto/libtommath/doc/bn.tex | 2507 + .../heimdal/lib/hcrypto/libtommath/etc/2kprime.1 | 2 + .../heimdal/lib/hcrypto/libtommath/etc/2kprime.c | 81 + .../heimdal/lib/hcrypto/libtommath/etc/drprime.c | 67 + .../heimdal/lib/hcrypto/libtommath/etc/drprimes.28 | 25 + .../lib/hcrypto/libtommath/etc/drprimes.txt | 9 + .../heimdal/lib/hcrypto/libtommath/etc/makefile | 44 + .../lib/hcrypto/libtommath/etc/makefile.icc | 67 + .../lib/hcrypto/libtommath/etc/makefile.msvc | 24 + .../heimdal/lib/hcrypto/libtommath/etc/mersenne.c | 138 + .../heimdal/lib/hcrypto/libtommath/etc/mont.c | 44 + .../heimdal/lib/hcrypto/libtommath/etc/pprime.c | 411 + .../heimdal/lib/hcrypto/libtommath/etc/prime.1024 | 414 + .../heimdal/lib/hcrypto/libtommath/etc/prime.512 | 205 + .../heimdal/lib/hcrypto/libtommath/etc/timer.asm | 37 + .../heimdal/lib/hcrypto/libtommath/etc/tune.c | 542 + .../heimdal/lib/hcrypto/libtommath/etc/tune_it.sh | 107 + third_party/heimdal/lib/hcrypto/libtommath/gen.pl | 20 + .../heimdal/lib/hcrypto/libtommath/helper.pl | 482 + 
.../lib/hcrypto/libtommath/libtommath.pc.in | 10 + .../lib/hcrypto/libtommath/libtommath_VS2008.sln | 29 + .../hcrypto/libtommath/libtommath_VS2008.vcproj | 966 + .../heimdal/lib/hcrypto/libtommath/logs/README | 13 + .../heimdal/lib/hcrypto/libtommath/logs/add.log | 16 + .../heimdal/lib/hcrypto/libtommath/logs/addsub.png | Bin 0 -> 5921 bytes .../heimdal/lib/hcrypto/libtommath/logs/expt.log | 7 + .../heimdal/lib/hcrypto/libtommath/logs/expt.png | Bin 0 -> 7290 bytes .../lib/hcrypto/libtommath/logs/expt_2k.log | 6 + .../lib/hcrypto/libtommath/logs/expt_2kl.log | 3 + .../lib/hcrypto/libtommath/logs/expt_dr.log | 7 + .../heimdal/lib/hcrypto/libtommath/logs/graphs.dem | 16 + .../heimdal/lib/hcrypto/libtommath/logs/index.html | 27 + .../heimdal/lib/hcrypto/libtommath/logs/invmod.log | 8 + .../heimdal/lib/hcrypto/libtommath/logs/invmod.png | Bin 0 -> 6294 bytes .../heimdal/lib/hcrypto/libtommath/logs/mult.log | 84 + .../heimdal/lib/hcrypto/libtommath/logs/mult.png | Bin 0 -> 8308 bytes .../lib/hcrypto/libtommath/logs/mult_kara.log | 84 + .../heimdal/lib/hcrypto/libtommath/logs/sqr.log | 84 + .../lib/hcrypto/libtommath/logs/sqr_kara.log | 84 + .../heimdal/lib/hcrypto/libtommath/logs/sub.log | 16 + .../heimdal/lib/hcrypto/libtommath/makefile | 165 + .../heimdal/lib/hcrypto/libtommath/makefile.mingw | 109 + .../heimdal/lib/hcrypto/libtommath/makefile.msvc | 93 + .../heimdal/lib/hcrypto/libtommath/makefile.shared | 99 + .../heimdal/lib/hcrypto/libtommath/makefile.unix | 106 + .../lib/hcrypto/libtommath/makefile_include.mk | 166 + .../heimdal/lib/hcrypto/libtommath/mtest/logtab.h | 24 + .../lib/hcrypto/libtommath/mtest/mpi-config.h | 90 + .../lib/hcrypto/libtommath/mtest/mpi-types.h | 20 + .../heimdal/lib/hcrypto/libtommath/mtest/mpi.c | 3987 + .../heimdal/lib/hcrypto/libtommath/mtest/mpi.h | 233 + .../heimdal/lib/hcrypto/libtommath/mtest/mtest.c | 374 + .../heimdal/lib/hcrypto/libtommath/pre_gen/mpi.c | 9541 + .../heimdal/lib/hcrypto/libtommath/testme.sh | 394 + 
.../heimdal/lib/hcrypto/libtommath/tommath.def | 145 + .../heimdal/lib/hcrypto/libtommath/tommath.h | 781 + .../heimdal/lib/hcrypto/libtommath/tommath_class.h | 1319 + .../lib/hcrypto/libtommath/tommath_cutoffs.h | 13 + .../lib/hcrypto/libtommath/tommath_private.h | 303 + .../lib/hcrypto/libtommath/tommath_superclass.h | 110 + third_party/heimdal/lib/hcrypto/md2.c | 138 + third_party/heimdal/lib/hcrypto/md2.h | 63 + third_party/heimdal/lib/hcrypto/md4.c | 250 + third_party/heimdal/lib/hcrypto/md4.h | 62 + third_party/heimdal/lib/hcrypto/md5.c | 274 + third_party/heimdal/lib/hcrypto/md5.h | 62 + third_party/heimdal/lib/hcrypto/md5crypt_test.c | 75 + third_party/heimdal/lib/hcrypto/mdtest.c | 348 + third_party/heimdal/lib/hcrypto/passwd_dialog.aps | Bin 0 -> 30428 bytes third_party/heimdal/lib/hcrypto/passwd_dialog.clw | 34 + third_party/heimdal/lib/hcrypto/passwd_dialog.rc | 143 + third_party/heimdal/lib/hcrypto/passwd_dialog.res | Bin 0 -> 320 bytes third_party/heimdal/lib/hcrypto/passwd_dlg.c | 89 + third_party/heimdal/lib/hcrypto/passwd_dlg.h | 47 + third_party/heimdal/lib/hcrypto/pkcs12.c | 158 + third_party/heimdal/lib/hcrypto/pkcs12.h | 57 + third_party/heimdal/lib/hcrypto/pkcs5.c | 152 + third_party/heimdal/lib/hcrypto/rand-fortuna.c | 649 + third_party/heimdal/lib/hcrypto/rand-timer.c | 210 + third_party/heimdal/lib/hcrypto/rand-unix.c | 175 + third_party/heimdal/lib/hcrypto/rand-w32.c | 150 + third_party/heimdal/lib/hcrypto/rand.c | 402 + third_party/heimdal/lib/hcrypto/rand.h | 106 + third_party/heimdal/lib/hcrypto/randi.h | 49 + third_party/heimdal/lib/hcrypto/rc2.c | 240 + third_party/heimdal/lib/hcrypto/rc2.h | 71 + third_party/heimdal/lib/hcrypto/rc2test.c | 167 + third_party/heimdal/lib/hcrypto/rc4.c | 79 + third_party/heimdal/lib/hcrypto/rc4.h | 46 + third_party/heimdal/lib/hcrypto/rctest.c | 161 + third_party/heimdal/lib/hcrypto/resource.h | 18 + third_party/heimdal/lib/hcrypto/rijndael-alg-fst.c | 1223 + 
third_party/heimdal/lib/hcrypto/rijndael-alg-fst.h | 46 + third_party/heimdal/lib/hcrypto/rnd_keys.c | 138 + third_party/heimdal/lib/hcrypto/rsa-gmp.c | 584 + third_party/heimdal/lib/hcrypto/rsa-ltm.c | 637 + third_party/heimdal/lib/hcrypto/rsa-tfm.c | 573 + third_party/heimdal/lib/hcrypto/rsa.c | 706 + third_party/heimdal/lib/hcrypto/rsa.h | 184 + third_party/heimdal/lib/hcrypto/rsakey.der | Bin 0 -> 609 bytes third_party/heimdal/lib/hcrypto/rsakey2048.der | Bin 0 -> 1192 bytes third_party/heimdal/lib/hcrypto/rsakey4096.der | Bin 0 -> 2349 bytes third_party/heimdal/lib/hcrypto/sha.c | 300 + third_party/heimdal/lib/hcrypto/sha.h | 115 + third_party/heimdal/lib/hcrypto/sha256.c | 233 + third_party/heimdal/lib/hcrypto/sha512.c | 301 + third_party/heimdal/lib/hcrypto/test_bn.c | 392 + third_party/heimdal/lib/hcrypto/test_bulk.c | 314 + third_party/heimdal/lib/hcrypto/test_cipher.c | 436 + third_party/heimdal/lib/hcrypto/test_crypto.in | 120 + third_party/heimdal/lib/hcrypto/test_dh.c | 472 + third_party/heimdal/lib/hcrypto/test_engine_dso.c | 329 + third_party/heimdal/lib/hcrypto/test_hmac.c | 74 + third_party/heimdal/lib/hcrypto/test_pkcs12.c | 138 + third_party/heimdal/lib/hcrypto/test_pkcs5.c | 147 + third_party/heimdal/lib/hcrypto/test_rand.c | 219 + third_party/heimdal/lib/hcrypto/test_rsa.c | 397 + third_party/heimdal/lib/hcrypto/ui.c | 218 + third_party/heimdal/lib/hcrypto/ui.h | 49 + third_party/heimdal/lib/hcrypto/undef.h | 169 + third_party/heimdal/lib/hcrypto/validate.c | 307 + third_party/heimdal/lib/hcrypto/version-script.map | 341 + third_party/heimdal/lib/hcrypto/x25519/NTMakefile | 46 + third_party/heimdal/lib/hcrypto/x25519/align.h | 7 + .../heimdal/lib/hcrypto/x25519/ed25519_ref10.c | 2886 + .../heimdal/lib/hcrypto/x25519/ed25519_ref10.h | 174 + .../lib/hcrypto/x25519/ed25519_ref10_fe_25_5.h | 1067 + .../lib/hcrypto/x25519/ed25519_ref10_fe_51.h | 539 + .../heimdal/lib/hcrypto/x25519/fe_25_5/base.h | 1344 + 
.../heimdal/lib/hcrypto/x25519/fe_25_5/base2.h | 40 + .../heimdal/lib/hcrypto/x25519/fe_25_5/constants.h | 40 + .../heimdal/lib/hcrypto/x25519/fe_25_5/fe.h | 220 + .../heimdal/lib/hcrypto/x25519/fe_51/base.h | 1344 + .../heimdal/lib/hcrypto/x25519/fe_51/base2.h | 40 + .../heimdal/lib/hcrypto/x25519/fe_51/constants.h | 41 + third_party/heimdal/lib/hcrypto/x25519/fe_51/fe.h | 116 + .../heimdal/lib/hcrypto/x25519/x25519_ref10.c | 209 + third_party/heimdal/lib/hcrypto/x25519_ref10.h | 55 + third_party/heimdal/lib/hdb/Makefile.am | 168 + third_party/heimdal/lib/hdb/NTMakefile | 189 + third_party/heimdal/lib/hdb/common.c | 1745 + third_party/heimdal/lib/hdb/data-mkey.mit.des3.be | Bin 0 -> 46 bytes third_party/heimdal/lib/hdb/data-mkey.mit.des3.le | Bin 0 -> 30 bytes third_party/heimdal/lib/hdb/db.c | 391 + third_party/heimdal/lib/hdb/db3.c | 495 + third_party/heimdal/lib/hdb/dbinfo.c | 291 + third_party/heimdal/lib/hdb/ext.c | 786 + third_party/heimdal/lib/hdb/hdb-keytab.c | 232 + third_party/heimdal/lib/hdb/hdb-ldap.c | 2117 + third_party/heimdal/lib/hdb/hdb-mdb.c | 692 + third_party/heimdal/lib/hdb/hdb-mitdb.c | 1500 + third_party/heimdal/lib/hdb/hdb-sqlite.c | 1075 + third_party/heimdal/lib/hdb/hdb.asn1 | 251 + third_party/heimdal/lib/hdb/hdb.c | 848 + third_party/heimdal/lib/hdb/hdb.h | 337 + third_party/heimdal/lib/hdb/hdb.opt | 5 + third_party/heimdal/lib/hdb/hdb.schema | 144 + third_party/heimdal/lib/hdb/hdb_err.et | 33 + third_party/heimdal/lib/hdb/hdb_locl.h | 73 + third_party/heimdal/lib/hdb/keys.c | 855 + third_party/heimdal/lib/hdb/keytab.c | 449 + third_party/heimdal/lib/hdb/libhdb-exports.def | 180 + third_party/heimdal/lib/hdb/libhdb-version.rc | 36 + third_party/heimdal/lib/hdb/mkey.c | 769 + third_party/heimdal/lib/hdb/ndbm.c | 406 + third_party/heimdal/lib/hdb/print.c | 597 + third_party/heimdal/lib/hdb/test_concurrency.c | 506 + third_party/heimdal/lib/hdb/test_dbinfo.c | 156 + third_party/heimdal/lib/hdb/test_hdbkeys.c | 124 + 
third_party/heimdal/lib/hdb/test_mkey.c | 55 + third_party/heimdal/lib/hdb/test_namespace.c | 941 + third_party/heimdal/lib/hdb/version-script.map | 189 + third_party/heimdal/lib/heimdal/NTMakefile | 98 + third_party/heimdal/lib/heimdal/heimdal-version.rc | 36 + third_party/heimdal/lib/hx509/ChangeLog | 2749 + third_party/heimdal/lib/hx509/Makefile.am | 398 + third_party/heimdal/lib/hx509/NTMakefile | 180 + third_party/heimdal/lib/hx509/TODO | 61 + third_party/heimdal/lib/hx509/ca.c | 3093 + third_party/heimdal/lib/hx509/cert.c | 3892 + third_party/heimdal/lib/hx509/char_map.h | 45 + third_party/heimdal/lib/hx509/cms.c | 1718 + third_party/heimdal/lib/hx509/collector.c | 331 + third_party/heimdal/lib/hx509/crypto-ec.c | 533 + third_party/heimdal/lib/hx509/crypto.c | 2804 + third_party/heimdal/lib/hx509/data/PKITS.pdf | Bin 0 -> 754584 bytes third_party/heimdal/lib/hx509/data/PKITS_data.zip | Bin 0 -> 2149008 bytes .../heimdal/lib/hx509/data/bleichenbacher-bad.pem | 12 + .../heimdal/lib/hx509/data/bleichenbacher-good.pem | 12 + .../hx509/data/bleichenbacher-sf-pad-correct.pem | 16 + third_party/heimdal/lib/hx509/data/ca.crt | 32 + third_party/heimdal/lib/hx509/data/ca.key | 52 + third_party/heimdal/lib/hx509/data/crl1.crl | 16 + third_party/heimdal/lib/hx509/data/crl1.der | Bin 0 -> 649 bytes third_party/heimdal/lib/hx509/data/eccurve.pem | 3 + third_party/heimdal/lib/hx509/data/gen-req.sh | 360 + third_party/heimdal/lib/hx509/data/https.crt | 116 + third_party/heimdal/lib/hx509/data/https.key | 52 + third_party/heimdal/lib/hx509/data/j.pem | 26 + third_party/heimdal/lib/hx509/data/kdc.crt | 122 + third_party/heimdal/lib/hx509/data/kdc.key | 52 + third_party/heimdal/lib/hx509/data/key.der | Bin 0 -> 609 bytes third_party/heimdal/lib/hx509/data/key2.der | Bin 0 -> 610 bytes third_party/heimdal/lib/hx509/data/mkcert.sh | 83 + third_party/heimdal/lib/hx509/data/n0ll.pem | 47 + third_party/heimdal/lib/hx509/data/nist-data | 91 + 
third_party/heimdal/lib/hx509/data/nist-data2 | 291 + third_party/heimdal/lib/hx509/data/nist-result2 | 31 + .../heimdal/lib/hx509/data/no-proxy-test.crt | 30 + .../heimdal/lib/hx509/data/no-proxy-test.key | 52 + third_party/heimdal/lib/hx509/data/ocsp-req1.der | Bin 0 -> 105 bytes third_party/heimdal/lib/hx509/data/ocsp-req2.der | Bin 0 -> 105 bytes .../heimdal/lib/hx509/data/ocsp-resp1-2.der | Bin 0 -> 999 bytes .../heimdal/lib/hx509/data/ocsp-resp1-3.der | Bin 0 -> 363 bytes .../heimdal/lib/hx509/data/ocsp-resp1-ca.der | Bin 0 -> 2159 bytes .../heimdal/lib/hx509/data/ocsp-resp1-keyhash.der | Bin 0 -> 2060 bytes .../lib/hx509/data/ocsp-resp1-ocsp-no-cert.der | Bin 0 -> 748 bytes .../heimdal/lib/hx509/data/ocsp-resp1-ocsp.der | Bin 0 -> 2078 bytes third_party/heimdal/lib/hx509/data/ocsp-resp1.der | Bin 0 -> 918 bytes third_party/heimdal/lib/hx509/data/ocsp-resp2.der | Bin 0 -> 2095 bytes .../heimdal/lib/hx509/data/ocsp-responder.crt | 119 + .../heimdal/lib/hx509/data/ocsp-responder.key | 52 + third_party/heimdal/lib/hx509/data/openssl.1.0.cnf | 190 + third_party/heimdal/lib/hx509/data/openssl.1.1.cnf | 185 + third_party/heimdal/lib/hx509/data/pkinit-ec.crt | 81 + third_party/heimdal/lib/hx509/data/pkinit-ec.key | 5 + .../heimdal/lib/hx509/data/pkinit-proxy-chain.crt | 149 + .../heimdal/lib/hx509/data/pkinit-proxy.crt | 30 + .../heimdal/lib/hx509/data/pkinit-proxy.key | 52 + third_party/heimdal/lib/hx509/data/pkinit-pw.key | 54 + third_party/heimdal/lib/hx509/data/pkinit.crt | 119 + third_party/heimdal/lib/hx509/data/pkinit.key | 52 + .../heimdal/lib/hx509/data/proxy-level-test.crt | 31 + .../heimdal/lib/hx509/data/proxy-level-test.key | 52 + third_party/heimdal/lib/hx509/data/proxy-test.crt | 30 + third_party/heimdal/lib/hx509/data/proxy-test.key | 52 + .../lib/hx509/data/proxy10-child-child-test.crt | 32 + .../lib/hx509/data/proxy10-child-child-test.key | 52 + .../heimdal/lib/hx509/data/proxy10-child-test.crt | 31 + 
.../heimdal/lib/hx509/data/proxy10-child-test.key | 52 + .../heimdal/lib/hx509/data/proxy10-test.crt | 30 + .../heimdal/lib/hx509/data/proxy10-test.key | 52 + third_party/heimdal/lib/hx509/data/revoke.crt | 116 + third_party/heimdal/lib/hx509/data/revoke.key | 52 + .../lib/hx509/data/secp256r1TestCA.cert.pem | 12 + .../heimdal/lib/hx509/data/secp256r1TestCA.key.pem | 5 + .../heimdal/lib/hx509/data/secp256r1TestCA.pem | 17 + .../lib/hx509/data/secp256r2TestClient.cert.pem | 12 + .../lib/hx509/data/secp256r2TestClient.key.pem | 5 + .../heimdal/lib/hx509/data/secp256r2TestClient.pem | 17 + .../lib/hx509/data/secp256r2TestServer.cert.pem | 12 + .../lib/hx509/data/secp256r2TestServer.key.pem | 5 + .../heimdal/lib/hx509/data/secp256r2TestServer.pem | 17 + .../heimdal/lib/hx509/data/sf-class2-root.pem | 24 + third_party/heimdal/lib/hx509/data/static-file | 84 + third_party/heimdal/lib/hx509/data/sub-ca.crt | 123 + third_party/heimdal/lib/hx509/data/sub-ca.key | 52 + third_party/heimdal/lib/hx509/data/sub-cert.crt | 116 + third_party/heimdal/lib/hx509/data/sub-cert.key | 52 + third_party/heimdal/lib/hx509/data/sub-cert.p12 | Bin 0 -> 7072 bytes third_party/heimdal/lib/hx509/data/tcg-devid.pem | 24 + third_party/heimdal/lib/hx509/data/tcg-ek-cp.pem | 24 + .../heimdal/lib/hx509/data/test-ds-only.crt | 117 + .../heimdal/lib/hx509/data/test-ds-only.key | 52 + .../heimdal/lib/hx509/data/test-enveloped-aes-128 | Bin 0 -> 3547 bytes .../heimdal/lib/hx509/data/test-enveloped-aes-256 | Bin 0 -> 3547 bytes .../heimdal/lib/hx509/data/test-enveloped-des | Bin 0 -> 3527 bytes .../heimdal/lib/hx509/data/test-enveloped-des-ede3 | Bin 0 -> 3530 bytes .../heimdal/lib/hx509/data/test-enveloped-rc2-128 | Bin 0 -> 3535 bytes .../heimdal/lib/hx509/data/test-enveloped-rc2-40 | Bin 0 -> 3536 bytes .../heimdal/lib/hx509/data/test-enveloped-rc2-64 | Bin 0 -> 3535 bytes .../heimdal/lib/hx509/data/test-ke-only.crt | 117 + .../heimdal/lib/hx509/data/test-ke-only.key | 52 + 
third_party/heimdal/lib/hx509/data/test-nopw.p12 | Bin 0 -> 5510 bytes third_party/heimdal/lib/hx509/data/test-pw.key | 54 + .../heimdal/lib/hx509/data/test-signed-data | Bin 0 -> 5057 bytes .../heimdal/lib/hx509/data/test-signed-data-noattr | Bin 0 -> 4826 bytes .../lib/hx509/data/test-signed-data-noattr-nocerts | Bin 0 -> 3537 bytes .../heimdal/lib/hx509/data/test-signed-sha-1 | Bin 0 -> 5037 bytes .../heimdal/lib/hx509/data/test-signed-sha-256 | Bin 0 -> 5057 bytes .../heimdal/lib/hx509/data/test-signed-sha-512 | Bin 0 -> 5090 bytes .../heimdal/lib/hx509/data/test.combined.crt | 168 + third_party/heimdal/lib/hx509/data/test.crt | 116 + third_party/heimdal/lib/hx509/data/test.key | 52 + third_party/heimdal/lib/hx509/data/test.p12 | Bin 0 -> 5608 bytes .../lib/hx509/data/win-u16-in-printablestring.der | Bin 0 -> 772 bytes .../lib/hx509/data/yutaka-pad-broken-ca.pem | 16 + .../lib/hx509/data/yutaka-pad-broken-cert.pem | 18 + .../heimdal/lib/hx509/data/yutaka-pad-ok-ca.pem | 16 + .../heimdal/lib/hx509/data/yutaka-pad-ok-cert.pem | 18 + third_party/heimdal/lib/hx509/data/yutaka-pad.key | 15 + third_party/heimdal/lib/hx509/doxygen.c | 85 + third_party/heimdal/lib/hx509/env.c | 245 + third_party/heimdal/lib/hx509/error.c | 220 + third_party/heimdal/lib/hx509/file.c | 387 + third_party/heimdal/lib/hx509/hx509.h | 221 + third_party/heimdal/lib/hx509/hx509_err.et | 110 + third_party/heimdal/lib/hx509/hx_locl.h | 330 + third_party/heimdal/lib/hx509/hxtool-commands.in | 1057 + third_party/heimdal/lib/hx509/hxtool-version.rc | 36 + third_party/heimdal/lib/hx509/hxtool.c | 3162 + third_party/heimdal/lib/hx509/keyset.c | 846 + third_party/heimdal/lib/hx509/ks_dir.c | 231 + third_party/heimdal/lib/hx509/ks_file.c | 800 + third_party/heimdal/lib/hx509/ks_keychain.c | 627 + third_party/heimdal/lib/hx509/ks_mem.c | 224 + third_party/heimdal/lib/hx509/ks_null.c | 101 + third_party/heimdal/lib/hx509/ks_p11.c | 1230 + third_party/heimdal/lib/hx509/ks_p12.c | 756 + 
third_party/heimdal/lib/hx509/libhx509-exports.def | 288 + third_party/heimdal/lib/hx509/lock.c | 252 + third_party/heimdal/lib/hx509/name.c | 1529 + third_party/heimdal/lib/hx509/peer.c | 237 + third_party/heimdal/lib/hx509/print.c | 1144 + third_party/heimdal/lib/hx509/quote.py | 101 + third_party/heimdal/lib/hx509/ref/pkcs11.h | 1722 + third_party/heimdal/lib/hx509/req.c | 1520 + third_party/heimdal/lib/hx509/revoke.c | 1650 + third_party/heimdal/lib/hx509/sel-gram.y | 130 + third_party/heimdal/lib/hx509/sel-lex.l | 148 + third_party/heimdal/lib/hx509/sel.c | 240 + third_party/heimdal/lib/hx509/sel.h | 100 + third_party/heimdal/lib/hx509/softp11.c | 1777 + third_party/heimdal/lib/hx509/test_ca.in | 480 + third_party/heimdal/lib/hx509/test_cert.in | 84 + third_party/heimdal/lib/hx509/test_chain.in | 256 + third_party/heimdal/lib/hx509/test_cms.in | 514 + third_party/heimdal/lib/hx509/test_crypto.in | 192 + third_party/heimdal/lib/hx509/test_expr.c | 87 + third_party/heimdal/lib/hx509/test_java_pkcs11.in | 73 + third_party/heimdal/lib/hx509/test_name.c | 468 + third_party/heimdal/lib/hx509/test_nist.in | 117 + third_party/heimdal/lib/hx509/test_nist2.in | 136 + third_party/heimdal/lib/hx509/test_nist_cert.in | 68 + third_party/heimdal/lib/hx509/test_nist_pkcs12.in | 77 + third_party/heimdal/lib/hx509/test_pkcs11.in | 62 + third_party/heimdal/lib/hx509/test_query.in | 203 + third_party/heimdal/lib/hx509/test_req.in | 135 + third_party/heimdal/lib/hx509/test_soft_pkcs11.c | 228 + third_party/heimdal/lib/hx509/test_windows.in | 89 + .../heimdal/lib/hx509/tst-crypto-available1 | 13 + .../heimdal/lib/hx509/tst-crypto-available2 | 5 + .../heimdal/lib/hx509/tst-crypto-available3 | 6 + third_party/heimdal/lib/hx509/tst-crypto-select | 1 + third_party/heimdal/lib/hx509/tst-crypto-select1 | 1 + third_party/heimdal/lib/hx509/tst-crypto-select2 | 1 + third_party/heimdal/lib/hx509/tst-crypto-select3 | 1 + third_party/heimdal/lib/hx509/tst-crypto-select4 | 1 + 
third_party/heimdal/lib/hx509/tst-crypto-select5 | 1 + third_party/heimdal/lib/hx509/tst-crypto-select6 | 1 + third_party/heimdal/lib/hx509/tst-crypto-select7 | 1 + third_party/heimdal/lib/hx509/version-script.map | 302 + third_party/heimdal/lib/ipc/Makefile.am | 72 + third_party/heimdal/lib/ipc/client.c | 610 + third_party/heimdal/lib/ipc/common.c | 206 + third_party/heimdal/lib/ipc/heim-ipc.h | 133 + third_party/heimdal/lib/ipc/heim_ipc.defs | 66 + third_party/heimdal/lib/ipc/heim_ipc_async.defs | 56 + third_party/heimdal/lib/ipc/heim_ipc_reply.defs | 51 + third_party/heimdal/lib/ipc/heim_ipc_types.h | 44 + third_party/heimdal/lib/ipc/hi_locl.h | 83 + third_party/heimdal/lib/ipc/server.c | 1385 + third_party/heimdal/lib/ipc/tc.c | 138 + third_party/heimdal/lib/ipc/ts-http.c | 136 + third_party/heimdal/lib/ipc/ts.c | 116 + third_party/heimdal/lib/kadm5/ChangeLog | 1389 + third_party/heimdal/lib/kadm5/Makefile.am | 230 + third_party/heimdal/lib/kadm5/NTMakefile | 296 + third_party/heimdal/lib/kadm5/acl.c | 242 + third_party/heimdal/lib/kadm5/ad.c | 1489 + third_party/heimdal/lib/kadm5/admin.h | 271 + third_party/heimdal/lib/kadm5/bump_pw_expire.c | 59 + third_party/heimdal/lib/kadm5/check-cracklib.pl | 112 + third_party/heimdal/lib/kadm5/chpass_c.c | 175 + third_party/heimdal/lib/kadm5/chpass_s.c | 466 + third_party/heimdal/lib/kadm5/client_glue.c | 150 + third_party/heimdal/lib/kadm5/common_glue.c | 437 + third_party/heimdal/lib/kadm5/context_s.c | 312 + third_party/heimdal/lib/kadm5/create_c.c | 114 + third_party/heimdal/lib/kadm5/create_s.c | 357 + third_party/heimdal/lib/kadm5/default_keys.c | 121 + third_party/heimdal/lib/kadm5/delete_c.c | 88 + third_party/heimdal/lib/kadm5/delete_s.c | 145 + third_party/heimdal/lib/kadm5/destroy_c.c | 58 + third_party/heimdal/lib/kadm5/destroy_s.c | 91 + third_party/heimdal/lib/kadm5/ent_setup.c | 272 + third_party/heimdal/lib/kadm5/error.c | 48 + third_party/heimdal/lib/kadm5/flush.c | 48 + 
third_party/heimdal/lib/kadm5/flush_c.c | 41 + third_party/heimdal/lib/kadm5/flush_s.c | 41 + third_party/heimdal/lib/kadm5/free.c | 92 + third_party/heimdal/lib/kadm5/get_c.c | 96 + third_party/heimdal/lib/kadm5/get_princs_c.c | 119 + third_party/heimdal/lib/kadm5/get_princs_s.c | 127 + third_party/heimdal/lib/kadm5/get_s.c | 411 + third_party/heimdal/lib/kadm5/init_c.c | 868 + third_party/heimdal/lib/kadm5/init_s.c | 265 + third_party/heimdal/lib/kadm5/iprop-commands.in | 187 + third_party/heimdal/lib/kadm5/iprop-log-version.rc | 36 + third_party/heimdal/lib/kadm5/iprop-log.8 | 254 + third_party/heimdal/lib/kadm5/iprop-log.c | 653 + third_party/heimdal/lib/kadm5/iprop.8 | 208 + third_party/heimdal/lib/kadm5/iprop.h | 80 + .../heimdal/lib/kadm5/ipropd-master-version.rc | 36 + .../heimdal/lib/kadm5/ipropd-slave-version.rc | 36 + third_party/heimdal/lib/kadm5/ipropd_common.c | 266 + third_party/heimdal/lib/kadm5/ipropd_master.c | 1877 + third_party/heimdal/lib/kadm5/ipropd_slave.c | 1162 + third_party/heimdal/lib/kadm5/kadm5-hook.h | 151 + third_party/heimdal/lib/kadm5/kadm5-pwcheck.h | 73 + third_party/heimdal/lib/kadm5/kadm5_err.et | 114 + third_party/heimdal/lib/kadm5/kadm5_locl.h | 91 + third_party/heimdal/lib/kadm5/kadm5_pwcheck.3 | 159 + third_party/heimdal/lib/kadm5/keys.c | 132 + .../heimdal/lib/kadm5/libkadm5srv-exports.def | 91 + .../heimdal/lib/kadm5/libkadm5srv-version.rc | 36 + third_party/heimdal/lib/kadm5/log.c | 2756 + third_party/heimdal/lib/kadm5/marshall.c | 474 + third_party/heimdal/lib/kadm5/modify_c.c | 93 + third_party/heimdal/lib/kadm5/modify_s.c | 215 + third_party/heimdal/lib/kadm5/password_quality.c | 508 + third_party/heimdal/lib/kadm5/private.h | 208 + third_party/heimdal/lib/kadm5/privs_c.c | 89 + third_party/heimdal/lib/kadm5/privs_s.c | 44 + third_party/heimdal/lib/kadm5/prune_c.c | 73 + third_party/heimdal/lib/kadm5/prune_s.c | 149 + third_party/heimdal/lib/kadm5/randkey_c.c | 154 + third_party/heimdal/lib/kadm5/randkey_s.c | 204 + 
third_party/heimdal/lib/kadm5/rename_c.c | 94 + third_party/heimdal/lib/kadm5/rename_s.c | 188 + third_party/heimdal/lib/kadm5/sample_hook.c | 286 + .../heimdal/lib/kadm5/sample_passwd_check.c | 87 + third_party/heimdal/lib/kadm5/send_recv.c | 99 + third_party/heimdal/lib/kadm5/server_glue.c | 150 + third_party/heimdal/lib/kadm5/server_hooks.c | 97 + third_party/heimdal/lib/kadm5/set_keys.c | 420 + third_party/heimdal/lib/kadm5/set_modifier.c | 54 + third_party/heimdal/lib/kadm5/setkey3_s.c | 220 + third_party/heimdal/lib/kadm5/test_pw_quality.c | 99 + .../heimdal/lib/kadm5/version-script-client.map | 61 + third_party/heimdal/lib/kadm5/version-script.map | 96 + third_party/heimdal/lib/kafs/ChangeLog | 572 + third_party/heimdal/lib/kafs/Makefile.am | 96 + third_party/heimdal/lib/kafs/NTMakefile | 35 + third_party/heimdal/lib/kafs/afskrb5.c | 353 + third_party/heimdal/lib/kafs/afsl.exp | 6 + third_party/heimdal/lib/kafs/afslib.c | 53 + third_party/heimdal/lib/kafs/afslib.exp | 3 + third_party/heimdal/lib/kafs/afssys.c | 630 + third_party/heimdal/lib/kafs/afssysdefs.h | 109 + third_party/heimdal/lib/kafs/common.c | 469 + third_party/heimdal/lib/kafs/kafs.3 | 296 + third_party/heimdal/lib/kafs/kafs.h | 216 + third_party/heimdal/lib/kafs/kafs_locl.h | 163 + third_party/heimdal/lib/kafs/roken_rename.h | 64 + third_party/heimdal/lib/kafs/rxkad_kdf.c | 221 + third_party/heimdal/lib/kdfs/ChangeLog | 28 + third_party/heimdal/lib/kdfs/Makefile.am | 12 + third_party/heimdal/lib/kdfs/NTMakefile | 35 + third_party/heimdal/lib/kdfs/k5dfspag.c | 368 + third_party/heimdal/lib/krb5/Makefile.am | 455 + third_party/heimdal/lib/krb5/NTMakefile | 544 + third_party/heimdal/lib/krb5/acache.c | 1127 + third_party/heimdal/lib/krb5/acl.c | 293 + third_party/heimdal/lib/krb5/add_et_list.c | 54 + third_party/heimdal/lib/krb5/addr_families.c | 1574 + third_party/heimdal/lib/krb5/aes-test.c | 1056 + third_party/heimdal/lib/krb5/an2ln_plugin.h | 91 + 
third_party/heimdal/lib/krb5/aname_to_localname.c | 469 + third_party/heimdal/lib/krb5/appdefault.c | 140 + third_party/heimdal/lib/krb5/asn1_glue.c | 162 + third_party/heimdal/lib/krb5/auth_context.c | 621 + third_party/heimdal/lib/krb5/authdata.c | 124 + third_party/heimdal/lib/krb5/build_ap_req.c | 64 + third_party/heimdal/lib/krb5/build_auth.c | 267 + third_party/heimdal/lib/krb5/cache.c | 2300 + third_party/heimdal/lib/krb5/ccache_plugin.h | 46 + third_party/heimdal/lib/krb5/changepw.c | 860 + third_party/heimdal/lib/krb5/codec.c | 214 + third_party/heimdal/lib/krb5/config_file.c | 758 + third_party/heimdal/lib/krb5/constants.c | 67 + third_party/heimdal/lib/krb5/context.c | 1473 + third_party/heimdal/lib/krb5/convert_creds.c | 95 + third_party/heimdal/lib/krb5/copy_host_realm.c | 72 + third_party/heimdal/lib/krb5/crc.c | 69 + third_party/heimdal/lib/krb5/creds.c | 282 + third_party/heimdal/lib/krb5/crypto-aes-sha1.c | 177 + third_party/heimdal/lib/krb5/crypto-aes-sha2.c | 199 + third_party/heimdal/lib/krb5/crypto-algs.c | 94 + third_party/heimdal/lib/krb5/crypto-arcfour.c | 368 + third_party/heimdal/lib/krb5/crypto-des-common.c | 158 + third_party/heimdal/lib/krb5/crypto-des.c | 403 + third_party/heimdal/lib/krb5/crypto-des3.c | 292 + third_party/heimdal/lib/krb5/crypto-evp.c | 671 + third_party/heimdal/lib/krb5/crypto-null.c | 103 + third_party/heimdal/lib/krb5/crypto-pk.c | 295 + third_party/heimdal/lib/krb5/crypto-rand.c | 152 + third_party/heimdal/lib/krb5/crypto-stubs.c | 102 + third_party/heimdal/lib/krb5/crypto.c | 3264 + third_party/heimdal/lib/krb5/crypto.h | 231 + third_party/heimdal/lib/krb5/data.c | 228 + third_party/heimdal/lib/krb5/db_plugin.c | 41 + third_party/heimdal/lib/krb5/db_plugin.h | 68 + third_party/heimdal/lib/krb5/dcache.c | 855 + third_party/heimdal/lib/krb5/deprecated.c | 726 + third_party/heimdal/lib/krb5/derived-key-test.c | 145 + third_party/heimdal/lib/krb5/digest.c | 1165 + third_party/heimdal/lib/krb5/dll.c | 76 + 
third_party/heimdal/lib/krb5/doxygen.c | 700 + third_party/heimdal/lib/krb5/eai_to_heim_errno.c | 118 + third_party/heimdal/lib/krb5/enomem.c | 42 + third_party/heimdal/lib/krb5/error_string.c | 236 + third_party/heimdal/lib/krb5/expand_hostname.c | 177 + third_party/heimdal/lib/krb5/expand_path.c | 94 + third_party/heimdal/lib/krb5/fast.c | 962 + third_party/heimdal/lib/krb5/fcache.c | 1693 + third_party/heimdal/lib/krb5/free.c | 51 + third_party/heimdal/lib/krb5/free_host_realm.c | 59 + third_party/heimdal/lib/krb5/generate_seq_number.c | 48 + third_party/heimdal/lib/krb5/generate_subkey.c | 73 + third_party/heimdal/lib/krb5/get_addrs.c | 283 + third_party/heimdal/lib/krb5/get_cred.c | 2026 + .../heimdal/lib/krb5/get_default_principal.c | 95 + third_party/heimdal/lib/krb5/get_default_realm.c | 80 + third_party/heimdal/lib/krb5/get_for_creds.c | 367 + third_party/heimdal/lib/krb5/get_host_realm.c | 300 + third_party/heimdal/lib/krb5/get_in_tkt.c | 555 + third_party/heimdal/lib/krb5/get_port.c | 52 + third_party/heimdal/lib/krb5/init_creds.c | 436 + third_party/heimdal/lib/krb5/init_creds_pw.c | 4011 + third_party/heimdal/lib/krb5/k524_err.et | 20 + third_party/heimdal/lib/krb5/k5e1_err.et | 13 + third_party/heimdal/lib/krb5/kcm.c | 1506 + third_party/heimdal/lib/krb5/kcm.h | 87 + third_party/heimdal/lib/krb5/kerberos.8 | 115 + third_party/heimdal/lib/krb5/keyblock.c | 203 + third_party/heimdal/lib/krb5/keytab.c | 975 + third_party/heimdal/lib/krb5/keytab_any.c | 260 + third_party/heimdal/lib/krb5/keytab_file.c | 856 + third_party/heimdal/lib/krb5/keytab_keyfile.c | 456 + third_party/heimdal/lib/krb5/keytab_memory.c | 231 + third_party/heimdal/lib/krb5/krb5-plugin.7 | 359 + third_party/heimdal/lib/krb5/krb5-v4compat.h | 139 + third_party/heimdal/lib/krb5/krb5.conf.5 | 1442 + third_party/heimdal/lib/krb5/krb5.h | 1069 + third_party/heimdal/lib/krb5/krb5.moduli | 3 + .../heimdal/lib/krb5/krb524_convert_creds_kdc.3 | 86 + .../heimdal/lib/krb5/krb5_425_conv_principal.3 
| 224 + third_party/heimdal/lib/krb5/krb5_acl_match_file.3 | 111 + .../heimdal/lib/krb5/krb5_aname_to_localname.3 | 80 + third_party/heimdal/lib/krb5/krb5_appdefault.3 | 88 + third_party/heimdal/lib/krb5/krb5_auth_context.3 | 395 + .../heimdal/lib/krb5/krb5_c_make_checksum.3 | 297 + third_party/heimdal/lib/krb5/krb5_ccapi.h | 239 + .../heimdal/lib/krb5/krb5_check_transited.3 | 106 + .../heimdal/lib/krb5/krb5_create_checksum.3 | 226 + third_party/heimdal/lib/krb5/krb5_creds.3 | 119 + third_party/heimdal/lib/krb5/krb5_digest.3 | 260 + .../heimdal/lib/krb5/krb5_eai_to_heim_errno.3 | 68 + third_party/heimdal/lib/krb5/krb5_encrypt.3 | 278 + third_party/heimdal/lib/krb5/krb5_err.et | 314 + third_party/heimdal/lib/krb5/krb5_find_padata.3 | 87 + .../heimdal/lib/krb5/krb5_generate_random_block.3 | 57 + .../heimdal/lib/krb5/krb5_get_all_client_addrs.3 | 74 + .../heimdal/lib/krb5/krb5_get_credentials.3 | 181 + third_party/heimdal/lib/krb5/krb5_get_creds.3 | 173 + .../heimdal/lib/krb5/krb5_get_forwarded_creds.3 | 79 + third_party/heimdal/lib/krb5/krb5_get_in_cred.3 | 274 + third_party/heimdal/lib/krb5/krb5_get_init_creds.3 | 403 + third_party/heimdal/lib/krb5/krb5_get_krbhst.3 | 86 + third_party/heimdal/lib/krb5/krb5_getportbyname.3 | 67 + third_party/heimdal/lib/krb5/krb5_init_context.3 | 308 + third_party/heimdal/lib/krb5/krb5_is_thread_safe.3 | 58 + third_party/heimdal/lib/krb5/krb5_krbhst_init.3 | 174 + third_party/heimdal/lib/krb5/krb5_locl.h | 485 + third_party/heimdal/lib/krb5/krb5_mk_req.3 | 187 + third_party/heimdal/lib/krb5/krb5_mk_safe.3 | 82 + third_party/heimdal/lib/krb5/krb5_openlog.3 | 305 + third_party/heimdal/lib/krb5/krb5_parse_name.3 | 67 + third_party/heimdal/lib/krb5/krb5_principal.3 | 371 + third_party/heimdal/lib/krb5/krb5_rcache.3 | 163 + third_party/heimdal/lib/krb5/krb5_rd_error.3 | 98 + third_party/heimdal/lib/krb5/krb5_rd_safe.3 | 81 + .../heimdal/lib/krb5/krb5_set_default_realm.3 | 164 + third_party/heimdal/lib/krb5/krb5_set_password.3 | 143 + 
third_party/heimdal/lib/krb5/krb5_string_to_key.3 | 156 + third_party/heimdal/lib/krb5/krb5_timeofday.3 | 118 + .../heimdal/lib/krb5/krb5_verify_init_creds.3 | 103 + third_party/heimdal/lib/krb5/krb5_verify_user.3 | 241 + third_party/heimdal/lib/krb5/krb_err.et | 63 + third_party/heimdal/lib/krb5/krbhst-test.c | 109 + third_party/heimdal/lib/krb5/krbhst.c | 1275 + third_party/heimdal/lib/krb5/krcache.c | 2075 + third_party/heimdal/lib/krb5/kuserok.c | 753 + third_party/heimdal/lib/krb5/kuserok_plugin.h | 91 + third_party/heimdal/lib/krb5/kx509.c | 1323 + third_party/heimdal/lib/krb5/kx509_err.et | 39 + .../heimdal/lib/krb5/libkrb5-exports.def.in | 895 + third_party/heimdal/lib/krb5/locate_plugin.h | 81 + third_party/heimdal/lib/krb5/log.c | 252 + third_party/heimdal/lib/krb5/mcache.c | 623 + third_party/heimdal/lib/krb5/misc.c | 111 + third_party/heimdal/lib/krb5/mit_glue.c | 434 + third_party/heimdal/lib/krb5/mk_cred.c | 324 + third_party/heimdal/lib/krb5/mk_error.c | 117 + third_party/heimdal/lib/krb5/mk_priv.c | 151 + third_party/heimdal/lib/krb5/mk_rep.c | 119 + third_party/heimdal/lib/krb5/mk_req.c | 114 + third_party/heimdal/lib/krb5/mk_req_ext.c | 151 + third_party/heimdal/lib/krb5/mk_safe.c | 139 + third_party/heimdal/lib/krb5/n-fold-test.c | 119 + third_party/heimdal/lib/krb5/n-fold.c | 150 + third_party/heimdal/lib/krb5/net_read.c | 53 + third_party/heimdal/lib/krb5/net_write.c | 118 + third_party/heimdal/lib/krb5/pac.c | 2130 + third_party/heimdal/lib/krb5/padata.c | 62 + third_party/heimdal/lib/krb5/parse-name-test.c | 192 + third_party/heimdal/lib/krb5/pcache.c | 81 + third_party/heimdal/lib/krb5/pkinit-ec.c | 241 + third_party/heimdal/lib/krb5/pkinit.c | 2674 + third_party/heimdal/lib/krb5/plugin.c | 208 + third_party/heimdal/lib/krb5/principal.c | 2205 + third_party/heimdal/lib/krb5/prog_setup.c | 64 + third_party/heimdal/lib/krb5/prompter_posix.c | 72 + third_party/heimdal/lib/krb5/pseudo-random-test.c | 112 + third_party/heimdal/lib/krb5/rd_cred.c 
| 348 + third_party/heimdal/lib/krb5/rd_error.c | 125 + third_party/heimdal/lib/krb5/rd_priv.c | 184 + third_party/heimdal/lib/krb5/rd_rep.c | 121 + third_party/heimdal/lib/krb5/rd_req.c | 1108 + third_party/heimdal/lib/krb5/rd_safe.c | 214 + third_party/heimdal/lib/krb5/read_message.c | 104 + third_party/heimdal/lib/krb5/recvauth.c | 264 + third_party/heimdal/lib/krb5/replay.c | 328 + third_party/heimdal/lib/krb5/salt-aes-sha1.c | 102 + third_party/heimdal/lib/krb5/salt-aes-sha2.c | 135 + third_party/heimdal/lib/krb5/salt-arcfour.c | 107 + third_party/heimdal/lib/krb5/salt-des.c | 222 + third_party/heimdal/lib/krb5/salt-des3.c | 146 + third_party/heimdal/lib/krb5/salt.c | 362 + third_party/heimdal/lib/krb5/scache.c | 1599 + third_party/heimdal/lib/krb5/send_to_kdc.c | 1357 + third_party/heimdal/lib/krb5/send_to_kdc_plugin.h | 70 + third_party/heimdal/lib/krb5/sendauth.c | 255 + third_party/heimdal/lib/krb5/set_default_realm.c | 85 + third_party/heimdal/lib/krb5/sock_principal.c | 68 + third_party/heimdal/lib/krb5/sp800-108-kdf.c | 100 + third_party/heimdal/lib/krb5/store-int.c | 67 + third_party/heimdal/lib/krb5/store-int.h | 50 + third_party/heimdal/lib/krb5/store-test.c | 117 + third_party/heimdal/lib/krb5/store.c | 2041 + third_party/heimdal/lib/krb5/store_emem.c | 214 + third_party/heimdal/lib/krb5/store_fd.c | 200 + third_party/heimdal/lib/krb5/store_mem.c | 212 + third_party/heimdal/lib/krb5/store_sock.c | 160 + third_party/heimdal/lib/krb5/store_stdio.c | 264 + third_party/heimdal/lib/krb5/string-to-key-test.c | 140 + third_party/heimdal/lib/krb5/test_acl.c | 118 + third_party/heimdal/lib/krb5/test_addr.c | 239 + third_party/heimdal/lib/krb5/test_alname.c | 219 + third_party/heimdal/lib/krb5/test_ap-req.c | 228 + third_party/heimdal/lib/krb5/test_canon.c | 177 + third_party/heimdal/lib/krb5/test_cc.c | 1218 + third_party/heimdal/lib/krb5/test_config.c | 246 + .../heimdal/lib/krb5/test_config_strings.cfg | 12 + third_party/heimdal/lib/krb5/test_crypto.c | 
216 + .../heimdal/lib/krb5/test_crypto_wrapping.c | 168 + third_party/heimdal/lib/krb5/test_expand_toks.c | 104 + third_party/heimdal/lib/krb5/test_forward.c | 134 + third_party/heimdal/lib/krb5/test_fx.c | 253 + third_party/heimdal/lib/krb5/test_get_addrs.c | 111 + third_party/heimdal/lib/krb5/test_gic.c | 148 + third_party/heimdal/lib/krb5/test_hostname.c | 150 + third_party/heimdal/lib/krb5/test_keytab.c | 291 + third_party/heimdal/lib/krb5/test_kuserok.c | 109 + third_party/heimdal/lib/krb5/test_mem.c | 71 + third_party/heimdal/lib/krb5/test_mkforwardable.c | 191 + third_party/heimdal/lib/krb5/test_pac.c | 1255 + third_party/heimdal/lib/krb5/test_pkinit_dh2key.c | 216 + third_party/heimdal/lib/krb5/test_pknistkdf.c | 373 + third_party/heimdal/lib/krb5/test_plugin.c | 131 + third_party/heimdal/lib/krb5/test_prf.c | 100 + third_party/heimdal/lib/krb5/test_princ.c | 365 + third_party/heimdal/lib/krb5/test_renew.c | 119 + third_party/heimdal/lib/krb5/test_rfc3961.c | 522 + third_party/heimdal/lib/krb5/test_set_kvno0.c | 182 + third_party/heimdal/lib/krb5/test_store.c | 364 + third_party/heimdal/lib/krb5/test_time.c | 85 + third_party/heimdal/lib/krb5/test_x500.c | 110 + third_party/heimdal/lib/krb5/ticket.c | 967 + third_party/heimdal/lib/krb5/time.c | 138 + third_party/heimdal/lib/krb5/transited.c | 699 + third_party/heimdal/lib/krb5/verify_init.c | 246 + .../heimdal/lib/krb5/verify_krb5_conf-version.rc | 36 + third_party/heimdal/lib/krb5/verify_krb5_conf.8 | 95 + third_party/heimdal/lib/krb5/verify_krb5_conf.c | 795 + third_party/heimdal/lib/krb5/verify_user.c | 258 + third_party/heimdal/lib/krb5/version-script.map | 886 + third_party/heimdal/lib/krb5/version.c | 39 + third_party/heimdal/lib/krb5/warn.c | 330 + third_party/heimdal/lib/krb5/write_message.c | 87 + third_party/heimdal/lib/libedit/COPYING | 30 + third_party/heimdal/lib/libedit/ChangeLog | 300 + third_party/heimdal/lib/libedit/INSTALL | 229 + third_party/heimdal/lib/libedit/Makefile.am | 9 + 
third_party/heimdal/lib/libedit/THANKS | 1 + third_party/heimdal/lib/libedit/acinclude.m4 | 66 + third_party/heimdal/lib/libedit/config.h.in | 218 + third_party/heimdal/lib/libedit/configure.ac | 111 + third_party/heimdal/lib/libedit/doc/Makefile.am | 33 + .../heimdal/lib/libedit/doc/editline.3.roff | 883 + third_party/heimdal/lib/libedit/doc/editrc.5.roff | 490 + third_party/heimdal/lib/libedit/doc/mdoc2man.awk | 459 + .../heimdal/lib/libedit/examples/Makefile.am | 14 + third_party/heimdal/lib/libedit/examples/fileman.c | 496 + third_party/heimdal/lib/libedit/examples/tc1.c | 309 + third_party/heimdal/lib/libedit/examples/wtc1.c | 269 + third_party/heimdal/lib/libedit/libedit.pc.in | 12 + third_party/heimdal/lib/libedit/src/Makefile.am | 43 + third_party/heimdal/lib/libedit/src/chared.c | 753 + third_party/heimdal/lib/libedit/src/chared.h | 155 + third_party/heimdal/lib/libedit/src/chartype.c | 340 + third_party/heimdal/lib/libedit/src/chartype.h | 114 + third_party/heimdal/lib/libedit/src/common.c | 835 + third_party/heimdal/lib/libedit/src/editline.3 | 997 + third_party/heimdal/lib/libedit/src/editline.7 | 935 + third_party/heimdal/lib/libedit/src/editrc.5 | 317 + third_party/heimdal/lib/libedit/src/el.c | 640 + third_party/heimdal/lib/libedit/src/el.h | 153 + third_party/heimdal/lib/libedit/src/eln.c | 388 + third_party/heimdal/lib/libedit/src/emacs.c | 512 + third_party/heimdal/lib/libedit/src/filecomplete.c | 573 + third_party/heimdal/lib/libedit/src/filecomplete.h | 44 + third_party/heimdal/lib/libedit/src/getline.c | 128 + third_party/heimdal/lib/libedit/src/hist.c | 245 + third_party/heimdal/lib/libedit/src/hist.h | 79 + third_party/heimdal/lib/libedit/src/histedit.h | 313 + third_party/heimdal/lib/libedit/src/history.c | 1157 + third_party/heimdal/lib/libedit/src/historyn.c | 3 + third_party/heimdal/lib/libedit/src/keymacro.c | 669 + third_party/heimdal/lib/libedit/src/keymacro.h | 76 + third_party/heimdal/lib/libedit/src/makelist | 177 + 
third_party/heimdal/lib/libedit/src/map.c | 1427 + third_party/heimdal/lib/libedit/src/map.h | 79 + third_party/heimdal/lib/libedit/src/parse.c | 289 + third_party/heimdal/lib/libedit/src/parse.h | 48 + third_party/heimdal/lib/libedit/src/prompt.c | 199 + third_party/heimdal/lib/libedit/src/prompt.h | 58 + third_party/heimdal/lib/libedit/src/read.c | 628 + third_party/heimdal/lib/libedit/src/read.h | 45 + third_party/heimdal/lib/libedit/src/readline.c | 2367 + .../heimdal/lib/libedit/src/readline/readline.h | 227 + third_party/heimdal/lib/libedit/src/refresh.c | 1187 + third_party/heimdal/lib/libedit/src/refresh.h | 57 + third_party/heimdal/lib/libedit/src/search.c | 641 + third_party/heimdal/lib/libedit/src/search.h | 64 + third_party/heimdal/lib/libedit/src/shlib_version | 5 + third_party/heimdal/lib/libedit/src/sig.c | 205 + third_party/heimdal/lib/libedit/src/sig.h | 70 + third_party/heimdal/lib/libedit/src/sys.h | 112 + third_party/heimdal/lib/libedit/src/terminal.c | 1691 + third_party/heimdal/lib/libedit/src/terminal.h | 125 + third_party/heimdal/lib/libedit/src/tokenizer.c | 466 + third_party/heimdal/lib/libedit/src/tokenizern.c | 3 + third_party/heimdal/lib/libedit/src/tty.c | 1342 + third_party/heimdal/lib/libedit/src/tty.h | 481 + third_party/heimdal/lib/libedit/src/unvis.c | 553 + third_party/heimdal/lib/libedit/src/vi.c | 1157 + third_party/heimdal/lib/libedit/src/vis.c | 728 + third_party/heimdal/lib/libedit/src/vis.h | 120 + third_party/heimdal/lib/libedit/src/wcsdup.c | 43 + third_party/heimdal/lib/ntlm/ChangeLog | 120 + third_party/heimdal/lib/ntlm/Makefile.am | 49 + third_party/heimdal/lib/ntlm/NTMakefile | 90 + third_party/heimdal/lib/ntlm/apop.c | 263 + third_party/heimdal/lib/ntlm/digest.c | 994 + third_party/heimdal/lib/ntlm/heim-auth.h | 135 + third_party/heimdal/lib/ntlm/heimntlm.h | 166 + .../heimdal/lib/ntlm/libheimntlm-exports.def | 24 + .../heimdal/lib/ntlm/libheimntlm-version.rc | 36 + third_party/heimdal/lib/ntlm/ntlm.c | 2030 + 
third_party/heimdal/lib/ntlm/ntlm_err.et | 60 + third_party/heimdal/lib/ntlm/test_commonauth.c | 425 + third_party/heimdal/lib/ntlm/test_ntlm.c | 617 + third_party/heimdal/lib/ntlm/version-script.map | 30 + third_party/heimdal/lib/otp/ChangeLog | 128 + third_party/heimdal/lib/otp/Makefile.am | 90 + third_party/heimdal/lib/otp/NTMakefile | 35 + third_party/heimdal/lib/otp/otp.c | 63 + third_party/heimdal/lib/otp/otp.h | 101 + third_party/heimdal/lib/otp/otp_challenge.c | 68 + third_party/heimdal/lib/otp/otp_db.c | 233 + third_party/heimdal/lib/otp/otp_locl.h | 70 + third_party/heimdal/lib/otp/otp_md.c | 231 + third_party/heimdal/lib/otp/otp_md.h | 46 + third_party/heimdal/lib/otp/otp_parse.c | 2522 + third_party/heimdal/lib/otp/otp_print.c | 99 + third_party/heimdal/lib/otp/otp_verify.c | 78 + third_party/heimdal/lib/otp/otptest.c | 142 + third_party/heimdal/lib/otp/roken_rename.h | 73 + third_party/heimdal/lib/otp/version-script.map | 25 + third_party/heimdal/lib/roken/ChangeLog | 2229 + third_party/heimdal/lib/roken/Makefile.am | 290 + third_party/heimdal/lib/roken/NTMakefile | 312 + third_party/heimdal/lib/roken/base32-test.c | 106 + third_party/heimdal/lib/roken/base32.c | 315 + third_party/heimdal/lib/roken/base32.h | 61 + third_party/heimdal/lib/roken/base64-test.c | 97 + third_party/heimdal/lib/roken/base64.c | 258 + third_party/heimdal/lib/roken/base64.h | 55 + third_party/heimdal/lib/roken/bswap.c | 74 + third_party/heimdal/lib/roken/chown.c | 42 + third_party/heimdal/lib/roken/cloexec.c | 75 + third_party/heimdal/lib/roken/closefrom.c | 57 + third_party/heimdal/lib/roken/clz.c | 69 + third_party/heimdal/lib/roken/concat.c | 110 + third_party/heimdal/lib/roken/copyhostent.c | 98 + third_party/heimdal/lib/roken/ct.c | 82 + third_party/heimdal/lib/roken/daemon.c | 80 + third_party/heimdal/lib/roken/detach.c | 226 + third_party/heimdal/lib/roken/dirent-test.c | 278 + third_party/heimdal/lib/roken/dirent.c | 235 + third_party/heimdal/lib/roken/dirent.hin | 66 + 
third_party/heimdal/lib/roken/dlfcn.hin | 109 + third_party/heimdal/lib/roken/dlfcn_w32.c | 700 + third_party/heimdal/lib/roken/doxygen.c | 44 + third_party/heimdal/lib/roken/dumpdata.c | 96 + third_party/heimdal/lib/roken/ecalloc.3 | 84 + third_party/heimdal/lib/roken/ecalloc.c | 53 + third_party/heimdal/lib/roken/emalloc.c | 53 + third_party/heimdal/lib/roken/environment.c | 162 + third_party/heimdal/lib/roken/eread.c | 51 + third_party/heimdal/lib/roken/erealloc.c | 53 + third_party/heimdal/lib/roken/err.c | 46 + third_party/heimdal/lib/roken/err.hin | 99 + third_party/heimdal/lib/roken/errx.c | 45 + third_party/heimdal/lib/roken/esetenv.c | 45 + third_party/heimdal/lib/roken/estrdup.c | 53 + third_party/heimdal/lib/roken/ewrite.c | 51 + third_party/heimdal/lib/roken/fchown.c | 42 + third_party/heimdal/lib/roken/flock.c | 154 + third_party/heimdal/lib/roken/fnmatch.c | 175 + third_party/heimdal/lib/roken/fnmatch.hin | 66 + third_party/heimdal/lib/roken/freeaddrinfo.c | 54 + third_party/heimdal/lib/roken/freehostent.c | 59 + third_party/heimdal/lib/roken/fseeko.c | 48 + third_party/heimdal/lib/roken/ftello.c | 48 + third_party/heimdal/lib/roken/gai_strerror.c | 74 + third_party/heimdal/lib/roken/get_window_size.c | 132 + third_party/heimdal/lib/roken/getaddrinfo-test.c | 151 + third_party/heimdal/lib/roken/getaddrinfo.c | 414 + .../heimdal/lib/roken/getaddrinfo_hostspec.c | 101 + third_party/heimdal/lib/roken/getarg.3 | 341 + third_party/heimdal/lib/roken/getarg.c | 607 + third_party/heimdal/lib/roken/getarg.h | 112 + third_party/heimdal/lib/roken/getauxval.c | 255 + third_party/heimdal/lib/roken/getauxval.h | 176 + third_party/heimdal/lib/roken/getcwd.c | 54 + third_party/heimdal/lib/roken/getdtablesize.c | 99 + third_party/heimdal/lib/roken/getegid.c | 46 + third_party/heimdal/lib/roken/geteuid.c | 46 + third_party/heimdal/lib/roken/getgid.c | 45 + third_party/heimdal/lib/roken/gethostname.c | 70 + third_party/heimdal/lib/roken/getifaddrs-test.c | 137 + 
third_party/heimdal/lib/roken/getifaddrs.c | 1309 + third_party/heimdal/lib/roken/getifaddrs_w32.c | 161 + third_party/heimdal/lib/roken/getipnodebyaddr.c | 71 + third_party/heimdal/lib/roken/getipnodebyname.c | 83 + third_party/heimdal/lib/roken/getnameinfo.c | 124 + .../heimdal/lib/roken/getnameinfo_verified.c | 94 + third_party/heimdal/lib/roken/getopt.c | 124 + third_party/heimdal/lib/roken/getprogname.c | 48 + third_party/heimdal/lib/roken/gettimeofday.c | 94 + third_party/heimdal/lib/roken/getuid.c | 45 + third_party/heimdal/lib/roken/getuserinfo.c | 334 + third_party/heimdal/lib/roken/getusershell.c | 185 + third_party/heimdal/lib/roken/h_errno.c | 38 + third_party/heimdal/lib/roken/hex-test.c | 115 + third_party/heimdal/lib/roken/hex.c | 114 + third_party/heimdal/lib/roken/hex.h | 57 + third_party/heimdal/lib/roken/hostent_find_fqdn.c | 56 + third_party/heimdal/lib/roken/hstrerror.c | 78 + third_party/heimdal/lib/roken/ifaddrs.hin | 79 + third_party/heimdal/lib/roken/inet_aton.c | 46 + third_party/heimdal/lib/roken/inet_ntop.c | 151 + third_party/heimdal/lib/roken/inet_pton.c | 116 + third_party/heimdal/lib/roken/initgroups.c | 42 + third_party/heimdal/lib/roken/innetgr.c | 45 + third_party/heimdal/lib/roken/install-sh | 251 + third_party/heimdal/lib/roken/issuid.c | 276 + third_party/heimdal/lib/roken/localtime_r.c | 60 + third_party/heimdal/lib/roken/lstat.c | 42 + third_party/heimdal/lib/roken/memmem.c | 72 + third_party/heimdal/lib/roken/memmove.c | 62 + third_party/heimdal/lib/roken/memset_s.c | 51 + third_party/heimdal/lib/roken/mergesort.c | 50 + third_party/heimdal/lib/roken/mergesort_r.c | 339 + third_party/heimdal/lib/roken/mini_inetd.c | 197 + third_party/heimdal/lib/roken/missing | 190 + third_party/heimdal/lib/roken/mkdir.c | 53 + third_party/heimdal/lib/roken/mkdtemp.c | 87 + third_party/heimdal/lib/roken/mkinstalldirs | 40 + third_party/heimdal/lib/roken/mkostemp.c | 87 + third_party/heimdal/lib/roken/mkstemp.c | 82 + 
third_party/heimdal/lib/roken/ndbm_wrap.c | 227 + third_party/heimdal/lib/roken/ndbm_wrap.h | 93 + third_party/heimdal/lib/roken/net_read.c | 118 + third_party/heimdal/lib/roken/net_write.c | 134 + third_party/heimdal/lib/roken/parse_bytes-test.c | 89 + third_party/heimdal/lib/roken/parse_bytes.c | 81 + third_party/heimdal/lib/roken/parse_bytes.h | 50 + third_party/heimdal/lib/roken/parse_reply-test.c | 126 + third_party/heimdal/lib/roken/parse_time-test.c | 118 + third_party/heimdal/lib/roken/parse_time.3 | 173 + third_party/heimdal/lib/roken/parse_time.c | 104 + third_party/heimdal/lib/roken/parse_time.h | 72 + third_party/heimdal/lib/roken/parse_units.c | 525 + third_party/heimdal/lib/roken/parse_units.h | 116 + third_party/heimdal/lib/roken/putenv.c | 79 + third_party/heimdal/lib/roken/qsort.c | 203 + third_party/heimdal/lib/roken/rand.c | 74 + third_party/heimdal/lib/roken/rcmd.c | 49 + third_party/heimdal/lib/roken/readv.c | 64 + third_party/heimdal/lib/roken/realloc.c | 47 + third_party/heimdal/lib/roken/recvmsg.c | 66 + third_party/heimdal/lib/roken/rename.c | 49 + third_party/heimdal/lib/roken/resolve-test.c | 309 + third_party/heimdal/lib/roken/resolve.c | 956 + third_party/heimdal/lib/roken/resolve.h | 251 + third_party/heimdal/lib/roken/rkpty.c | 392 + third_party/heimdal/lib/roken/roken-common.h | 566 + third_party/heimdal/lib/roken/roken.awk | 46 + third_party/heimdal/lib/roken/roken.h.in | 1330 + third_party/heimdal/lib/roken/roken_gethostby.c | 292 + third_party/heimdal/lib/roken/rtbl.3 | 201 + third_party/heimdal/lib/roken/rtbl.c | 558 + third_party/heimdal/lib/roken/rtbl.h | 124 + third_party/heimdal/lib/roken/search.hin | 44 + third_party/heimdal/lib/roken/secure_getenv.c | 47 + third_party/heimdal/lib/roken/secure_getenv.h | 42 + third_party/heimdal/lib/roken/sendmsg.c | 148 + third_party/heimdal/lib/roken/setegid.c | 54 + third_party/heimdal/lib/roken/setenv.c | 74 + third_party/heimdal/lib/roken/seteuid.c | 54 + 
third_party/heimdal/lib/roken/setprogname.c | 91 + third_party/heimdal/lib/roken/signal.c | 77 + third_party/heimdal/lib/roken/simple_exec.c | 325 + third_party/heimdal/lib/roken/simple_exec_w32.c | 431 + third_party/heimdal/lib/roken/sleep.c | 55 + third_party/heimdal/lib/roken/snprintf-test.c | 268 + third_party/heimdal/lib/roken/snprintf.c | 700 + third_party/heimdal/lib/roken/socket.c | 371 + third_party/heimdal/lib/roken/socket_wrapper.c | 1911 + third_party/heimdal/lib/roken/socket_wrapper.h | 146 + third_party/heimdal/lib/roken/sockstartup_w32.c | 75 + third_party/heimdal/lib/roken/stdbool.hin | 13 + third_party/heimdal/lib/roken/stdint.hin | 43 + third_party/heimdal/lib/roken/strcasecmp.c | 55 + third_party/heimdal/lib/roken/strcollect.c | 93 + third_party/heimdal/lib/roken/strdup.c | 47 + third_party/heimdal/lib/roken/strerror.c | 54 + third_party/heimdal/lib/roken/strerror_r.c | 84 + third_party/heimdal/lib/roken/strftime.c | 402 + third_party/heimdal/lib/roken/strlcat.c | 60 + third_party/heimdal/lib/roken/strlcpy.c | 73 + third_party/heimdal/lib/roken/strlwr.c | 50 + third_party/heimdal/lib/roken/strncasecmp.c | 59 + third_party/heimdal/lib/roken/strndup.c | 53 + third_party/heimdal/lib/roken/strnlen.c | 46 + third_party/heimdal/lib/roken/strpftime-test.c | 295 + third_party/heimdal/lib/roken/strpftime-test.h | 61 + third_party/heimdal/lib/roken/strpool.c | 114 + third_party/heimdal/lib/roken/strptime.c | 449 + third_party/heimdal/lib/roken/strsep.c | 58 + third_party/heimdal/lib/roken/strsep_copy.c | 66 + third_party/heimdal/lib/roken/strtok_r.c | 62 + third_party/heimdal/lib/roken/strtoll.c | 155 + third_party/heimdal/lib/roken/strtoull.c | 129 + third_party/heimdal/lib/roken/strupr.c | 50 + third_party/heimdal/lib/roken/swab.c | 50 + third_party/heimdal/lib/roken/syslog.hin | 248 + third_party/heimdal/lib/roken/syslogc.c | 339 + third_party/heimdal/lib/roken/test-auxval.c | 236 + third_party/heimdal/lib/roken/test-detach.c | 100 + 
third_party/heimdal/lib/roken/test-getuserinfo.c | 136 + third_party/heimdal/lib/roken/test-mem.c | 215 + third_party/heimdal/lib/roken/test-mem.h | 39 + third_party/heimdal/lib/roken/test-mini_inetd.c | 371 + third_party/heimdal/lib/roken/test-readenv.c | 115 + third_party/heimdal/lib/roken/timegm.c | 85 + third_party/heimdal/lib/roken/timeval.c | 286 + third_party/heimdal/lib/roken/tm2time.c | 58 + third_party/heimdal/lib/roken/tsearch-test.c | 125 + third_party/heimdal/lib/roken/tsearch.c | 175 + third_party/heimdal/lib/roken/unsetenv.c | 69 + third_party/heimdal/lib/roken/unvis.c | 283 + third_party/heimdal/lib/roken/verr.c | 44 + third_party/heimdal/lib/roken/verrx.c | 44 + third_party/heimdal/lib/roken/version-script.map | 238 + third_party/heimdal/lib/roken/versionsupport.h | 139 + third_party/heimdal/lib/roken/vis-extras.h | 27 + third_party/heimdal/lib/roken/vis.c | 649 + third_party/heimdal/lib/roken/vis.hin | 170 + third_party/heimdal/lib/roken/vsyslog.c | 113 + third_party/heimdal/lib/roken/vwarn.c | 43 + third_party/heimdal/lib/roken/vwarnx.c | 44 + third_party/heimdal/lib/roken/warn.c | 46 + third_party/heimdal/lib/roken/warnerr.c | 58 + third_party/heimdal/lib/roken/warnx.c | 45 + third_party/heimdal/lib/roken/win32_alloc.c | 76 + third_party/heimdal/lib/roken/win32_version.c | 128 + third_party/heimdal/lib/roken/write_pid.c | 117 + third_party/heimdal/lib/roken/writev.c | 61 + third_party/heimdal/lib/roken/xdbm.h | 52 + third_party/heimdal/lib/roken/xfree.c | 42 + third_party/heimdal/lib/sl/ChangeLog | 329 + third_party/heimdal/lib/sl/Makefile.am | 50 + third_party/heimdal/lib/sl/NTMakefile | 74 + third_party/heimdal/lib/sl/roken_rename.h | 67 + third_party/heimdal/lib/sl/sl.c | 499 + third_party/heimdal/lib/sl/sl.h | 71 + third_party/heimdal/lib/sl/sl_locl.h | 45 + third_party/heimdal/lib/sl/slc-gram.y | 791 + third_party/heimdal/lib/sl/slc-lex.l | 158 + third_party/heimdal/lib/sl/slc.h | 56 + third_party/heimdal/lib/sl/test_sl.c | 98 + 
third_party/heimdal/lib/sqlite/Makefile.am | 20 + third_party/heimdal/lib/sqlite/NTMakefile | 52 + third_party/heimdal/lib/sqlite/README | 25 + third_party/heimdal/lib/sqlite/sqlite3.c | 231382 ++++++++++++++++++ third_party/heimdal/lib/sqlite/sqlite3.h | 12229 + third_party/heimdal/lib/sqlite/sqlite3ext.h | 659 + third_party/heimdal/lib/vers/ChangeLog | 74 + third_party/heimdal/lib/vers/Makefile.am | 13 + third_party/heimdal/lib/vers/NTMakefile | 56 + third_party/heimdal/lib/vers/make-print-version.c | 66 + third_party/heimdal/lib/vers/print_version.c | 59 + third_party/heimdal/lib/vers/vers.h | 41 + third_party/heimdal/lib/wind/ChangeLog | 136 + .../lib/wind/CompositionExclusions-3.2.0.txt | 176 + .../heimdal/lib/wind/DerivedNormalizationProps.txt | 2574 + third_party/heimdal/lib/wind/Makefile.am | 147 + third_party/heimdal/lib/wind/NTMakefile | 159 + .../heimdal/lib/wind/NormalizationCorrections.txt | 43 + third_party/heimdal/lib/wind/NormalizationTest.txt | 17166 ++ third_party/heimdal/lib/wind/UnicodeData.py | 57 + third_party/heimdal/lib/wind/UnicodeData.txt | 15100 ++ third_party/heimdal/lib/wind/bidi.c | 92 + third_party/heimdal/lib/wind/combining.c | 62 + third_party/heimdal/lib/wind/doxygen.c | 47 + third_party/heimdal/lib/wind/errorlist.c | 77 + third_party/heimdal/lib/wind/gen-bidi.py | 102 + third_party/heimdal/lib/wind/gen-combining.py | 104 + third_party/heimdal/lib/wind/gen-errorlist.py | 121 + third_party/heimdal/lib/wind/gen-map.py | 158 + third_party/heimdal/lib/wind/gen-normalize.py | 211 + .../heimdal/lib/wind/gen-punycode-examples.py | 130 + third_party/heimdal/lib/wind/generate.py | 86 + third_party/heimdal/lib/wind/idn-lookup.c | 164 + third_party/heimdal/lib/wind/ldap.c | 91 + third_party/heimdal/lib/wind/libwind-exports.def | 27 + third_party/heimdal/lib/wind/map.c | 85 + third_party/heimdal/lib/wind/normalize.c | 325 + third_party/heimdal/lib/wind/punycode.c | 168 + third_party/heimdal/lib/wind/rfc3454.py | 60 + 
third_party/heimdal/lib/wind/rfc4518.py | 150 + third_party/heimdal/lib/wind/stringprep.c | 145 + third_party/heimdal/lib/wind/stringprep.py | 92 + third_party/heimdal/lib/wind/test-bidi.c | 81 + third_party/heimdal/lib/wind/test-ldap.c | 128 + third_party/heimdal/lib/wind/test-map.c | 98 + third_party/heimdal/lib/wind/test-normalize.c | 176 + third_party/heimdal/lib/wind/test-prohibited.c | 138 + third_party/heimdal/lib/wind/test-punycode.c | 83 + third_party/heimdal/lib/wind/test-rw.c | 186 + third_party/heimdal/lib/wind/test-utf8.c | 174 + third_party/heimdal/lib/wind/utf8.c | 527 + third_party/heimdal/lib/wind/util.py | 48 + third_party/heimdal/lib/wind/version-script.map | 29 + third_party/heimdal/lib/wind/wind.h | 86 + third_party/heimdal/lib/wind/wind_err.et | 23 + third_party/heimdal/lib/wind/windlocl.h | 67 + third_party/heimdal/packages/ChangeLog | 26 + third_party/heimdal/packages/Makefile.am | 7 + third_party/heimdal/packages/NTMakefile | 36 + third_party/heimdal/packages/mac/Info.plist | 36 + third_party/heimdal/packages/mac/Makefile.am | 9 + .../packages/mac/Resources/Description.plist | 10 + .../mac/Resources/English.lproj/Welcome.rtf | 8 + third_party/heimdal/packages/mac/mac.sh | 56 + third_party/heimdal/packages/windows/NTMakefile | 40 + .../assembly/Heimdal.Application.manifest.in | 12 + .../windows/assembly/Heimdal.Kerberos.manifest.in | 19 + .../heimdal/packages/windows/assembly/NTMakefile | 192 + .../windows/assembly/policy.Heimdal.Kerberos.in | 19 + .../heimdal/packages/windows/installer/NTMakefile | 292 + .../windows/installer/heimdal-assemblies.wxs | 52 + .../packages/windows/installer/heimdal-command.wxs | 277 + .../packages/windows/installer/heimdal-gss.wxs | 94 + .../windows/installer/heimdal-installer.wxs | 421 + .../packages/windows/installer/heimdal-policy.wxs | 51 + .../windows/installer/images/Heimdal_banner.bmp | Bin 0 -> 85894 bytes .../windows/installer/images/Heimdal_banner.png | Bin 0 -> 8222 bytes 
.../windows/installer/images/Heimdal_dialog.bmp | Bin 0 -> 461814 bytes .../windows/installer/images/Heimdal_dialog.png | Bin 0 -> 18168 bytes .../packages/windows/installer/lang/en-us.wxl | 15 + .../windows/installer/lang/license-en-us.rtf | Bin 0 -> 2007 bytes .../heimdal/packages/windows/sdk/NTMakefile | 181 + third_party/heimdal/po/Makefile.am | 76 + third_party/heimdal/po/gen-po.in | 39 + .../heimdal/po/heim_com_err-1750206208/de.po | 59 + .../heim_com_err-1750206208.pot | 56 + .../heimdal/po/heim_com_err-1765328384/de.po | 992 + .../heim_com_err-1765328384.pot | 979 + .../heimdal/po/heim_com_err-1765328384/sv_SE.mo | Bin 0 -> 1549 bytes .../heimdal/po/heim_com_err-1765328384/sv_SE.po | 980 + .../heimdal/po/heim_com_err-1980176640/de.po | 258 + .../heim_com_err-1980176640.pot | 256 + .../heimdal/po/heim_com_err-969269760/de.po | 73 + .../heim_com_err-969269760.pot | 71 + .../heimdal/po/heim_com_err1859794432/de.po | 95 + .../heim_com_err1859794432.pot | 91 + third_party/heimdal/po/heim_com_err35224064/de.po | 230 + .../heim_com_err35224064/heim_com_err35224064.pot | 225 + third_party/heimdal/po/heim_com_err36150272/de.po | 85 + .../heim_com_err36150272/heim_com_err36150272.pot | 82 + third_party/heimdal/po/heim_com_err39525376/de.po | 276 + .../heim_com_err39525376/heim_com_err39525376.pot | 274 + third_party/heimdal/po/heim_com_err43787520/de.po | 277 + .../heim_com_err43787520/heim_com_err43787520.pot | 262 + third_party/heimdal/po/heim_com_err569856/de.po | 427 + .../po/heim_com_err569856/heim_com_err569856.pot | 419 + third_party/heimdal/po/heimdal_krb5/de.po | 1618 + .../heimdal/po/heimdal_krb5/heimdal_krb5.pot | 1793 + third_party/heimdal/po/heimdal_krb5/sv_SE.mo | Bin 0 -> 1229 bytes third_party/heimdal/po/heimdal_krb5/sv_SE.po | 1759 + third_party/heimdal/po/heimdal_kuser/de.po | 424 + .../heimdal/po/heimdal_kuser/heimdal_kuser.pot | 416 + third_party/heimdal/po/heimdal_kuser/sv_SE.mo | Bin 0 -> 2272 bytes third_party/heimdal/po/heimdal_kuser/sv_SE.po 
| 412 + third_party/heimdal/po/localefiles | 3 + third_party/heimdal/rebase-lorikeet.sh | 103 + third_party/heimdal/tests/ChangeLog | 793 + third_party/heimdal/tests/Makefile.am | 13 + third_party/heimdal/tests/NTMakefile | 35 + third_party/heimdal/tests/bin/Makefile.am | 30 + third_party/heimdal/tests/bin/intr.c | 56 + third_party/heimdal/tests/bin/setup-env.in | 88 + third_party/heimdal/tests/can/Makefile.am | 58 + third_party/heimdal/tests/can/NTMakefile | 35 + third_party/heimdal/tests/can/apple-10.4.kadm | 4 + third_party/heimdal/tests/can/apple-10.4.req | Bin 0 -> 1199 bytes third_party/heimdal/tests/can/check-can.in | 66 + third_party/heimdal/tests/can/heim-0.8.kadm | 4 + third_party/heimdal/tests/can/heim-0.8.req | Bin 0 -> 1177 bytes third_party/heimdal/tests/can/krb5.conf.in | 29 + .../heimdal/tests/can/mit-pkinit-20070607.ca.crt | 23 + .../heimdal/tests/can/mit-pkinit-20070607.kadm | 3 + .../heimdal/tests/can/mit-pkinit-20070607.req | Bin 0 -> 2352 bytes .../heimdal/tests/can/mit-pkinit-20070607.xf | 31 + third_party/heimdal/tests/can/test_can.in | 79 + third_party/heimdal/tests/db/Makefile.am | 103 + third_party/heimdal/tests/db/NTMakefile | 35 + third_party/heimdal/tests/db/add-modify-delete.in | 140 + third_party/heimdal/tests/db/check-aliases.in | 134 + third_party/heimdal/tests/db/check-dbinfo.in | 52 + third_party/heimdal/tests/db/have-db.in | 72 + third_party/heimdal/tests/db/krb5-mit.conf.in | 18 + third_party/heimdal/tests/db/krb5.conf.in | 32 + third_party/heimdal/tests/db/loaddump-db.in | 134 + third_party/heimdal/tests/db/text-dump-0.7 | 7 + third_party/heimdal/tests/db/text-dump-known-ext | 7 + third_party/heimdal/tests/db/text-dump-no-ext | 7 + third_party/heimdal/tests/db/text-dump-unknown-ext | 7 + third_party/heimdal/tests/gss/Makefile.am | 103 + third_party/heimdal/tests/gss/NTMakefile | 35 + third_party/heimdal/tests/gss/check-basic.in | 219 + third_party/heimdal/tests/gss/check-context.in | 582 + 
third_party/heimdal/tests/gss/check-gss.in | 50 + third_party/heimdal/tests/gss/check-gssmask.in | 137 + third_party/heimdal/tests/gss/check-negoex.in | 278 + third_party/heimdal/tests/gss/check-ntlm.in | 168 + third_party/heimdal/tests/gss/check-spnego.in | 246 + third_party/heimdal/tests/gss/include-krb5.conf | 17 + third_party/heimdal/tests/gss/krb5.conf.in | 53 + third_party/heimdal/tests/gss/mech.in | 5 + .../heimdal/tests/gss/new_clients_k5.conf.in | 5 + third_party/heimdal/tests/gss/ntlm-user-file.txt | 2 + third_party/heimdal/tests/java/KerberosInit.java | 95 + third_party/heimdal/tests/java/Makefile.am | 46 + third_party/heimdal/tests/java/NTMakefile | 35 + third_party/heimdal/tests/java/check-kinit.in | 147 + third_party/heimdal/tests/java/have-java.sh | 58 + third_party/heimdal/tests/java/jaas.conf | 14 + third_party/heimdal/tests/java/krb5.conf.in | 32 + third_party/heimdal/tests/kdc/Makefile.am | 441 + third_party/heimdal/tests/kdc/NTMakefile | 35 + third_party/heimdal/tests/kdc/an2ln-db.txt | 144 + third_party/heimdal/tests/kdc/check-authz.in | 134 + third_party/heimdal/tests/kdc/check-bx509.in | 675 + third_party/heimdal/tests/kdc/check-canon.in | 210 + third_party/heimdal/tests/kdc/check-cc.in | 203 + third_party/heimdal/tests/kdc/check-delegation.in | 152 + third_party/heimdal/tests/kdc/check-des.in | 155 + third_party/heimdal/tests/kdc/check-digest.in | 291 + third_party/heimdal/tests/kdc/check-fast.in | 214 + third_party/heimdal/tests/kdc/check-hdb-mitdb.in | 111 + third_party/heimdal/tests/kdc/check-httpkadmind.in | 688 + third_party/heimdal/tests/kdc/check-iprop.in | 611 + third_party/heimdal/tests/kdc/check-kadmin.in | 412 + third_party/heimdal/tests/kdc/check-kdc-weak.in | 37 + third_party/heimdal/tests/kdc/check-kdc.in | 1097 + third_party/heimdal/tests/kdc/check-keys.in | 104 + third_party/heimdal/tests/kdc/check-kinit.in | 149 + third_party/heimdal/tests/kdc/check-kpasswdd.in | 194 + third_party/heimdal/tests/kdc/check-pkinit.in | 388 + 
third_party/heimdal/tests/kdc/check-referral.in | 231 + third_party/heimdal/tests/kdc/check-tester.in | 121 + third_party/heimdal/tests/kdc/check-uu.in | 131 + third_party/heimdal/tests/kdc/donotexists.txt | 1 + third_party/heimdal/tests/kdc/hdb-mitdb | Bin 0 -> 16384 bytes third_party/heimdal/tests/kdc/hdb-mitdb.kadm5 | Bin 0 -> 8192 bytes third_party/heimdal/tests/kdc/hdb-mitdb.mkey | Bin 0 -> 30 bytes third_party/heimdal/tests/kdc/heimdal.acl | 10 + third_party/heimdal/tests/kdc/iprop-acl | 1 + third_party/heimdal/tests/kdc/k5login/foo | 1 + third_party/heimdal/tests/kdc/k5login/mapped_user1 | 1 + third_party/heimdal/tests/kdc/kdc-tester1.json | 31 + third_party/heimdal/tests/kdc/kdc-tester2.json | 12 + third_party/heimdal/tests/kdc/kdc-tester3.json | 23 + third_party/heimdal/tests/kdc/kdc-tester4.json.in | 22 + third_party/heimdal/tests/kdc/krb5-authz.conf.in | 26 + third_party/heimdal/tests/kdc/krb5-authz2.conf.in | 27 + third_party/heimdal/tests/kdc/krb5-bx509.conf.in | 187 + third_party/heimdal/tests/kdc/krb5-canon.conf.in | 100 + third_party/heimdal/tests/kdc/krb5-canon2.conf.in | 97 + third_party/heimdal/tests/kdc/krb5-cccol.conf.in | 165 + .../heimdal/tests/kdc/krb5-hdb-mitdb.conf.in | 60 + .../heimdal/tests/kdc/krb5-httpkadmind.conf.in | 96 + third_party/heimdal/tests/kdc/krb5-kcm.conf.in | 165 + third_party/heimdal/tests/kdc/krb5-pkinit.conf.in | 80 + third_party/heimdal/tests/kdc/krb5.conf.in | 172 + third_party/heimdal/tests/kdc/krb5.conf.keys.in | 19 + third_party/heimdal/tests/kdc/leaks-kill.sh | 27 + third_party/heimdal/tests/kdc/ntlm-user-file.txt | 1 + third_party/heimdal/tests/kdc/pki-mapping | 2 + third_party/heimdal/tests/kdc/uuserver.txt | 4 + third_party/heimdal/tests/kdc/wait-kdc.sh | 65 + third_party/heimdal/tests/ldap/Makefile.am | 55 + third_party/heimdal/tests/ldap/NTMakefile | 35 + third_party/heimdal/tests/ldap/check-ldap.in | 153 + third_party/heimdal/tests/ldap/init.ldif | 44 + third_party/heimdal/tests/ldap/krb5.conf.in | 26 + 
third_party/heimdal/tests/ldap/samba.schema | 554 + third_party/heimdal/tests/ldap/slapd-init.in | 58 + third_party/heimdal/tests/ldap/slapd-stop | 18 + third_party/heimdal/tests/ldap/slapd.conf | 27 + third_party/heimdal/tests/plugin/Makefile.am | 48 + third_party/heimdal/tests/plugin/NTMakefile | 35 + third_party/heimdal/tests/plugin/check-pac.in | 174 + third_party/heimdal/tests/plugin/kdc_test_plugin.c | 207 + third_party/heimdal/tests/plugin/krb5.conf.in | 52 + third_party/heimdal/tools/Makefile.am | 65 + third_party/heimdal/tools/NTMakefile | 35 + third_party/heimdal/tools/cov.sh | 19 + third_party/heimdal/tools/coveralls-tool | 277 + third_party/heimdal/tools/fixgcov-source-paths.sh | 18 + third_party/heimdal/tools/heimdal-gssapi.pc.in | 14 + .../heimdal/tools/heimdal-kadm-client.pc.in | 11 + .../heimdal/tools/heimdal-kadm-server.pc.in | 12 + third_party/heimdal/tools/heimdal-krb5.pc.in | 12 + third_party/heimdal/tools/kadm-client.pc.in | 10 + third_party/heimdal/tools/kadm-server.pc.in | 10 + third_party/heimdal/tools/kafs.pc.in | 10 + third_party/heimdal/tools/kdc-log-analyze.pl | 549 + third_party/heimdal/tools/krb5-config.1 | 90 + third_party/heimdal/tools/krb5-config.in | 266 + third_party/heimdal/tools/krb5-gssapi.pc.in | 10 + third_party/heimdal/tools/krb5.pc.in | 10 + third_party/heimdal/windows/NTMakefile.config | 114 + third_party/heimdal/windows/NTMakefile.sdk | 130 + third_party/heimdal/windows/NTMakefile.version | 51 + third_party/heimdal/windows/NTMakefile.w32 | 620 + third_party/heimdal/windows/README.md | 165 + third_party/heimdal/windows/version.rc | 149 + 2368 files changed, 878748 insertions(+) create mode 100644 third_party/heimdal/.github/ISSUE_TEMPLATE/bug_report.md create mode 100644 third_party/heimdal/.github/ISSUE_TEMPLATE/feature_request.md create mode 100644 third_party/heimdal/.github/workflows/coverity.yml create mode 100644 third_party/heimdal/.github/workflows/linux.yml create mode 100644 
third_party/heimdal/.github/workflows/osx.yml create mode 100644 third_party/heimdal/.github/workflows/scanbuild.yml create mode 100644 third_party/heimdal/.github/workflows/valgrind.yml create mode 100644 third_party/heimdal/.github/workflows/windows.yml create mode 100644 third_party/heimdal/.gitignore create mode 100644 third_party/heimdal/.travis.yml create mode 100644 third_party/heimdal/CODE_OF_CONDUCT.md create mode 100644 third_party/heimdal/ChangeLog create mode 100644 third_party/heimdal/ChangeLog.1998 create mode 100644 third_party/heimdal/ChangeLog.1999 create mode 100644 third_party/heimdal/ChangeLog.2000 create mode 100644 third_party/heimdal/ChangeLog.2001 create mode 100644 third_party/heimdal/ChangeLog.2002 create mode 100644 third_party/heimdal/ChangeLog.2003 create mode 100644 third_party/heimdal/ChangeLog.2004 create mode 100644 third_party/heimdal/ChangeLog.2005 create mode 100644 third_party/heimdal/ChangeLog.2006 create mode 100644 third_party/heimdal/ChangeLog.2007 create mode 100644 third_party/heimdal/HEIMDAL-LICENCE.txt create mode 100644 third_party/heimdal/LICENSE create mode 100644 third_party/heimdal/Makefile.am create mode 100644 third_party/heimdal/Makefile.am.common create mode 100644 third_party/heimdal/NEWS create mode 100644 third_party/heimdal/NTMakefile create mode 100644 third_party/heimdal/README create mode 100644 third_party/heimdal/README.fast create mode 100644 third_party/heimdal/README.md create mode 100644 third_party/heimdal/SECURITY.md create mode 100644 third_party/heimdal/TODO create mode 100644 third_party/heimdal/acinclude.m4 create mode 100644 third_party/heimdal/admin/ChangeLog create mode 100644 third_party/heimdal/admin/Makefile.am create mode 100644 third_party/heimdal/admin/NTMakefile create mode 100644 third_party/heimdal/admin/add.c create mode 100644 third_party/heimdal/admin/change.c create mode 100644 third_party/heimdal/admin/copy.c create mode 100644 third_party/heimdal/admin/destroy.c create mode 
100644 third_party/heimdal/admin/get.c create mode 100644 third_party/heimdal/admin/ktutil-commands.in create mode 100644 third_party/heimdal/admin/ktutil-version.rc create mode 100644 third_party/heimdal/admin/ktutil.1 create mode 100644 third_party/heimdal/admin/ktutil.c create mode 100644 third_party/heimdal/admin/ktutil_locl.h create mode 100644 third_party/heimdal/admin/list.c create mode 100644 third_party/heimdal/admin/purge.c create mode 100644 third_party/heimdal/admin/remove.c create mode 100644 third_party/heimdal/admin/rename.c create mode 100644 third_party/heimdal/appl/Makefile.am create mode 100644 third_party/heimdal/appl/NTMakefile create mode 100644 third_party/heimdal/appl/afsutil/ChangeLog create mode 100644 third_party/heimdal/appl/afsutil/Makefile.am create mode 100644 third_party/heimdal/appl/afsutil/NTMakefile create mode 100644 third_party/heimdal/appl/afsutil/afslog.1 create mode 100644 third_party/heimdal/appl/afsutil/afslog.c create mode 100644 third_party/heimdal/appl/afsutil/pagsh.1 create mode 100644 third_party/heimdal/appl/afsutil/pagsh.c create mode 100644 third_party/heimdal/appl/dbutils/Makefile.am create mode 100644 third_party/heimdal/appl/dbutils/NTMakefile create mode 100644 third_party/heimdal/appl/dbutils/bsearch.1 create mode 100644 third_party/heimdal/appl/dbutils/bsearch.c create mode 100644 third_party/heimdal/appl/dceutils/ChangeLog create mode 100644 third_party/heimdal/appl/dceutils/Makefile.am create mode 100644 third_party/heimdal/appl/dceutils/NTMakefile create mode 100644 third_party/heimdal/appl/dceutils/README.dcedfs create mode 100644 third_party/heimdal/appl/dceutils/README.original create mode 100644 third_party/heimdal/appl/dceutils/dfspag.exp create mode 100644 third_party/heimdal/appl/dceutils/dpagaix.c create mode 100644 third_party/heimdal/appl/dceutils/k5dce.h create mode 100644 third_party/heimdal/appl/dceutils/k5dcecon.c create mode 100644 third_party/heimdal/appl/dceutils/testpag.c create mode 
100644 third_party/heimdal/appl/gssmask/Makefile.am create mode 100644 third_party/heimdal/appl/gssmask/NTMakefile create mode 100644 third_party/heimdal/appl/gssmask/common.c create mode 100644 third_party/heimdal/appl/gssmask/common.h create mode 100644 third_party/heimdal/appl/gssmask/gssmaestro.c create mode 100644 third_party/heimdal/appl/gssmask/gssmask.c create mode 100644 third_party/heimdal/appl/gssmask/protocol.h create mode 100644 third_party/heimdal/appl/kf/Makefile.am create mode 100644 third_party/heimdal/appl/kf/NTMakefile create mode 100644 third_party/heimdal/appl/kf/kf.1 create mode 100644 third_party/heimdal/appl/kf/kf.c create mode 100644 third_party/heimdal/appl/kf/kf_locl.h create mode 100644 third_party/heimdal/appl/kf/kfd.8 create mode 100644 third_party/heimdal/appl/kf/kfd.c create mode 100644 third_party/heimdal/appl/otp/ChangeLog create mode 100644 third_party/heimdal/appl/otp/Makefile.am create mode 100644 third_party/heimdal/appl/otp/NTMakefile create mode 100644 third_party/heimdal/appl/otp/otp.1 create mode 100644 third_party/heimdal/appl/otp/otp.c create mode 100644 third_party/heimdal/appl/otp/otp_locl.h create mode 100644 third_party/heimdal/appl/otp/otpprint.1 create mode 100644 third_party/heimdal/appl/otp/otpprint.c create mode 100644 third_party/heimdal/appl/test/Makefile.am create mode 100644 third_party/heimdal/appl/test/NTMakefile create mode 100644 third_party/heimdal/appl/test/common.c create mode 100644 third_party/heimdal/appl/test/gss_common.c create mode 100644 third_party/heimdal/appl/test/gss_common.h create mode 100644 third_party/heimdal/appl/test/gssapi_client.c create mode 100644 third_party/heimdal/appl/test/gssapi_server.c create mode 100644 third_party/heimdal/appl/test/http_client.c create mode 100644 third_party/heimdal/appl/test/jgssapi_server.java create mode 100644 third_party/heimdal/appl/test/nt_gss_client.c create mode 100644 third_party/heimdal/appl/test/nt_gss_common.c create mode 100644 
third_party/heimdal/appl/test/nt_gss_common.h create mode 100644 third_party/heimdal/appl/test/nt_gss_server.c create mode 100644 third_party/heimdal/appl/test/tcp_client.c create mode 100644 third_party/heimdal/appl/test/tcp_server.c create mode 100644 third_party/heimdal/appl/test/test_locl.h create mode 100644 third_party/heimdal/appl/test/uu_client.c create mode 100644 third_party/heimdal/appl/test/uu_server.c create mode 100755 third_party/heimdal/apply_heimdal.sh create mode 100644 third_party/heimdal/appveyor.yml create mode 100755 third_party/heimdal/autogen.sh create mode 100644 third_party/heimdal/cf/ChangeLog create mode 100644 third_party/heimdal/cf/Makefile.am.common create mode 100644 third_party/heimdal/cf/aix.m4 create mode 100644 third_party/heimdal/cf/auth-modules.m4 create mode 100644 third_party/heimdal/cf/ax_check_sign.m4 create mode 100644 third_party/heimdal/cf/broken-getaddrinfo.m4 create mode 100644 third_party/heimdal/cf/broken-realloc.m4 create mode 100644 third_party/heimdal/cf/broken-snprintf.m4 create mode 100644 third_party/heimdal/cf/broken.m4 create mode 100644 third_party/heimdal/cf/broken2.m4 create mode 100644 third_party/heimdal/cf/c-attribute.m4 create mode 100644 third_party/heimdal/cf/c-function.m4 create mode 100644 third_party/heimdal/cf/check-compile-et.m4 create mode 100644 third_party/heimdal/cf/check-compile-flag.m4 create mode 100644 third_party/heimdal/cf/check-getpwnam_r-posix.m4 create mode 100644 third_party/heimdal/cf/check-man.m4 create mode 100644 third_party/heimdal/cf/check-netinet-ip-and-tcp.m4 create mode 100644 third_party/heimdal/cf/check-type-extra.m4 create mode 100644 third_party/heimdal/cf/check-var.m4 create mode 100644 third_party/heimdal/cf/crypto.m4 create mode 100644 third_party/heimdal/cf/db.m4 create mode 100644 third_party/heimdal/cf/destdirs.m4 create mode 100644 third_party/heimdal/cf/dispatch.m4 create mode 100644 third_party/heimdal/cf/dlopen.m4 create mode 100644 
third_party/heimdal/cf/find-func-no-libs.m4 create mode 100644 third_party/heimdal/cf/find-func-no-libs2.m4 create mode 100644 third_party/heimdal/cf/find-func.m4 create mode 100644 third_party/heimdal/cf/find-if-not-broken.m4 create mode 100644 third_party/heimdal/cf/framework-corefoundation.m4 create mode 100644 third_party/heimdal/cf/framework-security.m4 create mode 100644 third_party/heimdal/cf/have-pragma-weak.m4 create mode 100644 third_party/heimdal/cf/have-struct-field.m4 create mode 100644 third_party/heimdal/cf/have-type.m4 create mode 100644 third_party/heimdal/cf/have-types.m4 create mode 100644 third_party/heimdal/cf/install-catman.sh create mode 100644 third_party/heimdal/cf/irix.m4 create mode 100644 third_party/heimdal/cf/krb-bigendian.m4 create mode 100644 third_party/heimdal/cf/krb-func-getlogin.m4 create mode 100644 third_party/heimdal/cf/krb-ipv6.m4 create mode 100644 third_party/heimdal/cf/krb-prog-ln-s.m4 create mode 100644 third_party/heimdal/cf/krb-prog-perl.m4 create mode 100644 third_party/heimdal/cf/krb-prog-ranlib.m4 create mode 100644 third_party/heimdal/cf/krb-prog-yacc.m4 create mode 100644 third_party/heimdal/cf/krb-readline.m4 create mode 100644 third_party/heimdal/cf/krb-struct-spwd.m4 create mode 100644 third_party/heimdal/cf/krb-struct-winsize.m4 create mode 100644 third_party/heimdal/cf/krb-sys-aix.m4 create mode 100644 third_party/heimdal/cf/krb-sys-nextstep.m4 create mode 100644 third_party/heimdal/cf/largefile.m4 create mode 100644 third_party/heimdal/cf/make-proto.pl create mode 100755 third_party/heimdal/cf/maybe-valgrind.sh create mode 100644 third_party/heimdal/cf/mips-abi.m4 create mode 100644 third_party/heimdal/cf/misc.m4 create mode 100644 third_party/heimdal/cf/need-proto.m4 create mode 100644 third_party/heimdal/cf/osfc2.m4 create mode 100644 third_party/heimdal/cf/otp.m4 create mode 100644 third_party/heimdal/cf/pkg.m4 create mode 100644 third_party/heimdal/cf/proto-compat.m4 create mode 100644 
third_party/heimdal/cf/pthreads.m4 create mode 100644 third_party/heimdal/cf/resolv.m4 create mode 100644 third_party/heimdal/cf/retsigtype.m4 create mode 100644 third_party/heimdal/cf/roken-frag.m4 create mode 100644 third_party/heimdal/cf/roken-h-process.pl create mode 100644 third_party/heimdal/cf/roken.m4 create mode 100644 third_party/heimdal/cf/socket-wrapper.m4 create mode 100644 third_party/heimdal/cf/sunos.m4 create mode 100644 third_party/heimdal/cf/symbol-version.py create mode 100644 third_party/heimdal/cf/telnet.m4 create mode 100644 third_party/heimdal/cf/test-package.m4 create mode 100644 third_party/heimdal/cf/valgrind-suppressions create mode 100644 third_party/heimdal/cf/vararray.m4 create mode 100644 third_party/heimdal/cf/version-script.m4 create mode 100644 third_party/heimdal/cf/w32-check-exported-symbols.pl create mode 100644 third_party/heimdal/cf/w32-def-from-dll.pl create mode 100644 third_party/heimdal/cf/w32-detect-vc-version.pl create mode 100644 third_party/heimdal/cf/w32-hh-toc-from-info.pl create mode 100644 third_party/heimdal/cf/w32-list-externs-from-objs.pl create mode 100644 third_party/heimdal/cf/wflags.m4 create mode 100644 third_party/heimdal/cf/win32.m4 create mode 100644 third_party/heimdal/cf/with-all.m4 create mode 100644 third_party/heimdal/configure.ac create mode 100644 third_party/heimdal/doc/Makefile.am create mode 100644 third_party/heimdal/doc/NTMakefile create mode 100644 third_party/heimdal/doc/ack.texi create mode 100644 third_party/heimdal/doc/apps.texi create mode 100644 third_party/heimdal/doc/base.din create mode 100644 third_party/heimdal/doc/base.hhp create mode 100644 third_party/heimdal/doc/copyright.texi create mode 100644 third_party/heimdal/doc/doxytmpl.dxy create mode 100644 third_party/heimdal/doc/footer.html create mode 100644 third_party/heimdal/doc/gssapi.din create mode 100644 third_party/heimdal/doc/hcrypto.din create mode 100644 third_party/heimdal/doc/hdb.din create mode 100644 
third_party/heimdal/doc/header.html create mode 100644 third_party/heimdal/doc/heimdal.css create mode 100644 third_party/heimdal/doc/heimdal.hhp create mode 100644 third_party/heimdal/doc/heimdal.texi create mode 100644 third_party/heimdal/doc/hx509.din create mode 100644 third_party/heimdal/doc/hx509.hhp create mode 100644 third_party/heimdal/doc/hx509.texi create mode 100644 third_party/heimdal/doc/init-creds create mode 100644 third_party/heimdal/doc/install.texi create mode 100644 third_party/heimdal/doc/intro.texi create mode 100644 third_party/heimdal/doc/kerberos4.texi create mode 100644 third_party/heimdal/doc/krb5.din create mode 100644 third_party/heimdal/doc/latin1.tex create mode 100644 third_party/heimdal/doc/layman.asc create mode 100644 third_party/heimdal/doc/mdate-sh create mode 100644 third_party/heimdal/doc/migration.texi create mode 100644 third_party/heimdal/doc/misc.texi create mode 100644 third_party/heimdal/doc/ntlm.din create mode 100644 third_party/heimdal/doc/programming.texi create mode 100644 third_party/heimdal/doc/setup.texi create mode 100644 third_party/heimdal/doc/vars.tin create mode 100644 third_party/heimdal/doc/whatis.texi create mode 100644 third_party/heimdal/doc/win2k.texi create mode 100644 third_party/heimdal/doc/wind.din create mode 100644 third_party/heimdal/etc/Makefile.am create mode 100644 third_party/heimdal/etc/NTMakefile create mode 100644 third_party/heimdal/etc/services.append create mode 100755 third_party/heimdal/import-lorikeet.sh create mode 100644 third_party/heimdal/include/Makefile.am create mode 100644 third_party/heimdal/include/NTMakefile create mode 100644 third_party/heimdal/include/bits.c create mode 100644 third_party/heimdal/include/config.h.w32 create mode 100644 third_party/heimdal/include/crypto-headers.h create mode 100644 third_party/heimdal/include/gssapi/Makefile.am create mode 100644 third_party/heimdal/include/gssapi/NTMakefile create mode 100644 
third_party/heimdal/include/hcrypto/Makefile.am create mode 100644 third_party/heimdal/include/hcrypto/NTMakefile create mode 100644 third_party/heimdal/include/heim_threads.h create mode 100644 third_party/heimdal/include/heimqueue.h create mode 100644 third_party/heimdal/include/kadm5/Makefile.am create mode 100644 third_party/heimdal/include/kadm5/NTMakefile create mode 100644 third_party/heimdal/include/krb5-types.cross create mode 100644 third_party/heimdal/kadmin/ChangeLog create mode 100644 third_party/heimdal/kadmin/Makefile.am create mode 100644 third_party/heimdal/kadmin/NTMakefile create mode 100644 third_party/heimdal/kadmin/add-random-users.c create mode 100644 third_party/heimdal/kadmin/add_enctype.c create mode 100644 third_party/heimdal/kadmin/ank.c create mode 100644 third_party/heimdal/kadmin/check.c create mode 100644 third_party/heimdal/kadmin/cpw.c create mode 100644 third_party/heimdal/kadmin/del.c create mode 100644 third_party/heimdal/kadmin/del_enctype.c create mode 100644 third_party/heimdal/kadmin/dump.c create mode 100644 third_party/heimdal/kadmin/ext.c create mode 100644 third_party/heimdal/kadmin/get.c create mode 100644 third_party/heimdal/kadmin/init.c create mode 100644 third_party/heimdal/kadmin/kadm_conn.c create mode 100644 third_party/heimdal/kadmin/kadmin-commands.in create mode 100644 third_party/heimdal/kadmin/kadmin-version.rc create mode 100644 third_party/heimdal/kadmin/kadmin.1 create mode 100644 third_party/heimdal/kadmin/kadmin.c create mode 100644 third_party/heimdal/kadmin/kadmin_locl.h create mode 100644 third_party/heimdal/kadmin/kadmind-version.rc create mode 100644 third_party/heimdal/kadmin/kadmind.8 create mode 100644 third_party/heimdal/kadmin/kadmind.c create mode 100644 third_party/heimdal/kadmin/load.c create mode 100644 third_party/heimdal/kadmin/mod.c create mode 100644 third_party/heimdal/kadmin/prune.c create mode 100644 third_party/heimdal/kadmin/pw_quality.c create mode 100644 
third_party/heimdal/kadmin/random_password.c create mode 100644 third_party/heimdal/kadmin/rename.c create mode 100644 third_party/heimdal/kadmin/rpc.c create mode 100644 third_party/heimdal/kadmin/server.c create mode 100644 third_party/heimdal/kadmin/stash.c create mode 100644 third_party/heimdal/kadmin/test_util.c create mode 100644 third_party/heimdal/kadmin/util.c create mode 100644 third_party/heimdal/kcm/Makefile.am create mode 100644 third_party/heimdal/kcm/NTMakefile create mode 100644 third_party/heimdal/kcm/acl.c create mode 100644 third_party/heimdal/kcm/acquire.c create mode 100644 third_party/heimdal/kcm/cache.c create mode 100644 third_party/heimdal/kcm/client.c create mode 100644 third_party/heimdal/kcm/config.c create mode 100644 third_party/heimdal/kcm/connect.c create mode 100644 third_party/heimdal/kcm/events.c create mode 100644 third_party/heimdal/kcm/glue.c create mode 100644 third_party/heimdal/kcm/headers.h create mode 100644 third_party/heimdal/kcm/kcm.8 create mode 100644 third_party/heimdal/kcm/kcm_locl.h create mode 100644 third_party/heimdal/kcm/log.c create mode 100644 third_party/heimdal/kcm/main.c create mode 100644 third_party/heimdal/kcm/protocol.c create mode 100644 third_party/heimdal/kcm/renew.c create mode 100644 third_party/heimdal/kcm/sessions.c create mode 100644 third_party/heimdal/kdc/Makefile.am create mode 100644 third_party/heimdal/kdc/NTMakefile create mode 100644 third_party/heimdal/kdc/altsecid_gss_preauth_authorizer.c create mode 100644 third_party/heimdal/kdc/announce.c create mode 100644 third_party/heimdal/kdc/bx509d.8 create mode 100644 third_party/heimdal/kdc/bx509d.c create mode 100644 third_party/heimdal/kdc/ca.c create mode 100644 third_party/heimdal/kdc/cjwt_token_validator.c create mode 100644 third_party/heimdal/kdc/config.c create mode 100644 third_party/heimdal/kdc/connect.c create mode 100644 third_party/heimdal/kdc/csr_authorizer.c create mode 100644 third_party/heimdal/kdc/csr_authorizer_plugin.h 
create mode 100644 third_party/heimdal/kdc/default_config.c create mode 100644 third_party/heimdal/kdc/digest-service.c create mode 100644 third_party/heimdal/kdc/digest.c create mode 100644 third_party/heimdal/kdc/fast.c create mode 100644 third_party/heimdal/kdc/gss_preauth.c create mode 100644 third_party/heimdal/kdc/gss_preauth_authorizer_plugin.h create mode 100644 third_party/heimdal/kdc/headers.h create mode 100644 third_party/heimdal/kdc/hprop-version.rc create mode 100644 third_party/heimdal/kdc/hprop.8 create mode 100644 third_party/heimdal/kdc/hprop.c create mode 100644 third_party/heimdal/kdc/hprop.h create mode 100644 third_party/heimdal/kdc/hpropd-version.rc create mode 100644 third_party/heimdal/kdc/hpropd.8 create mode 100644 third_party/heimdal/kdc/hpropd.c create mode 100644 third_party/heimdal/kdc/httpkadmind.8 create mode 100644 third_party/heimdal/kdc/httpkadmind.c create mode 100644 third_party/heimdal/kdc/ipc_csr_authorizer.c create mode 100644 third_party/heimdal/kdc/kdc-accessors.h create mode 100644 third_party/heimdal/kdc/kdc-audit.h create mode 100644 third_party/heimdal/kdc/kdc-plugin.c create mode 100644 third_party/heimdal/kdc/kdc-plugin.h create mode 100644 third_party/heimdal/kdc/kdc-replay.c create mode 100644 third_party/heimdal/kdc/kdc-tester.c create mode 100644 third_party/heimdal/kdc/kdc-version.rc create mode 100644 third_party/heimdal/kdc/kdc.8 create mode 100644 third_party/heimdal/kdc/kdc.h create mode 100644 third_party/heimdal/kdc/kdc_locl.h create mode 100644 third_party/heimdal/kdc/kerberos5.c create mode 100644 third_party/heimdal/kdc/krb5tgs.c create mode 100644 third_party/heimdal/kdc/kstash-version.rc create mode 100644 third_party/heimdal/kdc/kstash.8 create mode 100644 third_party/heimdal/kdc/kstash.c create mode 100644 third_party/heimdal/kdc/kx509.c create mode 100644 third_party/heimdal/kdc/libkdc-exports.def create mode 100644 third_party/heimdal/kdc/libkdc-version.rc create mode 100644 
third_party/heimdal/kdc/log.c create mode 100644 third_party/heimdal/kdc/main.c create mode 100644 third_party/heimdal/kdc/misc.c create mode 100644 third_party/heimdal/kdc/mit_dump.c create mode 100644 third_party/heimdal/kdc/mssfu.c create mode 100644 third_party/heimdal/kdc/negotiate_token_validator.c create mode 100644 third_party/heimdal/kdc/pkinit-ec.c create mode 100644 third_party/heimdal/kdc/pkinit.c create mode 100644 third_party/heimdal/kdc/process.c create mode 100644 third_party/heimdal/kdc/set_dbinfo.c create mode 100644 third_party/heimdal/kdc/simple_csr_authorizer.c create mode 100644 third_party/heimdal/kdc/string2key-version.rc create mode 100644 third_party/heimdal/kdc/string2key.8 create mode 100644 third_party/heimdal/kdc/string2key.c create mode 100644 third_party/heimdal/kdc/test_csr_authorizer.c create mode 100644 third_party/heimdal/kdc/test_kdc_ca.c create mode 100644 third_party/heimdal/kdc/test_token_validator.c create mode 100644 third_party/heimdal/kdc/token_validator.c create mode 100644 third_party/heimdal/kdc/token_validator_plugin.h create mode 100644 third_party/heimdal/kdc/version-script.map create mode 100644 third_party/heimdal/kpasswd/Makefile.am create mode 100644 third_party/heimdal/kpasswd/NTMakefile create mode 100644 third_party/heimdal/kpasswd/kpasswd-generator.c create mode 100644 third_party/heimdal/kpasswd/kpasswd.1 create mode 100644 third_party/heimdal/kpasswd/kpasswd.c create mode 100644 third_party/heimdal/kpasswd/kpasswd_locl.h create mode 100644 third_party/heimdal/kpasswd/kpasswdd.8 create mode 100644 third_party/heimdal/kpasswd/kpasswdd.c create mode 100644 third_party/heimdal/krb5.conf create mode 100644 third_party/heimdal/kuser/Makefile.am create mode 100644 third_party/heimdal/kuser/NTMakefile create mode 100644 third_party/heimdal/kuser/copy_cred_cache.1 create mode 100644 third_party/heimdal/kuser/copy_cred_cache.c create mode 100644 third_party/heimdal/kuser/generate-requests.c create mode 100644 
third_party/heimdal/kuser/heimtools-commands.in create mode 100644 third_party/heimdal/kuser/heimtools-version.rc create mode 100644 third_party/heimdal/kuser/heimtools.c create mode 100644 third_party/heimdal/kuser/kcpytkt.c create mode 100644 third_party/heimdal/kuser/kdecode_ticket.c create mode 100644 third_party/heimdal/kuser/kdeltkt.c create mode 100644 third_party/heimdal/kuser/kdestroy-version.rc create mode 100644 third_party/heimdal/kuser/kdestroy.1 create mode 100644 third_party/heimdal/kuser/kdestroy.c create mode 100644 third_party/heimdal/kuser/kdigest-commands.in create mode 100644 third_party/heimdal/kuser/kdigest-version.rc create mode 100644 third_party/heimdal/kuser/kdigest.8 create mode 100644 third_party/heimdal/kuser/kdigest.c create mode 100644 third_party/heimdal/kuser/kgetcred-version.rc create mode 100644 third_party/heimdal/kuser/kgetcred.1 create mode 100644 third_party/heimdal/kuser/kgetcred.c create mode 100644 third_party/heimdal/kuser/kimpersonate-version.rc create mode 100644 third_party/heimdal/kuser/kimpersonate.8 create mode 100644 third_party/heimdal/kuser/kimpersonate.c create mode 100644 third_party/heimdal/kuser/kinit-version.rc create mode 100644 third_party/heimdal/kuser/kinit.1 create mode 100644 third_party/heimdal/kuser/kinit.c create mode 100644 third_party/heimdal/kuser/klist.1 create mode 100644 third_party/heimdal/kuser/klist.c create mode 100644 third_party/heimdal/kuser/kswitch.1 create mode 100644 third_party/heimdal/kuser/kswitch.c create mode 100644 third_party/heimdal/kuser/kuser_locl.h create mode 100644 third_party/heimdal/kuser/kverify.c create mode 100644 third_party/heimdal/kuser/kvno.c create mode 100644 third_party/heimdal/kuser/kx509.1 create mode 100644 third_party/heimdal/kuser/kx509.c create mode 100644 third_party/heimdal/lib/Makefile.am create mode 100644 third_party/heimdal/lib/NTMakefile create mode 100644 third_party/heimdal/lib/asn1/ChangeLog create mode 100644 
third_party/heimdal/lib/asn1/MANUAL.md create mode 100644 third_party/heimdal/lib/asn1/Makefile.am create mode 100644 third_party/heimdal/lib/asn1/NTMakefile create mode 100644 third_party/heimdal/lib/asn1/README-X681.md create mode 100644 third_party/heimdal/lib/asn1/README-template.md create mode 100644 third_party/heimdal/lib/asn1/README.md create mode 100644 third_party/heimdal/lib/asn1/asn1-common.h create mode 100644 third_party/heimdal/lib/asn1/asn1-template.h create mode 100644 third_party/heimdal/lib/asn1/asn1_compile-version.rc create mode 100644 third_party/heimdal/lib/asn1/asn1_compile.1 create mode 100644 third_party/heimdal/lib/asn1/asn1_err.et create mode 100644 third_party/heimdal/lib/asn1/asn1_gen.c create mode 100644 third_party/heimdal/lib/asn1/asn1_print.1 create mode 100644 third_party/heimdal/lib/asn1/asn1_print.c create mode 100644 third_party/heimdal/lib/asn1/asn1parse.y create mode 100644 third_party/heimdal/lib/asn1/canthandle.asn1 create mode 100644 third_party/heimdal/lib/asn1/check-ber.c create mode 100644 third_party/heimdal/lib/asn1/check-common.c create mode 100644 third_party/heimdal/lib/asn1/check-common.h create mode 100644 third_party/heimdal/lib/asn1/check-der.c create mode 100644 third_party/heimdal/lib/asn1/check-gen.c create mode 100644 third_party/heimdal/lib/asn1/check-gen.h create mode 100644 third_party/heimdal/lib/asn1/check-template.c create mode 100644 third_party/heimdal/lib/asn1/check-timegm.c create mode 100644 third_party/heimdal/lib/asn1/cms.asn1 create mode 100644 third_party/heimdal/lib/asn1/cms.opt create mode 100644 third_party/heimdal/lib/asn1/crmf.asn1 create mode 100644 third_party/heimdal/lib/asn1/crmf.opt create mode 100644 third_party/heimdal/lib/asn1/der.c create mode 100644 third_party/heimdal/lib/asn1/der.h create mode 100644 third_party/heimdal/lib/asn1/der_cmp.c create mode 100644 third_party/heimdal/lib/asn1/der_copy.c create mode 100644 third_party/heimdal/lib/asn1/der_format.c create mode 100644 
third_party/heimdal/lib/asn1/der_free.c create mode 100644 third_party/heimdal/lib/asn1/der_get.c create mode 100644 third_party/heimdal/lib/asn1/der_length.c create mode 100644 third_party/heimdal/lib/asn1/der_locl.h create mode 100644 third_party/heimdal/lib/asn1/der_print.c create mode 100644 third_party/heimdal/lib/asn1/der_put.c create mode 100644 third_party/heimdal/lib/asn1/digest.asn1 create mode 100644 third_party/heimdal/lib/asn1/extra.c create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/minimal-ek.crt create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/x690sample.der create mode 100644 third_party/heimdal/lib/asn1/fuzzer.c create mode 100644 third_party/heimdal/lib/asn1/gen.c create mode 100644 third_party/heimdal/lib/asn1/gen_copy.c create mode 100644 third_party/heimdal/lib/asn1/gen_decode.c create mode 100644 third_party/heimdal/lib/asn1/gen_encode.c create mode 100644 third_party/heimdal/lib/asn1/gen_free.c create mode 100644 third_party/heimdal/lib/asn1/gen_glue.c create mode 100644 third_party/heimdal/lib/asn1/gen_length.c create mode 100644 third_party/heimdal/lib/asn1/gen_locl.h create mode 100644 third_party/heimdal/lib/asn1/gen_print.c create mode 100644 third_party/heimdal/lib/asn1/gen_seq.c create mode 100644 third_party/heimdal/lib/asn1/gen_template.c create mode 100644 third_party/heimdal/lib/asn1/hash.c create mode 100644 third_party/heimdal/lib/asn1/hash.h create mode 100644 third_party/heimdal/lib/asn1/heim_asn1.h create mode 100644 third_party/heimdal/lib/asn1/krb5.asn1 create mode 100644 third_party/heimdal/lib/asn1/krb5.opt create mode 100644 third_party/heimdal/lib/asn1/kx509.asn1 create mode 100644 third_party/heimdal/lib/asn1/lex.h create mode 100644 third_party/heimdal/lib/asn1/lex.l create mode 100644 third_party/heimdal/lib/asn1/libasn1-exports.def create mode 100644 third_party/heimdal/lib/asn1/main.c create mode 100644 
third_party/heimdal/lib/asn1/ocsp.asn1 create mode 100644 third_party/heimdal/lib/asn1/ocsp.opt create mode 100644 third_party/heimdal/lib/asn1/oid_resolution.c create mode 100644 third_party/heimdal/lib/asn1/pkcs10.asn1 create mode 100644 third_party/heimdal/lib/asn1/pkcs10.opt create mode 100644 third_party/heimdal/lib/asn1/pkcs12.asn1 create mode 100644 third_party/heimdal/lib/asn1/pkcs8.asn1 create mode 100644 third_party/heimdal/lib/asn1/pkcs9.asn1 create mode 100644 third_party/heimdal/lib/asn1/pkinit.asn1 create mode 100644 third_party/heimdal/lib/asn1/pku2u.asn1 create mode 100644 third_party/heimdal/lib/asn1/rfc2459.asn1 create mode 100644 third_party/heimdal/lib/asn1/rfc2459.opt create mode 100644 third_party/heimdal/lib/asn1/rfc4108.asn1 create mode 100644 third_party/heimdal/lib/asn1/roken_rename.h create mode 100644 third_party/heimdal/lib/asn1/setchgpw2.asn1 create mode 100644 third_party/heimdal/lib/asn1/symbol.c create mode 100644 third_party/heimdal/lib/asn1/symbol.h create mode 100644 third_party/heimdal/lib/asn1/tcg.asn1 create mode 100644 third_party/heimdal/lib/asn1/template.c create mode 100644 third_party/heimdal/lib/asn1/test.asn1 create mode 100644 third_party/heimdal/lib/asn1/test.gen create mode 100644 third_party/heimdal/lib/asn1/test.opt create mode 100644 third_party/heimdal/lib/asn1/timegm.c create mode 100644 third_party/heimdal/lib/asn1/version-script.map create mode 100644 third_party/heimdal/lib/asn1/x690sample.asn1 create mode 100644 third_party/heimdal/lib/base/Makefile.am create mode 100644 third_party/heimdal/lib/base/NTMakefile create mode 100644 third_party/heimdal/lib/base/array.c create mode 100644 third_party/heimdal/lib/base/baselocl.h create mode 100644 third_party/heimdal/lib/base/bool.c create mode 100644 third_party/heimdal/lib/base/bsearch.c create mode 100644 third_party/heimdal/lib/base/common_plugin.h create mode 100644 third_party/heimdal/lib/base/config_file.c create mode 100644 
third_party/heimdal/lib/base/config_reg.c create mode 100644 third_party/heimdal/lib/base/context.c create mode 100644 third_party/heimdal/lib/base/data.c create mode 100644 third_party/heimdal/lib/base/db.c create mode 100644 third_party/heimdal/lib/base/dict.c create mode 100644 third_party/heimdal/lib/base/dll.c create mode 100644 third_party/heimdal/lib/base/error.c create mode 100644 third_party/heimdal/lib/base/error_string.c create mode 100644 third_party/heimdal/lib/base/expand_path.c create mode 100644 third_party/heimdal/lib/base/heim_err.et create mode 100644 third_party/heimdal/lib/base/heimbase-atomics.h create mode 100644 third_party/heimdal/lib/base/heimbase-svc.h create mode 100644 third_party/heimdal/lib/base/heimbase.c create mode 100644 third_party/heimdal/lib/base/heimbase.h create mode 100644 third_party/heimdal/lib/base/heimbasepriv.h create mode 100644 third_party/heimdal/lib/base/json.c create mode 100644 third_party/heimdal/lib/base/log.c create mode 100644 third_party/heimdal/lib/base/null.c create mode 100644 third_party/heimdal/lib/base/number.c create mode 100644 third_party/heimdal/lib/base/plugin.c create mode 100644 third_party/heimdal/lib/base/roken_rename.h create mode 100644 third_party/heimdal/lib/base/string.c create mode 100644 third_party/heimdal/lib/base/test_base.c create mode 100644 third_party/heimdal/lib/base/version-script.map create mode 100644 third_party/heimdal/lib/base/warn.c create mode 100644 third_party/heimdal/lib/com_err/ChangeLog create mode 100644 third_party/heimdal/lib/com_err/Makefile.am create mode 100644 third_party/heimdal/lib/com_err/NTMakefile create mode 100644 third_party/heimdal/lib/com_err/com_err.3 create mode 100644 third_party/heimdal/lib/com_err/com_err.c create mode 100644 third_party/heimdal/lib/com_err/com_err.h create mode 100644 third_party/heimdal/lib/com_err/com_right.h create mode 100644 third_party/heimdal/lib/com_err/compile_et-version.rc create mode 100644 
third_party/heimdal/lib/com_err/compile_et.c create mode 100644 third_party/heimdal/lib/com_err/compile_et.h create mode 100644 third_party/heimdal/lib/com_err/error.c create mode 100644 third_party/heimdal/lib/com_err/lex.h create mode 100644 third_party/heimdal/lib/com_err/lex.l create mode 100644 third_party/heimdal/lib/com_err/libcom_err-exports.def create mode 100644 third_party/heimdal/lib/com_err/libcom_err-version.rc create mode 100644 third_party/heimdal/lib/com_err/parse.y create mode 100644 third_party/heimdal/lib/com_err/roken_rename.h create mode 100644 third_party/heimdal/lib/com_err/version-script.map create mode 100644 third_party/heimdal/lib/gss_preauth/Makefile.am create mode 100644 third_party/heimdal/lib/gss_preauth/NTMakefile create mode 100644 third_party/heimdal/lib/gss_preauth/README.md create mode 100644 third_party/heimdal/lib/gss_preauth/pa_client.c create mode 100644 third_party/heimdal/lib/gss_preauth/pa_common.c create mode 100644 third_party/heimdal/lib/gssapi/ChangeLog create mode 100644 third_party/heimdal/lib/gssapi/Makefile.am create mode 100644 third_party/heimdal/lib/gssapi/NTMakefile create mode 100644 third_party/heimdal/lib/gssapi/gen-oid.pl create mode 100644 third_party/heimdal/lib/gssapi/gss-commands.in create mode 100644 third_party/heimdal/lib/gssapi/gss-token.1 create mode 100644 third_party/heimdal/lib/gssapi/gss-token.c create mode 100644 third_party/heimdal/lib/gssapi/gss_acquire_cred.3 create mode 100644 third_party/heimdal/lib/gssapi/gssapi.3 create mode 100644 third_party/heimdal/lib/gssapi/gssapi.h create mode 100644 third_party/heimdal/lib/gssapi/gssapi/gssapi.h create mode 100644 third_party/heimdal/lib/gssapi/gssapi/gssapi_krb5.h create mode 100644 third_party/heimdal/lib/gssapi/gssapi/gssapi_netlogon.h create mode 100644 third_party/heimdal/lib/gssapi/gssapi/gssapi_ntlm.h create mode 100644 third_party/heimdal/lib/gssapi/gssapi/gssapi_oid.h create mode 100644 
third_party/heimdal/lib/gssapi/gssapi/gssapi_spnego.h create mode 100644 third_party/heimdal/lib/gssapi/gssapi_mech.h create mode 100644 third_party/heimdal/lib/gssapi/gsstool.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/8003.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/accept_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/acquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/add_cred.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/address_to_krb5addr.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/aeap.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/arcfour.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/authorize_localname.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/canonicalize_name.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/ccache_name.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/cfx.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/cfx.h create mode 100644 third_party/heimdal/lib/gssapi/krb5/compare_name.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/compat.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/context_time.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/copy_ccache.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/creds.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/decapsulate.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/delete_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/display_name.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/display_status.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/duplicate_cred.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/duplicate_name.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/encapsulate.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/export_name.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/export_sec_context.c create mode 100644 
third_party/heimdal/lib/gssapi/krb5/external.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/get_mic.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/gkrb5_err.et create mode 100644 third_party/heimdal/lib/gssapi/krb5/gsskrb5_locl.h create mode 100644 third_party/heimdal/lib/gssapi/krb5/import_name.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/import_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/indicate_mechs.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/init.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/init_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/inquire_context.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/inquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/inquire_cred_by_mech.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/inquire_cred_by_oid.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/inquire_mechs_for_name.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/name_attrs.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/pname_to_uid.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/prf.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/process_context_token.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/release_buffer.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/release_cred.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/release_name.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/sequence.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/set_cred_option.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/set_sec_context_option.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/store_cred.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/test_acquire_cred.c 
create mode 100644 third_party/heimdal/lib/gssapi/krb5/test_cfx.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/test_cred.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/test_kcred.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/test_oid.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/test_sequence.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/ticket_flags.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/unwrap.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/verify_mic.c create mode 100644 third_party/heimdal/lib/gssapi/krb5/wrap.c create mode 100644 third_party/heimdal/lib/gssapi/libgssapi-exports.def create mode 100644 third_party/heimdal/lib/gssapi/libgssapi-version.rc create mode 100644 third_party/heimdal/lib/gssapi/mech/compat.h create mode 100644 third_party/heimdal/lib/gssapi/mech/context.c create mode 100644 third_party/heimdal/lib/gssapi/mech/context.h create mode 100644 third_party/heimdal/lib/gssapi/mech/cred.c create mode 100644 third_party/heimdal/lib/gssapi/mech/cred.h create mode 100644 third_party/heimdal/lib/gssapi/mech/doxygen.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_accept_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_acquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_acquire_cred_from.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_acquire_cred_impersonate_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_acquire_cred_with_password.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_add_cred.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_add_cred_from.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_add_cred_with_password.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_aeap.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_authorize_localname.c 
create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_buffer_set.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_canonicalize_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_compare_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_context_time.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_create_empty_oid_set.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_cred.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_decapsulate_token.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_delete_name_attribute.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_delete_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_destroy_cred.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_display_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_display_name_ext.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_display_status.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_duplicate_cred.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_duplicate_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_duplicate_oid.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_duplicate_oid_set.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_encapsulate_token.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_export_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_export_name_composite.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_export_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_get_mic.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_get_name_attribute.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_get_neg_mechs.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_import_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_import_sec_context.c create 
mode 100644 third_party/heimdal/lib/gssapi/mech/gss_indicate_mechs.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_init_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_inquire_context.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_inquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_inquire_cred_by_mech.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_inquire_mechs_for_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_inquire_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_inquire_names_for_mech.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_krb5.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_mech_switch.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_mo.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_names.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_oid.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_oid_equal.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_oid_to_str.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_pname_to_uid.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_process_context_token.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_pseudo_random.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_release_buffer.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_release_cred.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_release_name.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_release_oid.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_release_oid_set.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_rfc4121.c create mode 100644 
third_party/heimdal/lib/gssapi/mech/gss_seal.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_set_cred_option.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_set_name_attribute.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_set_neg_mechs.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_set_sec_context_option.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_sign.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_store_cred.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_store_cred_into.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_test_oid_set_member.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_unseal.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_unwrap.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_utils.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_verify.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_verify_mic.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_wrap.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gss_wrap_size_limit.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gssapi.asn1 create mode 100644 third_party/heimdal/lib/gssapi/mech/gssspi_exchange_meta_data.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gssspi_query_mechanism_info.c create mode 100644 third_party/heimdal/lib/gssapi/mech/gssspi_query_meta_data.c create mode 100644 third_party/heimdal/lib/gssapi/mech/mech.5 create mode 100644 third_party/heimdal/lib/gssapi/mech/mech_locl.h create mode 100644 third_party/heimdal/lib/gssapi/mech/mech_switch.h create mode 100644 third_party/heimdal/lib/gssapi/mech/name.h create mode 100644 third_party/heimdal/lib/gssapi/mech/utils.h create mode 100644 third_party/heimdal/lib/gssapi/netlogon/accept_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/acquire_cred.c create mode 100644 
third_party/heimdal/lib/gssapi/netlogon/add_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/canonicalize_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/compare_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/context_time.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/crypto.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/delete_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/display_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/display_status.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/duplicate_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/duplicate_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/export_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/export_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/external.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/import_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/import_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/indicate_mechs.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/init_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_context.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_cred_by_mech.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_mechs_for_name.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/inquire_names_for_mech.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/iter_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/netlogon.h create mode 100644 third_party/heimdal/lib/gssapi/netlogon/process_context_token.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/regen.sh create mode 100644 
third_party/heimdal/lib/gssapi/netlogon/release_cred.c create mode 100644 third_party/heimdal/lib/gssapi/netlogon/release_name.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/accept_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/acquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/add_cred.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/canonicalize_name.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/compare_name.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/context_time.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/creds.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/crypto.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/delete_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/display_name.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/display_status.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/duplicate_cred.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/duplicate_name.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/export_name.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/export_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/external.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/import_name.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/import_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/indicate_mechs.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/init_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/inquire_context.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/inquire_cred_by_mech.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/inquire_mechs_for_name.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/inquire_names_for_mech.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/inquire_sec_context_by_oid.c create mode 100644 
third_party/heimdal/lib/gssapi/ntlm/iter_cred.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/kdc.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/ntlm.h create mode 100644 third_party/heimdal/lib/gssapi/ntlm/process_context_token.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/release_cred.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/release_name.c create mode 100644 third_party/heimdal/lib/gssapi/ntlm/set_sec_context_option.c create mode 100644 third_party/heimdal/lib/gssapi/oid.txt create mode 100644 third_party/heimdal/lib/gssapi/sanon/accept_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/acquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/add_cred.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/canonicalize_name.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/compare_name.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/context_time.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/crypto.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/delete_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/display_name.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/display_status.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/duplicate_cred.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/duplicate_name.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/export_cred.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/export_name.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/export_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/external.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/import_cred.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/import_name.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/import_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/init_sec_context.c create mode 100644 
third_party/heimdal/lib/gssapi/sanon/inquire_context.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/inquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/inquire_cred_by_mech.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/inquire_mechs_for_name.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/inquire_names_for_mech.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/inquire_sec_context_by_oid.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/negoex.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/process_context_token.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/release_cred.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/release_name.c create mode 100644 third_party/heimdal/lib/gssapi/sanon/sanon_locl.h create mode 100644 third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/spnego/compat.c create mode 100644 third_party/heimdal/lib/gssapi/spnego/context_storage.c create mode 100644 third_party/heimdal/lib/gssapi/spnego/context_stubs.c create mode 100644 third_party/heimdal/lib/gssapi/spnego/external.c create mode 100644 third_party/heimdal/lib/gssapi/spnego/init_sec_context.c create mode 100644 third_party/heimdal/lib/gssapi/spnego/negoex_ctx.c create mode 100644 third_party/heimdal/lib/gssapi/spnego/negoex_err.et create mode 100644 third_party/heimdal/lib/gssapi/spnego/negoex_locl.h create mode 100644 third_party/heimdal/lib/gssapi/spnego/negoex_util.c create mode 100644 third_party/heimdal/lib/gssapi/spnego/spnego.asn1 create mode 100644 third_party/heimdal/lib/gssapi/spnego/spnego.opt create mode 100644 third_party/heimdal/lib/gssapi/spnego/spnego_locl.h create mode 100644 third_party/heimdal/lib/gssapi/test_acquire_cred.c create mode 100644 third_party/heimdal/lib/gssapi/test_add_store_cred.c create mode 100644 third_party/heimdal/lib/gssapi/test_common.c create mode 100644 
third_party/heimdal/lib/gssapi/test_common.h create mode 100644 third_party/heimdal/lib/gssapi/test_context.c create mode 100644 third_party/heimdal/lib/gssapi/test_cred.c create mode 100644 third_party/heimdal/lib/gssapi/test_kcred.c create mode 100644 third_party/heimdal/lib/gssapi/test_names.c create mode 100644 third_party/heimdal/lib/gssapi/test_negoex_mech.c create mode 100644 third_party/heimdal/lib/gssapi/test_ntlm.c create mode 100644 third_party/heimdal/lib/gssapi/test_oid.c create mode 100644 third_party/heimdal/lib/gssapi/version-script.map create mode 100644 third_party/heimdal/lib/hcrypto/ChangeLog create mode 100644 third_party/heimdal/lib/hcrypto/DESperate.txt create mode 100644 third_party/heimdal/lib/hcrypto/Makefile.am create mode 100644 third_party/heimdal/lib/hcrypto/NTMakefile create mode 100644 third_party/heimdal/lib/hcrypto/aes.c create mode 100644 third_party/heimdal/lib/hcrypto/aes.h create mode 100644 third_party/heimdal/lib/hcrypto/bn.c create mode 100644 third_party/heimdal/lib/hcrypto/bn.h create mode 100644 third_party/heimdal/lib/hcrypto/camellia-ntt.c create mode 100644 third_party/heimdal/lib/hcrypto/camellia-ntt.h create mode 100644 third_party/heimdal/lib/hcrypto/camellia.c create mode 100644 third_party/heimdal/lib/hcrypto/camellia.h create mode 100644 third_party/heimdal/lib/hcrypto/common.c create mode 100644 third_party/heimdal/lib/hcrypto/common.h create mode 100644 third_party/heimdal/lib/hcrypto/des-tables.h create mode 100644 third_party/heimdal/lib/hcrypto/des.c create mode 100644 third_party/heimdal/lib/hcrypto/des.h create mode 100644 third_party/heimdal/lib/hcrypto/destest.c create mode 100644 third_party/heimdal/lib/hcrypto/dh-ltm.c create mode 100644 third_party/heimdal/lib/hcrypto/dh-tfm.c create mode 100644 third_party/heimdal/lib/hcrypto/dh.c create mode 100644 third_party/heimdal/lib/hcrypto/dh.h create mode 100644 third_party/heimdal/lib/hcrypto/doxygen.c create mode 100644 
third_party/heimdal/lib/hcrypto/dsa.c create mode 100644 third_party/heimdal/lib/hcrypto/dsa.h create mode 100644 third_party/heimdal/lib/hcrypto/ec.c create mode 100644 third_party/heimdal/lib/hcrypto/ec.h create mode 100644 third_party/heimdal/lib/hcrypto/ecdh.h create mode 100644 third_party/heimdal/lib/hcrypto/ecdsa.h create mode 100644 third_party/heimdal/lib/hcrypto/engine.c create mode 100644 third_party/heimdal/lib/hcrypto/engine.h create mode 100644 third_party/heimdal/lib/hcrypto/evp-cc.c create mode 100644 third_party/heimdal/lib/hcrypto/evp-cc.h create mode 100644 third_party/heimdal/lib/hcrypto/evp-crypt.c create mode 100644 third_party/heimdal/lib/hcrypto/evp-hcrypto.c create mode 100644 third_party/heimdal/lib/hcrypto/evp-hcrypto.h create mode 100644 third_party/heimdal/lib/hcrypto/evp-openssl.c create mode 100644 third_party/heimdal/lib/hcrypto/evp-openssl.h create mode 100644 third_party/heimdal/lib/hcrypto/evp-pkcs11.c create mode 100644 third_party/heimdal/lib/hcrypto/evp-pkcs11.h create mode 100644 third_party/heimdal/lib/hcrypto/evp-w32.c create mode 100644 third_party/heimdal/lib/hcrypto/evp-w32.h create mode 100644 third_party/heimdal/lib/hcrypto/evp-wincng.c create mode 100644 third_party/heimdal/lib/hcrypto/evp-wincng.h create mode 100644 third_party/heimdal/lib/hcrypto/evp.c create mode 100644 third_party/heimdal/lib/hcrypto/evp.h create mode 100644 third_party/heimdal/lib/hcrypto/example_evp_cipher.c create mode 100644 third_party/heimdal/lib/hcrypto/gen-des.pl create mode 100644 third_party/heimdal/lib/hcrypto/hash.h create mode 100644 third_party/heimdal/lib/hcrypto/hmac.c create mode 100644 third_party/heimdal/lib/hcrypto/hmac.h create mode 100644 third_party/heimdal/lib/hcrypto/libhcrypto-exports.def create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/LICENSE create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/NTMakefile create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/README.md create mode 100644 
third_party/heimdal/lib/hcrypto/libtommath/appveyor.yml create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/astylerc create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_cutoffs.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_deprecated.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_2expt.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_abs.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_add.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_add_d.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_addmod.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_and.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_clamp.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_clear.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_clear_multi.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_cmp.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_cmp_d.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_cmp_mag.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_cnt_lsb.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_complement.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_copy.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_count_bits.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_decr.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_div.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_div_2.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_div_2d.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_div_3.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_div_d.c create mode 100644 
third_party/heimdal/lib/hcrypto/libtommath/bn_mp_dr_is_modulus.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_dr_reduce.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_dr_setup.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_error_to_string.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_exch.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_expt_u32.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_exptmod.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_exteuclid.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_fread.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_from_sbin.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_from_ubin.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_fwrite.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_gcd.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_get_double.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_get_i32.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_get_i64.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_get_l.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_get_ll.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_get_mag_u32.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_get_mag_u64.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_get_mag_ul.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_get_mag_ull.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_grow.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_incr.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init.c create mode 100644 
third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_copy.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_i32.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_i64.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_l.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_ll.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_multi.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_set.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_size.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_u32.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_u64.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_ul.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_init_ull.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_invmod.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_is_square.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_iseven.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_isodd.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_kronecker.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_lcm.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_log_u32.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_lshd.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_mod.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_mod_2d.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_mod_d.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_montgomery_calc_normalization.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_montgomery_reduce.c create mode 100644 
third_party/heimdal/lib/hcrypto/libtommath/bn_mp_montgomery_setup.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_mul.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_mul_2d.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_mul_d.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_mulmod.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_neg.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_or.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_pack.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_pack_count.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_prime_fermat.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_prime_frobenius_underwood.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_prime_is_prime.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_prime_miller_rabin.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_prime_next_prime.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_prime_rabin_miller_trials.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_prime_rand.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_prime_strong_lucas_selfridge.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_radix_size.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_radix_smap.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_rand.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_read_radix.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_reduce.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k.c create mode 100644 
third_party/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_l.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_2k_setup_l.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_is_2k_l.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_reduce_setup.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_root_u32.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_rshd.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_sbin_size.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set_double.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set_i32.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set_i64.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set_l.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set_ll.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set_u32.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set_u64.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set_ul.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_set_ull.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_shrink.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_signed_rsh.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_sqr.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_sqrmod.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_sqrt.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_sqrtmod_prime.c create mode 100644 
third_party/heimdal/lib/hcrypto/libtommath/bn_mp_sub.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_sub_d.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_submod.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_to_radix.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_to_sbin.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_to_ubin.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_ubin_size.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_unpack.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_xor.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_mp_zero.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_prime_tab.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_add.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_balance_mul.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_exptmod.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_exptmod_fast.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_get_bit.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_invmod_fast.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_invmod_slow.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_karatsuba_mul.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_karatsuba_sqr.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_montgomery_reduce_fast.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_mul_digs.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_mul_digs_fast.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_mul_high_digs.c create mode 100644 
third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_mul_high_digs_fast.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_prime_is_divisible.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_rand_jenkins.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_rand_platform.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_reverse.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_sqr.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_sqr_fast.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_sub.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_toom_mul.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/bn_s_mp_toom_sqr.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/changes.txt create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/demo/mtest_opponent.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/demo/shared.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/demo/shared.h create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/demo/test.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/demo/timing.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/doc/bn.pdf create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/doc/bn.tex create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/2kprime.1 create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/2kprime.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/drprime.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/drprimes.28 create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/drprimes.txt create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/makefile create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/makefile.icc create mode 100644 
third_party/heimdal/lib/hcrypto/libtommath/etc/makefile.msvc create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/mersenne.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/mont.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/pprime.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/prime.1024 create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/prime.512 create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/timer.asm create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/etc/tune.c create mode 100755 third_party/heimdal/lib/hcrypto/libtommath/etc/tune_it.sh create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/gen.pl create mode 100755 third_party/heimdal/lib/hcrypto/libtommath/helper.pl create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/libtommath.pc.in create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/libtommath_VS2008.sln create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/libtommath_VS2008.vcproj create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/README create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/add.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/addsub.png create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/expt.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/expt.png create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/expt_2k.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/expt_2kl.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/expt_dr.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/graphs.dem create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/index.html create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/invmod.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/invmod.png create mode 
100644 third_party/heimdal/lib/hcrypto/libtommath/logs/mult.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/mult.png create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/mult_kara.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/sqr.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/sqr_kara.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/logs/sub.log create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/makefile create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/makefile.mingw create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/makefile.msvc create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/makefile.shared create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/makefile.unix create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/makefile_include.mk create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/mtest/logtab.h create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/mtest/mpi-config.h create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/mtest/mpi-types.h create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/mtest/mpi.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/mtest/mpi.h create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/mtest/mtest.c create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/pre_gen/mpi.c create mode 100755 third_party/heimdal/lib/hcrypto/libtommath/testme.sh create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/tommath.def create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/tommath.h create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/tommath_class.h create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/tommath_cutoffs.h create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/tommath_private.h create mode 100644 third_party/heimdal/lib/hcrypto/libtommath/tommath_superclass.h create mode 
100644 third_party/heimdal/lib/hcrypto/md2.c create mode 100644 third_party/heimdal/lib/hcrypto/md2.h create mode 100644 third_party/heimdal/lib/hcrypto/md4.c create mode 100644 third_party/heimdal/lib/hcrypto/md4.h create mode 100644 third_party/heimdal/lib/hcrypto/md5.c create mode 100644 third_party/heimdal/lib/hcrypto/md5.h create mode 100644 third_party/heimdal/lib/hcrypto/md5crypt_test.c create mode 100644 third_party/heimdal/lib/hcrypto/mdtest.c create mode 100644 third_party/heimdal/lib/hcrypto/passwd_dialog.aps create mode 100644 third_party/heimdal/lib/hcrypto/passwd_dialog.clw create mode 100644 third_party/heimdal/lib/hcrypto/passwd_dialog.rc create mode 100644 third_party/heimdal/lib/hcrypto/passwd_dialog.res create mode 100644 third_party/heimdal/lib/hcrypto/passwd_dlg.c create mode 100644 third_party/heimdal/lib/hcrypto/passwd_dlg.h create mode 100644 third_party/heimdal/lib/hcrypto/pkcs12.c create mode 100644 third_party/heimdal/lib/hcrypto/pkcs12.h create mode 100644 third_party/heimdal/lib/hcrypto/pkcs5.c create mode 100644 third_party/heimdal/lib/hcrypto/rand-fortuna.c create mode 100644 third_party/heimdal/lib/hcrypto/rand-timer.c create mode 100644 third_party/heimdal/lib/hcrypto/rand-unix.c create mode 100644 third_party/heimdal/lib/hcrypto/rand-w32.c create mode 100644 third_party/heimdal/lib/hcrypto/rand.c create mode 100644 third_party/heimdal/lib/hcrypto/rand.h create mode 100644 third_party/heimdal/lib/hcrypto/randi.h create mode 100644 third_party/heimdal/lib/hcrypto/rc2.c create mode 100644 third_party/heimdal/lib/hcrypto/rc2.h create mode 100644 third_party/heimdal/lib/hcrypto/rc2test.c create mode 100644 third_party/heimdal/lib/hcrypto/rc4.c create mode 100644 third_party/heimdal/lib/hcrypto/rc4.h create mode 100644 third_party/heimdal/lib/hcrypto/rctest.c create mode 100644 third_party/heimdal/lib/hcrypto/resource.h create mode 100644 third_party/heimdal/lib/hcrypto/rijndael-alg-fst.c create mode 100644 
third_party/heimdal/lib/hcrypto/rijndael-alg-fst.h create mode 100644 third_party/heimdal/lib/hcrypto/rnd_keys.c create mode 100644 third_party/heimdal/lib/hcrypto/rsa-gmp.c create mode 100644 third_party/heimdal/lib/hcrypto/rsa-ltm.c create mode 100644 third_party/heimdal/lib/hcrypto/rsa-tfm.c create mode 100644 third_party/heimdal/lib/hcrypto/rsa.c create mode 100644 third_party/heimdal/lib/hcrypto/rsa.h create mode 100644 third_party/heimdal/lib/hcrypto/rsakey.der create mode 100644 third_party/heimdal/lib/hcrypto/rsakey2048.der create mode 100644 third_party/heimdal/lib/hcrypto/rsakey4096.der create mode 100644 third_party/heimdal/lib/hcrypto/sha.c create mode 100644 third_party/heimdal/lib/hcrypto/sha.h create mode 100644 third_party/heimdal/lib/hcrypto/sha256.c create mode 100644 third_party/heimdal/lib/hcrypto/sha512.c create mode 100644 third_party/heimdal/lib/hcrypto/test_bn.c create mode 100644 third_party/heimdal/lib/hcrypto/test_bulk.c create mode 100644 third_party/heimdal/lib/hcrypto/test_cipher.c create mode 100644 third_party/heimdal/lib/hcrypto/test_crypto.in create mode 100644 third_party/heimdal/lib/hcrypto/test_dh.c create mode 100644 third_party/heimdal/lib/hcrypto/test_engine_dso.c create mode 100644 third_party/heimdal/lib/hcrypto/test_hmac.c create mode 100644 third_party/heimdal/lib/hcrypto/test_pkcs12.c create mode 100644 third_party/heimdal/lib/hcrypto/test_pkcs5.c create mode 100644 third_party/heimdal/lib/hcrypto/test_rand.c create mode 100644 third_party/heimdal/lib/hcrypto/test_rsa.c create mode 100644 third_party/heimdal/lib/hcrypto/ui.c create mode 100644 third_party/heimdal/lib/hcrypto/ui.h create mode 100644 third_party/heimdal/lib/hcrypto/undef.h create mode 100644 third_party/heimdal/lib/hcrypto/validate.c create mode 100644 third_party/heimdal/lib/hcrypto/version-script.map create mode 100644 third_party/heimdal/lib/hcrypto/x25519/NTMakefile create mode 100644 third_party/heimdal/lib/hcrypto/x25519/align.h create mode 100644 
third_party/heimdal/lib/hcrypto/x25519/ed25519_ref10.c create mode 100644 third_party/heimdal/lib/hcrypto/x25519/ed25519_ref10.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/ed25519_ref10_fe_25_5.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/ed25519_ref10_fe_51.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/fe_25_5/base.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/fe_25_5/base2.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/fe_25_5/constants.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/fe_25_5/fe.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/fe_51/base.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/fe_51/base2.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/fe_51/constants.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/fe_51/fe.h create mode 100644 third_party/heimdal/lib/hcrypto/x25519/x25519_ref10.c create mode 100644 third_party/heimdal/lib/hcrypto/x25519_ref10.h create mode 100644 third_party/heimdal/lib/hdb/Makefile.am create mode 100644 third_party/heimdal/lib/hdb/NTMakefile create mode 100644 third_party/heimdal/lib/hdb/common.c create mode 100644 third_party/heimdal/lib/hdb/data-mkey.mit.des3.be create mode 100644 third_party/heimdal/lib/hdb/data-mkey.mit.des3.le create mode 100644 third_party/heimdal/lib/hdb/db.c create mode 100644 third_party/heimdal/lib/hdb/db3.c create mode 100644 third_party/heimdal/lib/hdb/dbinfo.c create mode 100644 third_party/heimdal/lib/hdb/ext.c create mode 100644 third_party/heimdal/lib/hdb/hdb-keytab.c create mode 100644 third_party/heimdal/lib/hdb/hdb-ldap.c create mode 100644 third_party/heimdal/lib/hdb/hdb-mdb.c create mode 100644 third_party/heimdal/lib/hdb/hdb-mitdb.c create mode 100644 third_party/heimdal/lib/hdb/hdb-sqlite.c create mode 100644 third_party/heimdal/lib/hdb/hdb.asn1 create mode 100644 third_party/heimdal/lib/hdb/hdb.c create mode 100644 third_party/heimdal/lib/hdb/hdb.h 
create mode 100644 third_party/heimdal/lib/hdb/hdb.opt create mode 100644 third_party/heimdal/lib/hdb/hdb.schema create mode 100644 third_party/heimdal/lib/hdb/hdb_err.et create mode 100644 third_party/heimdal/lib/hdb/hdb_locl.h create mode 100644 third_party/heimdal/lib/hdb/keys.c create mode 100644 third_party/heimdal/lib/hdb/keytab.c create mode 100644 third_party/heimdal/lib/hdb/libhdb-exports.def create mode 100644 third_party/heimdal/lib/hdb/libhdb-version.rc create mode 100644 third_party/heimdal/lib/hdb/mkey.c create mode 100644 third_party/heimdal/lib/hdb/ndbm.c create mode 100644 third_party/heimdal/lib/hdb/print.c create mode 100644 third_party/heimdal/lib/hdb/test_concurrency.c create mode 100644 third_party/heimdal/lib/hdb/test_dbinfo.c create mode 100644 third_party/heimdal/lib/hdb/test_hdbkeys.c create mode 100644 third_party/heimdal/lib/hdb/test_mkey.c create mode 100644 third_party/heimdal/lib/hdb/test_namespace.c create mode 100644 third_party/heimdal/lib/hdb/version-script.map create mode 100644 third_party/heimdal/lib/heimdal/NTMakefile create mode 100644 third_party/heimdal/lib/heimdal/heimdal-version.rc create mode 100644 third_party/heimdal/lib/hx509/ChangeLog create mode 100644 third_party/heimdal/lib/hx509/Makefile.am create mode 100644 third_party/heimdal/lib/hx509/NTMakefile create mode 100644 third_party/heimdal/lib/hx509/TODO create mode 100644 third_party/heimdal/lib/hx509/ca.c create mode 100644 third_party/heimdal/lib/hx509/cert.c create mode 100644 third_party/heimdal/lib/hx509/char_map.h create mode 100644 third_party/heimdal/lib/hx509/cms.c create mode 100644 third_party/heimdal/lib/hx509/collector.c create mode 100644 third_party/heimdal/lib/hx509/crypto-ec.c create mode 100644 third_party/heimdal/lib/hx509/crypto.c create mode 100644 third_party/heimdal/lib/hx509/data/PKITS.pdf create mode 100644 third_party/heimdal/lib/hx509/data/PKITS_data.zip create mode 100644 third_party/heimdal/lib/hx509/data/bleichenbacher-bad.pem create 
mode 100644 third_party/heimdal/lib/hx509/data/bleichenbacher-good.pem create mode 100644 third_party/heimdal/lib/hx509/data/bleichenbacher-sf-pad-correct.pem create mode 100644 third_party/heimdal/lib/hx509/data/ca.crt create mode 100644 third_party/heimdal/lib/hx509/data/ca.key create mode 100644 third_party/heimdal/lib/hx509/data/crl1.crl create mode 100644 third_party/heimdal/lib/hx509/data/crl1.der create mode 100644 third_party/heimdal/lib/hx509/data/eccurve.pem create mode 100755 third_party/heimdal/lib/hx509/data/gen-req.sh create mode 100644 third_party/heimdal/lib/hx509/data/https.crt create mode 100644 third_party/heimdal/lib/hx509/data/https.key create mode 100644 third_party/heimdal/lib/hx509/data/j.pem create mode 100644 third_party/heimdal/lib/hx509/data/kdc.crt create mode 100644 third_party/heimdal/lib/hx509/data/kdc.key create mode 100644 third_party/heimdal/lib/hx509/data/key.der create mode 100644 third_party/heimdal/lib/hx509/data/key2.der create mode 100755 third_party/heimdal/lib/hx509/data/mkcert.sh create mode 100644 third_party/heimdal/lib/hx509/data/n0ll.pem create mode 100644 third_party/heimdal/lib/hx509/data/nist-data create mode 100644 third_party/heimdal/lib/hx509/data/nist-data2 create mode 100644 third_party/heimdal/lib/hx509/data/nist-result2 create mode 100644 third_party/heimdal/lib/hx509/data/no-proxy-test.crt create mode 100644 third_party/heimdal/lib/hx509/data/no-proxy-test.key create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-req1.der create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-req2.der create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-resp1-2.der create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-resp1-3.der create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-resp1-ca.der create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-resp1-keyhash.der create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-resp1-ocsp-no-cert.der create mode 100644 
third_party/heimdal/lib/hx509/data/ocsp-resp1-ocsp.der create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-resp1.der create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-resp2.der create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-responder.crt create mode 100644 third_party/heimdal/lib/hx509/data/ocsp-responder.key create mode 100644 third_party/heimdal/lib/hx509/data/openssl.1.0.cnf create mode 100644 third_party/heimdal/lib/hx509/data/openssl.1.1.cnf create mode 100644 third_party/heimdal/lib/hx509/data/pkinit-ec.crt create mode 100644 third_party/heimdal/lib/hx509/data/pkinit-ec.key create mode 100644 third_party/heimdal/lib/hx509/data/pkinit-proxy-chain.crt create mode 100644 third_party/heimdal/lib/hx509/data/pkinit-proxy.crt create mode 100644 third_party/heimdal/lib/hx509/data/pkinit-proxy.key create mode 100644 third_party/heimdal/lib/hx509/data/pkinit-pw.key create mode 100644 third_party/heimdal/lib/hx509/data/pkinit.crt create mode 100644 third_party/heimdal/lib/hx509/data/pkinit.key create mode 100644 third_party/heimdal/lib/hx509/data/proxy-level-test.crt create mode 100644 third_party/heimdal/lib/hx509/data/proxy-level-test.key create mode 100644 third_party/heimdal/lib/hx509/data/proxy-test.crt create mode 100644 third_party/heimdal/lib/hx509/data/proxy-test.key create mode 100644 third_party/heimdal/lib/hx509/data/proxy10-child-child-test.crt create mode 100644 third_party/heimdal/lib/hx509/data/proxy10-child-child-test.key create mode 100644 third_party/heimdal/lib/hx509/data/proxy10-child-test.crt create mode 100644 third_party/heimdal/lib/hx509/data/proxy10-child-test.key create mode 100644 third_party/heimdal/lib/hx509/data/proxy10-test.crt create mode 100644 third_party/heimdal/lib/hx509/data/proxy10-test.key create mode 100644 third_party/heimdal/lib/hx509/data/revoke.crt create mode 100644 third_party/heimdal/lib/hx509/data/revoke.key create mode 100644 third_party/heimdal/lib/hx509/data/secp256r1TestCA.cert.pem create 
mode 100644 third_party/heimdal/lib/hx509/data/secp256r1TestCA.key.pem create mode 100644 third_party/heimdal/lib/hx509/data/secp256r1TestCA.pem create mode 100644 third_party/heimdal/lib/hx509/data/secp256r2TestClient.cert.pem create mode 100644 third_party/heimdal/lib/hx509/data/secp256r2TestClient.key.pem create mode 100644 third_party/heimdal/lib/hx509/data/secp256r2TestClient.pem create mode 100644 third_party/heimdal/lib/hx509/data/secp256r2TestServer.cert.pem create mode 100644 third_party/heimdal/lib/hx509/data/secp256r2TestServer.key.pem create mode 100644 third_party/heimdal/lib/hx509/data/secp256r2TestServer.pem create mode 100644 third_party/heimdal/lib/hx509/data/sf-class2-root.pem create mode 100644 third_party/heimdal/lib/hx509/data/static-file create mode 100644 third_party/heimdal/lib/hx509/data/sub-ca.crt create mode 100644 third_party/heimdal/lib/hx509/data/sub-ca.key create mode 100644 third_party/heimdal/lib/hx509/data/sub-cert.crt create mode 100644 third_party/heimdal/lib/hx509/data/sub-cert.key create mode 100644 third_party/heimdal/lib/hx509/data/sub-cert.p12 create mode 100644 third_party/heimdal/lib/hx509/data/tcg-devid.pem create mode 100644 third_party/heimdal/lib/hx509/data/tcg-ek-cp.pem create mode 100644 third_party/heimdal/lib/hx509/data/test-ds-only.crt create mode 100644 third_party/heimdal/lib/hx509/data/test-ds-only.key create mode 100644 third_party/heimdal/lib/hx509/data/test-enveloped-aes-128 create mode 100644 third_party/heimdal/lib/hx509/data/test-enveloped-aes-256 create mode 100644 third_party/heimdal/lib/hx509/data/test-enveloped-des create mode 100644 third_party/heimdal/lib/hx509/data/test-enveloped-des-ede3 create mode 100644 third_party/heimdal/lib/hx509/data/test-enveloped-rc2-128 create mode 100644 third_party/heimdal/lib/hx509/data/test-enveloped-rc2-40 create mode 100644 third_party/heimdal/lib/hx509/data/test-enveloped-rc2-64 create mode 100644 third_party/heimdal/lib/hx509/data/test-ke-only.crt create mode 
100644 third_party/heimdal/lib/hx509/data/test-ke-only.key create mode 100644 third_party/heimdal/lib/hx509/data/test-nopw.p12 create mode 100644 third_party/heimdal/lib/hx509/data/test-pw.key create mode 100644 third_party/heimdal/lib/hx509/data/test-signed-data create mode 100644 third_party/heimdal/lib/hx509/data/test-signed-data-noattr create mode 100644 third_party/heimdal/lib/hx509/data/test-signed-data-noattr-nocerts create mode 100644 third_party/heimdal/lib/hx509/data/test-signed-sha-1 create mode 100644 third_party/heimdal/lib/hx509/data/test-signed-sha-256 create mode 100644 third_party/heimdal/lib/hx509/data/test-signed-sha-512 create mode 100644 third_party/heimdal/lib/hx509/data/test.combined.crt create mode 100644 third_party/heimdal/lib/hx509/data/test.crt create mode 100644 third_party/heimdal/lib/hx509/data/test.key create mode 100644 third_party/heimdal/lib/hx509/data/test.p12 create mode 100644 third_party/heimdal/lib/hx509/data/win-u16-in-printablestring.der create mode 100644 third_party/heimdal/lib/hx509/data/yutaka-pad-broken-ca.pem create mode 100644 third_party/heimdal/lib/hx509/data/yutaka-pad-broken-cert.pem create mode 100644 third_party/heimdal/lib/hx509/data/yutaka-pad-ok-ca.pem create mode 100644 third_party/heimdal/lib/hx509/data/yutaka-pad-ok-cert.pem create mode 100644 third_party/heimdal/lib/hx509/data/yutaka-pad.key create mode 100644 third_party/heimdal/lib/hx509/doxygen.c create mode 100644 third_party/heimdal/lib/hx509/env.c create mode 100644 third_party/heimdal/lib/hx509/error.c create mode 100644 third_party/heimdal/lib/hx509/file.c create mode 100644 third_party/heimdal/lib/hx509/hx509.h create mode 100644 third_party/heimdal/lib/hx509/hx509_err.et create mode 100644 third_party/heimdal/lib/hx509/hx_locl.h create mode 100644 third_party/heimdal/lib/hx509/hxtool-commands.in create mode 100644 third_party/heimdal/lib/hx509/hxtool-version.rc create mode 100644 third_party/heimdal/lib/hx509/hxtool.c create mode 100644 
third_party/heimdal/lib/hx509/keyset.c create mode 100644 third_party/heimdal/lib/hx509/ks_dir.c create mode 100644 third_party/heimdal/lib/hx509/ks_file.c create mode 100644 third_party/heimdal/lib/hx509/ks_keychain.c create mode 100644 third_party/heimdal/lib/hx509/ks_mem.c create mode 100644 third_party/heimdal/lib/hx509/ks_null.c create mode 100644 third_party/heimdal/lib/hx509/ks_p11.c create mode 100644 third_party/heimdal/lib/hx509/ks_p12.c create mode 100644 third_party/heimdal/lib/hx509/libhx509-exports.def create mode 100644 third_party/heimdal/lib/hx509/lock.c create mode 100644 third_party/heimdal/lib/hx509/name.c create mode 100644 third_party/heimdal/lib/hx509/peer.c create mode 100644 third_party/heimdal/lib/hx509/print.c create mode 100644 third_party/heimdal/lib/hx509/quote.py create mode 100644 third_party/heimdal/lib/hx509/ref/pkcs11.h create mode 100644 third_party/heimdal/lib/hx509/req.c create mode 100644 third_party/heimdal/lib/hx509/revoke.c create mode 100644 third_party/heimdal/lib/hx509/sel-gram.y create mode 100644 third_party/heimdal/lib/hx509/sel-lex.l create mode 100644 third_party/heimdal/lib/hx509/sel.c create mode 100644 third_party/heimdal/lib/hx509/sel.h create mode 100644 third_party/heimdal/lib/hx509/softp11.c create mode 100644 third_party/heimdal/lib/hx509/test_ca.in create mode 100644 third_party/heimdal/lib/hx509/test_cert.in create mode 100644 third_party/heimdal/lib/hx509/test_chain.in create mode 100644 third_party/heimdal/lib/hx509/test_cms.in create mode 100644 third_party/heimdal/lib/hx509/test_crypto.in create mode 100644 third_party/heimdal/lib/hx509/test_expr.c create mode 100644 third_party/heimdal/lib/hx509/test_java_pkcs11.in create mode 100644 third_party/heimdal/lib/hx509/test_name.c create mode 100644 third_party/heimdal/lib/hx509/test_nist.in create mode 100644 third_party/heimdal/lib/hx509/test_nist2.in create mode 100644 third_party/heimdal/lib/hx509/test_nist_cert.in create mode 100644 
third_party/heimdal/lib/hx509/test_nist_pkcs12.in create mode 100644 third_party/heimdal/lib/hx509/test_pkcs11.in create mode 100644 third_party/heimdal/lib/hx509/test_query.in create mode 100644 third_party/heimdal/lib/hx509/test_req.in create mode 100644 third_party/heimdal/lib/hx509/test_soft_pkcs11.c create mode 100644 third_party/heimdal/lib/hx509/test_windows.in create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-available1 create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-available2 create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-available3 create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-select create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-select1 create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-select2 create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-select3 create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-select4 create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-select5 create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-select6 create mode 100644 third_party/heimdal/lib/hx509/tst-crypto-select7 create mode 100644 third_party/heimdal/lib/hx509/version-script.map create mode 100644 third_party/heimdal/lib/ipc/Makefile.am create mode 100644 third_party/heimdal/lib/ipc/client.c create mode 100644 third_party/heimdal/lib/ipc/common.c create mode 100644 third_party/heimdal/lib/ipc/heim-ipc.h create mode 100644 third_party/heimdal/lib/ipc/heim_ipc.defs create mode 100644 third_party/heimdal/lib/ipc/heim_ipc_async.defs create mode 100644 third_party/heimdal/lib/ipc/heim_ipc_reply.defs create mode 100644 third_party/heimdal/lib/ipc/heim_ipc_types.h create mode 100644 third_party/heimdal/lib/ipc/hi_locl.h create mode 100644 third_party/heimdal/lib/ipc/server.c create mode 100644 third_party/heimdal/lib/ipc/tc.c create mode 100644 third_party/heimdal/lib/ipc/ts-http.c create mode 100644 third_party/heimdal/lib/ipc/ts.c create mode 100644 
third_party/heimdal/lib/kadm5/ChangeLog create mode 100644 third_party/heimdal/lib/kadm5/Makefile.am create mode 100644 third_party/heimdal/lib/kadm5/NTMakefile create mode 100644 third_party/heimdal/lib/kadm5/acl.c create mode 100644 third_party/heimdal/lib/kadm5/ad.c create mode 100644 third_party/heimdal/lib/kadm5/admin.h create mode 100644 third_party/heimdal/lib/kadm5/bump_pw_expire.c create mode 100644 third_party/heimdal/lib/kadm5/check-cracklib.pl create mode 100644 third_party/heimdal/lib/kadm5/chpass_c.c create mode 100644 third_party/heimdal/lib/kadm5/chpass_s.c create mode 100644 third_party/heimdal/lib/kadm5/client_glue.c create mode 100644 third_party/heimdal/lib/kadm5/common_glue.c create mode 100644 third_party/heimdal/lib/kadm5/context_s.c create mode 100644 third_party/heimdal/lib/kadm5/create_c.c create mode 100644 third_party/heimdal/lib/kadm5/create_s.c create mode 100644 third_party/heimdal/lib/kadm5/default_keys.c create mode 100644 third_party/heimdal/lib/kadm5/delete_c.c create mode 100644 third_party/heimdal/lib/kadm5/delete_s.c create mode 100644 third_party/heimdal/lib/kadm5/destroy_c.c create mode 100644 third_party/heimdal/lib/kadm5/destroy_s.c create mode 100644 third_party/heimdal/lib/kadm5/ent_setup.c create mode 100644 third_party/heimdal/lib/kadm5/error.c create mode 100644 third_party/heimdal/lib/kadm5/flush.c create mode 100644 third_party/heimdal/lib/kadm5/flush_c.c create mode 100644 third_party/heimdal/lib/kadm5/flush_s.c create mode 100644 third_party/heimdal/lib/kadm5/free.c create mode 100644 third_party/heimdal/lib/kadm5/get_c.c create mode 100644 third_party/heimdal/lib/kadm5/get_princs_c.c create mode 100644 third_party/heimdal/lib/kadm5/get_princs_s.c create mode 100644 third_party/heimdal/lib/kadm5/get_s.c create mode 100644 third_party/heimdal/lib/kadm5/init_c.c create mode 100644 third_party/heimdal/lib/kadm5/init_s.c create mode 100644 third_party/heimdal/lib/kadm5/iprop-commands.in create mode 100644 
third_party/heimdal/lib/kadm5/iprop-log-version.rc create mode 100644 third_party/heimdal/lib/kadm5/iprop-log.8 create mode 100644 third_party/heimdal/lib/kadm5/iprop-log.c create mode 100644 third_party/heimdal/lib/kadm5/iprop.8 create mode 100644 third_party/heimdal/lib/kadm5/iprop.h create mode 100644 third_party/heimdal/lib/kadm5/ipropd-master-version.rc create mode 100644 third_party/heimdal/lib/kadm5/ipropd-slave-version.rc create mode 100644 third_party/heimdal/lib/kadm5/ipropd_common.c create mode 100644 third_party/heimdal/lib/kadm5/ipropd_master.c create mode 100644 third_party/heimdal/lib/kadm5/ipropd_slave.c create mode 100644 third_party/heimdal/lib/kadm5/kadm5-hook.h create mode 100644 third_party/heimdal/lib/kadm5/kadm5-pwcheck.h create mode 100644 third_party/heimdal/lib/kadm5/kadm5_err.et create mode 100644 third_party/heimdal/lib/kadm5/kadm5_locl.h create mode 100644 third_party/heimdal/lib/kadm5/kadm5_pwcheck.3 create mode 100644 third_party/heimdal/lib/kadm5/keys.c create mode 100644 third_party/heimdal/lib/kadm5/libkadm5srv-exports.def create mode 100644 third_party/heimdal/lib/kadm5/libkadm5srv-version.rc create mode 100644 third_party/heimdal/lib/kadm5/log.c create mode 100644 third_party/heimdal/lib/kadm5/marshall.c create mode 100644 third_party/heimdal/lib/kadm5/modify_c.c create mode 100644 third_party/heimdal/lib/kadm5/modify_s.c create mode 100644 third_party/heimdal/lib/kadm5/password_quality.c create mode 100644 third_party/heimdal/lib/kadm5/private.h create mode 100644 third_party/heimdal/lib/kadm5/privs_c.c create mode 100644 third_party/heimdal/lib/kadm5/privs_s.c create mode 100644 third_party/heimdal/lib/kadm5/prune_c.c create mode 100644 third_party/heimdal/lib/kadm5/prune_s.c create mode 100644 third_party/heimdal/lib/kadm5/randkey_c.c create mode 100644 third_party/heimdal/lib/kadm5/randkey_s.c create mode 100644 third_party/heimdal/lib/kadm5/rename_c.c create mode 100644 third_party/heimdal/lib/kadm5/rename_s.c create mode 
100644 third_party/heimdal/lib/kadm5/sample_hook.c create mode 100644 third_party/heimdal/lib/kadm5/sample_passwd_check.c create mode 100644 third_party/heimdal/lib/kadm5/send_recv.c create mode 100644 third_party/heimdal/lib/kadm5/server_glue.c create mode 100644 third_party/heimdal/lib/kadm5/server_hooks.c create mode 100644 third_party/heimdal/lib/kadm5/set_keys.c create mode 100644 third_party/heimdal/lib/kadm5/set_modifier.c create mode 100644 third_party/heimdal/lib/kadm5/setkey3_s.c create mode 100644 third_party/heimdal/lib/kadm5/test_pw_quality.c create mode 100644 third_party/heimdal/lib/kadm5/version-script-client.map create mode 100644 third_party/heimdal/lib/kadm5/version-script.map create mode 100644 third_party/heimdal/lib/kafs/ChangeLog create mode 100644 third_party/heimdal/lib/kafs/Makefile.am create mode 100644 third_party/heimdal/lib/kafs/NTMakefile create mode 100644 third_party/heimdal/lib/kafs/afskrb5.c create mode 100644 third_party/heimdal/lib/kafs/afsl.exp create mode 100644 third_party/heimdal/lib/kafs/afslib.c create mode 100644 third_party/heimdal/lib/kafs/afslib.exp create mode 100644 third_party/heimdal/lib/kafs/afssys.c create mode 100644 third_party/heimdal/lib/kafs/afssysdefs.h create mode 100644 third_party/heimdal/lib/kafs/common.c create mode 100644 third_party/heimdal/lib/kafs/kafs.3 create mode 100644 third_party/heimdal/lib/kafs/kafs.h create mode 100644 third_party/heimdal/lib/kafs/kafs_locl.h create mode 100644 third_party/heimdal/lib/kafs/roken_rename.h create mode 100644 third_party/heimdal/lib/kafs/rxkad_kdf.c create mode 100644 third_party/heimdal/lib/kdfs/ChangeLog create mode 100644 third_party/heimdal/lib/kdfs/Makefile.am create mode 100644 third_party/heimdal/lib/kdfs/NTMakefile create mode 100644 third_party/heimdal/lib/kdfs/k5dfspag.c create mode 100644 third_party/heimdal/lib/krb5/Makefile.am create mode 100644 third_party/heimdal/lib/krb5/NTMakefile create mode 100644 third_party/heimdal/lib/krb5/acache.c create 
mode 100644 third_party/heimdal/lib/krb5/acl.c create mode 100644 third_party/heimdal/lib/krb5/add_et_list.c create mode 100644 third_party/heimdal/lib/krb5/addr_families.c create mode 100644 third_party/heimdal/lib/krb5/aes-test.c create mode 100644 third_party/heimdal/lib/krb5/an2ln_plugin.h create mode 100644 third_party/heimdal/lib/krb5/aname_to_localname.c create mode 100644 third_party/heimdal/lib/krb5/appdefault.c create mode 100644 third_party/heimdal/lib/krb5/asn1_glue.c create mode 100644 third_party/heimdal/lib/krb5/auth_context.c create mode 100644 third_party/heimdal/lib/krb5/authdata.c create mode 100644 third_party/heimdal/lib/krb5/build_ap_req.c create mode 100644 third_party/heimdal/lib/krb5/build_auth.c create mode 100644 third_party/heimdal/lib/krb5/cache.c create mode 100644 third_party/heimdal/lib/krb5/ccache_plugin.h create mode 100644 third_party/heimdal/lib/krb5/changepw.c create mode 100644 third_party/heimdal/lib/krb5/codec.c create mode 100644 third_party/heimdal/lib/krb5/config_file.c create mode 100644 third_party/heimdal/lib/krb5/constants.c create mode 100644 third_party/heimdal/lib/krb5/context.c create mode 100644 third_party/heimdal/lib/krb5/convert_creds.c create mode 100644 third_party/heimdal/lib/krb5/copy_host_realm.c create mode 100644 third_party/heimdal/lib/krb5/crc.c create mode 100644 third_party/heimdal/lib/krb5/creds.c create mode 100644 third_party/heimdal/lib/krb5/crypto-aes-sha1.c create mode 100644 third_party/heimdal/lib/krb5/crypto-aes-sha2.c create mode 100644 third_party/heimdal/lib/krb5/crypto-algs.c create mode 100644 third_party/heimdal/lib/krb5/crypto-arcfour.c create mode 100644 third_party/heimdal/lib/krb5/crypto-des-common.c create mode 100644 third_party/heimdal/lib/krb5/crypto-des.c create mode 100644 third_party/heimdal/lib/krb5/crypto-des3.c create mode 100644 third_party/heimdal/lib/krb5/crypto-evp.c create mode 100644 third_party/heimdal/lib/krb5/crypto-null.c create mode 100644 
third_party/heimdal/lib/krb5/crypto-pk.c create mode 100644 third_party/heimdal/lib/krb5/crypto-rand.c create mode 100644 third_party/heimdal/lib/krb5/crypto-stubs.c create mode 100644 third_party/heimdal/lib/krb5/crypto.c create mode 100644 third_party/heimdal/lib/krb5/crypto.h create mode 100644 third_party/heimdal/lib/krb5/data.c create mode 100644 third_party/heimdal/lib/krb5/db_plugin.c create mode 100644 third_party/heimdal/lib/krb5/db_plugin.h create mode 100644 third_party/heimdal/lib/krb5/dcache.c create mode 100644 third_party/heimdal/lib/krb5/deprecated.c create mode 100644 third_party/heimdal/lib/krb5/derived-key-test.c create mode 100644 third_party/heimdal/lib/krb5/digest.c create mode 100644 third_party/heimdal/lib/krb5/dll.c create mode 100644 third_party/heimdal/lib/krb5/doxygen.c create mode 100644 third_party/heimdal/lib/krb5/eai_to_heim_errno.c create mode 100644 third_party/heimdal/lib/krb5/enomem.c create mode 100644 third_party/heimdal/lib/krb5/error_string.c create mode 100644 third_party/heimdal/lib/krb5/expand_hostname.c create mode 100644 third_party/heimdal/lib/krb5/expand_path.c create mode 100644 third_party/heimdal/lib/krb5/fast.c create mode 100644 third_party/heimdal/lib/krb5/fcache.c create mode 100644 third_party/heimdal/lib/krb5/free.c create mode 100644 third_party/heimdal/lib/krb5/free_host_realm.c create mode 100644 third_party/heimdal/lib/krb5/generate_seq_number.c create mode 100644 third_party/heimdal/lib/krb5/generate_subkey.c create mode 100644 third_party/heimdal/lib/krb5/get_addrs.c create mode 100644 third_party/heimdal/lib/krb5/get_cred.c create mode 100644 third_party/heimdal/lib/krb5/get_default_principal.c create mode 100644 third_party/heimdal/lib/krb5/get_default_realm.c create mode 100644 third_party/heimdal/lib/krb5/get_for_creds.c create mode 100644 third_party/heimdal/lib/krb5/get_host_realm.c create mode 100644 third_party/heimdal/lib/krb5/get_in_tkt.c create mode 100644 
third_party/heimdal/lib/krb5/get_port.c create mode 100644 third_party/heimdal/lib/krb5/init_creds.c create mode 100644 third_party/heimdal/lib/krb5/init_creds_pw.c create mode 100644 third_party/heimdal/lib/krb5/k524_err.et create mode 100644 third_party/heimdal/lib/krb5/k5e1_err.et create mode 100644 third_party/heimdal/lib/krb5/kcm.c create mode 100644 third_party/heimdal/lib/krb5/kcm.h create mode 100644 third_party/heimdal/lib/krb5/kerberos.8 create mode 100644 third_party/heimdal/lib/krb5/keyblock.c create mode 100644 third_party/heimdal/lib/krb5/keytab.c create mode 100644 third_party/heimdal/lib/krb5/keytab_any.c create mode 100644 third_party/heimdal/lib/krb5/keytab_file.c create mode 100644 third_party/heimdal/lib/krb5/keytab_keyfile.c create mode 100644 third_party/heimdal/lib/krb5/keytab_memory.c create mode 100644 third_party/heimdal/lib/krb5/krb5-plugin.7 create mode 100644 third_party/heimdal/lib/krb5/krb5-v4compat.h create mode 100644 third_party/heimdal/lib/krb5/krb5.conf.5 create mode 100644 third_party/heimdal/lib/krb5/krb5.h create mode 100644 third_party/heimdal/lib/krb5/krb5.moduli create mode 100644 third_party/heimdal/lib/krb5/krb524_convert_creds_kdc.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_425_conv_principal.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_acl_match_file.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_aname_to_localname.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_appdefault.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_auth_context.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_c_make_checksum.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_ccapi.h create mode 100644 third_party/heimdal/lib/krb5/krb5_check_transited.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_create_checksum.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_creds.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_digest.3 create mode 100644 
third_party/heimdal/lib/krb5/krb5_eai_to_heim_errno.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_encrypt.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_err.et create mode 100644 third_party/heimdal/lib/krb5/krb5_find_padata.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_generate_random_block.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_get_all_client_addrs.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_get_credentials.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_get_creds.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_get_forwarded_creds.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_get_in_cred.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_get_init_creds.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_get_krbhst.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_getportbyname.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_init_context.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_is_thread_safe.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_krbhst_init.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_locl.h create mode 100644 third_party/heimdal/lib/krb5/krb5_mk_req.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_mk_safe.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_openlog.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_parse_name.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_principal.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_rcache.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_rd_error.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_rd_safe.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_set_default_realm.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_set_password.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_string_to_key.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_timeofday.3 create mode 100644 
third_party/heimdal/lib/krb5/krb5_verify_init_creds.3 create mode 100644 third_party/heimdal/lib/krb5/krb5_verify_user.3 create mode 100644 third_party/heimdal/lib/krb5/krb_err.et create mode 100644 third_party/heimdal/lib/krb5/krbhst-test.c create mode 100644 third_party/heimdal/lib/krb5/krbhst.c create mode 100644 third_party/heimdal/lib/krb5/krcache.c create mode 100644 third_party/heimdal/lib/krb5/kuserok.c create mode 100644 third_party/heimdal/lib/krb5/kuserok_plugin.h create mode 100644 third_party/heimdal/lib/krb5/kx509.c create mode 100644 third_party/heimdal/lib/krb5/kx509_err.et create mode 100644 third_party/heimdal/lib/krb5/libkrb5-exports.def.in create mode 100644 third_party/heimdal/lib/krb5/locate_plugin.h create mode 100644 third_party/heimdal/lib/krb5/log.c create mode 100644 third_party/heimdal/lib/krb5/mcache.c create mode 100644 third_party/heimdal/lib/krb5/misc.c create mode 100644 third_party/heimdal/lib/krb5/mit_glue.c create mode 100644 third_party/heimdal/lib/krb5/mk_cred.c create mode 100644 third_party/heimdal/lib/krb5/mk_error.c create mode 100644 third_party/heimdal/lib/krb5/mk_priv.c create mode 100644 third_party/heimdal/lib/krb5/mk_rep.c create mode 100644 third_party/heimdal/lib/krb5/mk_req.c create mode 100644 third_party/heimdal/lib/krb5/mk_req_ext.c create mode 100644 third_party/heimdal/lib/krb5/mk_safe.c create mode 100644 third_party/heimdal/lib/krb5/n-fold-test.c create mode 100644 third_party/heimdal/lib/krb5/n-fold.c create mode 100644 third_party/heimdal/lib/krb5/net_read.c create mode 100644 third_party/heimdal/lib/krb5/net_write.c create mode 100644 third_party/heimdal/lib/krb5/pac.c create mode 100644 third_party/heimdal/lib/krb5/padata.c create mode 100644 third_party/heimdal/lib/krb5/parse-name-test.c create mode 100644 third_party/heimdal/lib/krb5/pcache.c create mode 100644 third_party/heimdal/lib/krb5/pkinit-ec.c create mode 100644 third_party/heimdal/lib/krb5/pkinit.c create mode 100644 
third_party/heimdal/lib/krb5/plugin.c create mode 100644 third_party/heimdal/lib/krb5/principal.c create mode 100644 third_party/heimdal/lib/krb5/prog_setup.c create mode 100644 third_party/heimdal/lib/krb5/prompter_posix.c create mode 100644 third_party/heimdal/lib/krb5/pseudo-random-test.c create mode 100644 third_party/heimdal/lib/krb5/rd_cred.c create mode 100644 third_party/heimdal/lib/krb5/rd_error.c create mode 100644 third_party/heimdal/lib/krb5/rd_priv.c create mode 100644 third_party/heimdal/lib/krb5/rd_rep.c create mode 100644 third_party/heimdal/lib/krb5/rd_req.c create mode 100644 third_party/heimdal/lib/krb5/rd_safe.c create mode 100644 third_party/heimdal/lib/krb5/read_message.c create mode 100644 third_party/heimdal/lib/krb5/recvauth.c create mode 100644 third_party/heimdal/lib/krb5/replay.c create mode 100644 third_party/heimdal/lib/krb5/salt-aes-sha1.c create mode 100644 third_party/heimdal/lib/krb5/salt-aes-sha2.c create mode 100644 third_party/heimdal/lib/krb5/salt-arcfour.c create mode 100644 third_party/heimdal/lib/krb5/salt-des.c create mode 100644 third_party/heimdal/lib/krb5/salt-des3.c create mode 100644 third_party/heimdal/lib/krb5/salt.c create mode 100644 third_party/heimdal/lib/krb5/scache.c create mode 100644 third_party/heimdal/lib/krb5/send_to_kdc.c create mode 100644 third_party/heimdal/lib/krb5/send_to_kdc_plugin.h create mode 100644 third_party/heimdal/lib/krb5/sendauth.c create mode 100644 third_party/heimdal/lib/krb5/set_default_realm.c create mode 100644 third_party/heimdal/lib/krb5/sock_principal.c create mode 100755 third_party/heimdal/lib/krb5/sp800-108-kdf.c create mode 100644 third_party/heimdal/lib/krb5/store-int.c create mode 100644 third_party/heimdal/lib/krb5/store-int.h create mode 100644 third_party/heimdal/lib/krb5/store-test.c create mode 100644 third_party/heimdal/lib/krb5/store.c create mode 100644 third_party/heimdal/lib/krb5/store_emem.c create mode 100644 third_party/heimdal/lib/krb5/store_fd.c create mode 
100644 third_party/heimdal/lib/krb5/store_mem.c create mode 100644 third_party/heimdal/lib/krb5/store_sock.c create mode 100644 third_party/heimdal/lib/krb5/store_stdio.c create mode 100644 third_party/heimdal/lib/krb5/string-to-key-test.c create mode 100644 third_party/heimdal/lib/krb5/test_acl.c create mode 100644 third_party/heimdal/lib/krb5/test_addr.c create mode 100644 third_party/heimdal/lib/krb5/test_alname.c create mode 100644 third_party/heimdal/lib/krb5/test_ap-req.c create mode 100755 third_party/heimdal/lib/krb5/test_canon.c create mode 100644 third_party/heimdal/lib/krb5/test_cc.c create mode 100644 third_party/heimdal/lib/krb5/test_config.c create mode 100644 third_party/heimdal/lib/krb5/test_config_strings.cfg create mode 100644 third_party/heimdal/lib/krb5/test_crypto.c create mode 100644 third_party/heimdal/lib/krb5/test_crypto_wrapping.c create mode 100644 third_party/heimdal/lib/krb5/test_expand_toks.c create mode 100644 third_party/heimdal/lib/krb5/test_forward.c create mode 100644 third_party/heimdal/lib/krb5/test_fx.c create mode 100644 third_party/heimdal/lib/krb5/test_get_addrs.c create mode 100644 third_party/heimdal/lib/krb5/test_gic.c create mode 100644 third_party/heimdal/lib/krb5/test_hostname.c create mode 100644 third_party/heimdal/lib/krb5/test_keytab.c create mode 100644 third_party/heimdal/lib/krb5/test_kuserok.c create mode 100644 third_party/heimdal/lib/krb5/test_mem.c create mode 100644 third_party/heimdal/lib/krb5/test_mkforwardable.c create mode 100644 third_party/heimdal/lib/krb5/test_pac.c create mode 100644 third_party/heimdal/lib/krb5/test_pkinit_dh2key.c create mode 100644 third_party/heimdal/lib/krb5/test_pknistkdf.c create mode 100644 third_party/heimdal/lib/krb5/test_plugin.c create mode 100644 third_party/heimdal/lib/krb5/test_prf.c create mode 100644 third_party/heimdal/lib/krb5/test_princ.c create mode 100644 third_party/heimdal/lib/krb5/test_renew.c create mode 100644 third_party/heimdal/lib/krb5/test_rfc3961.c 
create mode 100644 third_party/heimdal/lib/krb5/test_set_kvno0.c create mode 100644 third_party/heimdal/lib/krb5/test_store.c create mode 100644 third_party/heimdal/lib/krb5/test_time.c create mode 100644 third_party/heimdal/lib/krb5/test_x500.c create mode 100644 third_party/heimdal/lib/krb5/ticket.c create mode 100644 third_party/heimdal/lib/krb5/time.c create mode 100644 third_party/heimdal/lib/krb5/transited.c create mode 100644 third_party/heimdal/lib/krb5/verify_init.c create mode 100644 third_party/heimdal/lib/krb5/verify_krb5_conf-version.rc create mode 100644 third_party/heimdal/lib/krb5/verify_krb5_conf.8 create mode 100644 third_party/heimdal/lib/krb5/verify_krb5_conf.c create mode 100644 third_party/heimdal/lib/krb5/verify_user.c create mode 100644 third_party/heimdal/lib/krb5/version-script.map create mode 100644 third_party/heimdal/lib/krb5/version.c create mode 100644 third_party/heimdal/lib/krb5/warn.c create mode 100644 third_party/heimdal/lib/krb5/write_message.c create mode 100644 third_party/heimdal/lib/libedit/COPYING create mode 100644 third_party/heimdal/lib/libedit/ChangeLog create mode 100644 third_party/heimdal/lib/libedit/INSTALL create mode 100644 third_party/heimdal/lib/libedit/Makefile.am create mode 100644 third_party/heimdal/lib/libedit/THANKS create mode 100644 third_party/heimdal/lib/libedit/acinclude.m4 create mode 100644 third_party/heimdal/lib/libedit/config.h.in create mode 100644 third_party/heimdal/lib/libedit/configure.ac create mode 100644 third_party/heimdal/lib/libedit/doc/Makefile.am create mode 100644 third_party/heimdal/lib/libedit/doc/editline.3.roff create mode 100644 third_party/heimdal/lib/libedit/doc/editrc.5.roff create mode 100644 third_party/heimdal/lib/libedit/doc/mdoc2man.awk create mode 100644 third_party/heimdal/lib/libedit/examples/Makefile.am create mode 100644 third_party/heimdal/lib/libedit/examples/fileman.c create mode 100644 third_party/heimdal/lib/libedit/examples/tc1.c create mode 100644 
third_party/heimdal/lib/libedit/examples/wtc1.c create mode 100644 third_party/heimdal/lib/libedit/libedit.pc.in create mode 100644 third_party/heimdal/lib/libedit/src/Makefile.am create mode 100644 third_party/heimdal/lib/libedit/src/chared.c create mode 100644 third_party/heimdal/lib/libedit/src/chared.h create mode 100644 third_party/heimdal/lib/libedit/src/chartype.c create mode 100644 third_party/heimdal/lib/libedit/src/chartype.h create mode 100644 third_party/heimdal/lib/libedit/src/common.c create mode 100644 third_party/heimdal/lib/libedit/src/editline.3 create mode 100644 third_party/heimdal/lib/libedit/src/editline.7 create mode 100644 third_party/heimdal/lib/libedit/src/editrc.5 create mode 100644 third_party/heimdal/lib/libedit/src/el.c create mode 100644 third_party/heimdal/lib/libedit/src/el.h create mode 100644 third_party/heimdal/lib/libedit/src/eln.c create mode 100644 third_party/heimdal/lib/libedit/src/emacs.c create mode 100644 third_party/heimdal/lib/libedit/src/filecomplete.c create mode 100644 third_party/heimdal/lib/libedit/src/filecomplete.h create mode 100644 third_party/heimdal/lib/libedit/src/getline.c create mode 100644 third_party/heimdal/lib/libedit/src/hist.c create mode 100644 third_party/heimdal/lib/libedit/src/hist.h create mode 100644 third_party/heimdal/lib/libedit/src/histedit.h create mode 100644 third_party/heimdal/lib/libedit/src/history.c create mode 100644 third_party/heimdal/lib/libedit/src/historyn.c create mode 100644 third_party/heimdal/lib/libedit/src/keymacro.c create mode 100644 third_party/heimdal/lib/libedit/src/keymacro.h create mode 100644 third_party/heimdal/lib/libedit/src/makelist create mode 100644 third_party/heimdal/lib/libedit/src/map.c create mode 100644 third_party/heimdal/lib/libedit/src/map.h create mode 100644 third_party/heimdal/lib/libedit/src/parse.c create mode 100644 third_party/heimdal/lib/libedit/src/parse.h create mode 100644 third_party/heimdal/lib/libedit/src/prompt.c create mode 100644 
third_party/heimdal/lib/libedit/src/prompt.h create mode 100644 third_party/heimdal/lib/libedit/src/read.c create mode 100644 third_party/heimdal/lib/libedit/src/read.h create mode 100644 third_party/heimdal/lib/libedit/src/readline.c create mode 100644 third_party/heimdal/lib/libedit/src/readline/readline.h create mode 100644 third_party/heimdal/lib/libedit/src/refresh.c create mode 100644 third_party/heimdal/lib/libedit/src/refresh.h create mode 100644 third_party/heimdal/lib/libedit/src/search.c create mode 100644 third_party/heimdal/lib/libedit/src/search.h create mode 100644 third_party/heimdal/lib/libedit/src/shlib_version create mode 100644 third_party/heimdal/lib/libedit/src/sig.c create mode 100644 third_party/heimdal/lib/libedit/src/sig.h create mode 100644 third_party/heimdal/lib/libedit/src/sys.h create mode 100644 third_party/heimdal/lib/libedit/src/terminal.c create mode 100644 third_party/heimdal/lib/libedit/src/terminal.h create mode 100644 third_party/heimdal/lib/libedit/src/tokenizer.c create mode 100644 third_party/heimdal/lib/libedit/src/tokenizern.c create mode 100644 third_party/heimdal/lib/libedit/src/tty.c create mode 100644 third_party/heimdal/lib/libedit/src/tty.h create mode 100644 third_party/heimdal/lib/libedit/src/unvis.c create mode 100644 third_party/heimdal/lib/libedit/src/vi.c create mode 100644 third_party/heimdal/lib/libedit/src/vis.c create mode 100644 third_party/heimdal/lib/libedit/src/vis.h create mode 100644 third_party/heimdal/lib/libedit/src/wcsdup.c create mode 100644 third_party/heimdal/lib/ntlm/ChangeLog create mode 100644 third_party/heimdal/lib/ntlm/Makefile.am create mode 100644 third_party/heimdal/lib/ntlm/NTMakefile create mode 100644 third_party/heimdal/lib/ntlm/apop.c create mode 100644 third_party/heimdal/lib/ntlm/digest.c create mode 100644 third_party/heimdal/lib/ntlm/heim-auth.h create mode 100644 third_party/heimdal/lib/ntlm/heimntlm.h create mode 100644 third_party/heimdal/lib/ntlm/libheimntlm-exports.def 
create mode 100644 third_party/heimdal/lib/ntlm/libheimntlm-version.rc create mode 100644 third_party/heimdal/lib/ntlm/ntlm.c create mode 100644 third_party/heimdal/lib/ntlm/ntlm_err.et create mode 100644 third_party/heimdal/lib/ntlm/test_commonauth.c create mode 100644 third_party/heimdal/lib/ntlm/test_ntlm.c create mode 100644 third_party/heimdal/lib/ntlm/version-script.map create mode 100644 third_party/heimdal/lib/otp/ChangeLog create mode 100644 third_party/heimdal/lib/otp/Makefile.am create mode 100644 third_party/heimdal/lib/otp/NTMakefile create mode 100644 third_party/heimdal/lib/otp/otp.c create mode 100644 third_party/heimdal/lib/otp/otp.h create mode 100644 third_party/heimdal/lib/otp/otp_challenge.c create mode 100644 third_party/heimdal/lib/otp/otp_db.c create mode 100644 third_party/heimdal/lib/otp/otp_locl.h create mode 100644 third_party/heimdal/lib/otp/otp_md.c create mode 100644 third_party/heimdal/lib/otp/otp_md.h create mode 100644 third_party/heimdal/lib/otp/otp_parse.c create mode 100644 third_party/heimdal/lib/otp/otp_print.c create mode 100644 third_party/heimdal/lib/otp/otp_verify.c create mode 100644 third_party/heimdal/lib/otp/otptest.c create mode 100644 third_party/heimdal/lib/otp/roken_rename.h create mode 100644 third_party/heimdal/lib/otp/version-script.map create mode 100644 third_party/heimdal/lib/roken/ChangeLog create mode 100644 third_party/heimdal/lib/roken/Makefile.am create mode 100644 third_party/heimdal/lib/roken/NTMakefile create mode 100644 third_party/heimdal/lib/roken/base32-test.c create mode 100644 third_party/heimdal/lib/roken/base32.c create mode 100644 third_party/heimdal/lib/roken/base32.h create mode 100644 third_party/heimdal/lib/roken/base64-test.c create mode 100644 third_party/heimdal/lib/roken/base64.c create mode 100644 third_party/heimdal/lib/roken/base64.h create mode 100644 third_party/heimdal/lib/roken/bswap.c create mode 100644 third_party/heimdal/lib/roken/chown.c create mode 100644 
third_party/heimdal/lib/roken/cloexec.c create mode 100644 third_party/heimdal/lib/roken/closefrom.c create mode 100644 third_party/heimdal/lib/roken/clz.c create mode 100644 third_party/heimdal/lib/roken/concat.c create mode 100644 third_party/heimdal/lib/roken/copyhostent.c create mode 100644 third_party/heimdal/lib/roken/ct.c create mode 100644 third_party/heimdal/lib/roken/daemon.c create mode 100644 third_party/heimdal/lib/roken/detach.c create mode 100644 third_party/heimdal/lib/roken/dirent-test.c create mode 100644 third_party/heimdal/lib/roken/dirent.c create mode 100644 third_party/heimdal/lib/roken/dirent.hin create mode 100644 third_party/heimdal/lib/roken/dlfcn.hin create mode 100644 third_party/heimdal/lib/roken/dlfcn_w32.c create mode 100644 third_party/heimdal/lib/roken/doxygen.c create mode 100644 third_party/heimdal/lib/roken/dumpdata.c create mode 100644 third_party/heimdal/lib/roken/ecalloc.3 create mode 100644 third_party/heimdal/lib/roken/ecalloc.c create mode 100644 third_party/heimdal/lib/roken/emalloc.c create mode 100644 third_party/heimdal/lib/roken/environment.c create mode 100644 third_party/heimdal/lib/roken/eread.c create mode 100644 third_party/heimdal/lib/roken/erealloc.c create mode 100644 third_party/heimdal/lib/roken/err.c create mode 100644 third_party/heimdal/lib/roken/err.hin create mode 100644 third_party/heimdal/lib/roken/errx.c create mode 100644 third_party/heimdal/lib/roken/esetenv.c create mode 100644 third_party/heimdal/lib/roken/estrdup.c create mode 100644 third_party/heimdal/lib/roken/ewrite.c create mode 100644 third_party/heimdal/lib/roken/fchown.c create mode 100644 third_party/heimdal/lib/roken/flock.c create mode 100644 third_party/heimdal/lib/roken/fnmatch.c create mode 100644 third_party/heimdal/lib/roken/fnmatch.hin create mode 100644 third_party/heimdal/lib/roken/freeaddrinfo.c create mode 100644 third_party/heimdal/lib/roken/freehostent.c create mode 100644 third_party/heimdal/lib/roken/fseeko.c create mode 
100644 third_party/heimdal/lib/roken/ftello.c create mode 100644 third_party/heimdal/lib/roken/gai_strerror.c create mode 100644 third_party/heimdal/lib/roken/get_window_size.c create mode 100644 third_party/heimdal/lib/roken/getaddrinfo-test.c create mode 100644 third_party/heimdal/lib/roken/getaddrinfo.c create mode 100644 third_party/heimdal/lib/roken/getaddrinfo_hostspec.c create mode 100644 third_party/heimdal/lib/roken/getarg.3 create mode 100644 third_party/heimdal/lib/roken/getarg.c create mode 100644 third_party/heimdal/lib/roken/getarg.h create mode 100644 third_party/heimdal/lib/roken/getauxval.c create mode 100644 third_party/heimdal/lib/roken/getauxval.h create mode 100644 third_party/heimdal/lib/roken/getcwd.c create mode 100644 third_party/heimdal/lib/roken/getdtablesize.c create mode 100644 third_party/heimdal/lib/roken/getegid.c create mode 100644 third_party/heimdal/lib/roken/geteuid.c create mode 100644 third_party/heimdal/lib/roken/getgid.c create mode 100644 third_party/heimdal/lib/roken/gethostname.c create mode 100644 third_party/heimdal/lib/roken/getifaddrs-test.c create mode 100644 third_party/heimdal/lib/roken/getifaddrs.c create mode 100644 third_party/heimdal/lib/roken/getifaddrs_w32.c create mode 100644 third_party/heimdal/lib/roken/getipnodebyaddr.c create mode 100644 third_party/heimdal/lib/roken/getipnodebyname.c create mode 100644 third_party/heimdal/lib/roken/getnameinfo.c create mode 100644 third_party/heimdal/lib/roken/getnameinfo_verified.c create mode 100644 third_party/heimdal/lib/roken/getopt.c create mode 100644 third_party/heimdal/lib/roken/getprogname.c create mode 100644 third_party/heimdal/lib/roken/gettimeofday.c create mode 100644 third_party/heimdal/lib/roken/getuid.c create mode 100644 third_party/heimdal/lib/roken/getuserinfo.c create mode 100644 third_party/heimdal/lib/roken/getusershell.c create mode 100644 third_party/heimdal/lib/roken/h_errno.c create mode 100644 third_party/heimdal/lib/roken/hex-test.c create 
mode 100644 third_party/heimdal/lib/roken/hex.c create mode 100644 third_party/heimdal/lib/roken/hex.h create mode 100644 third_party/heimdal/lib/roken/hostent_find_fqdn.c create mode 100644 third_party/heimdal/lib/roken/hstrerror.c create mode 100644 third_party/heimdal/lib/roken/ifaddrs.hin create mode 100644 third_party/heimdal/lib/roken/inet_aton.c create mode 100644 third_party/heimdal/lib/roken/inet_ntop.c create mode 100644 third_party/heimdal/lib/roken/inet_pton.c create mode 100644 third_party/heimdal/lib/roken/initgroups.c create mode 100644 third_party/heimdal/lib/roken/innetgr.c create mode 100644 third_party/heimdal/lib/roken/install-sh create mode 100644 third_party/heimdal/lib/roken/issuid.c create mode 100644 third_party/heimdal/lib/roken/localtime_r.c create mode 100644 third_party/heimdal/lib/roken/lstat.c create mode 100644 third_party/heimdal/lib/roken/memmem.c create mode 100644 third_party/heimdal/lib/roken/memmove.c create mode 100644 third_party/heimdal/lib/roken/memset_s.c create mode 100644 third_party/heimdal/lib/roken/mergesort.c create mode 100644 third_party/heimdal/lib/roken/mergesort_r.c create mode 100644 third_party/heimdal/lib/roken/mini_inetd.c create mode 100644 third_party/heimdal/lib/roken/missing create mode 100644 third_party/heimdal/lib/roken/mkdir.c create mode 100644 third_party/heimdal/lib/roken/mkdtemp.c create mode 100644 third_party/heimdal/lib/roken/mkinstalldirs create mode 100644 third_party/heimdal/lib/roken/mkostemp.c create mode 100644 third_party/heimdal/lib/roken/mkstemp.c create mode 100644 third_party/heimdal/lib/roken/ndbm_wrap.c create mode 100644 third_party/heimdal/lib/roken/ndbm_wrap.h create mode 100644 third_party/heimdal/lib/roken/net_read.c create mode 100644 third_party/heimdal/lib/roken/net_write.c create mode 100644 third_party/heimdal/lib/roken/parse_bytes-test.c create mode 100644 third_party/heimdal/lib/roken/parse_bytes.c create mode 100644 third_party/heimdal/lib/roken/parse_bytes.h create 
mode 100644 third_party/heimdal/lib/roken/parse_reply-test.c create mode 100644 third_party/heimdal/lib/roken/parse_time-test.c create mode 100644 third_party/heimdal/lib/roken/parse_time.3 create mode 100644 third_party/heimdal/lib/roken/parse_time.c create mode 100644 third_party/heimdal/lib/roken/parse_time.h create mode 100644 third_party/heimdal/lib/roken/parse_units.c create mode 100644 third_party/heimdal/lib/roken/parse_units.h create mode 100644 third_party/heimdal/lib/roken/putenv.c create mode 100644 third_party/heimdal/lib/roken/qsort.c create mode 100644 third_party/heimdal/lib/roken/rand.c create mode 100644 third_party/heimdal/lib/roken/rcmd.c create mode 100644 third_party/heimdal/lib/roken/readv.c create mode 100644 third_party/heimdal/lib/roken/realloc.c create mode 100644 third_party/heimdal/lib/roken/recvmsg.c create mode 100644 third_party/heimdal/lib/roken/rename.c create mode 100644 third_party/heimdal/lib/roken/resolve-test.c create mode 100644 third_party/heimdal/lib/roken/resolve.c create mode 100644 third_party/heimdal/lib/roken/resolve.h create mode 100644 third_party/heimdal/lib/roken/rkpty.c create mode 100644 third_party/heimdal/lib/roken/roken-common.h create mode 100644 third_party/heimdal/lib/roken/roken.awk create mode 100644 third_party/heimdal/lib/roken/roken.h.in create mode 100644 third_party/heimdal/lib/roken/roken_gethostby.c create mode 100644 third_party/heimdal/lib/roken/rtbl.3 create mode 100644 third_party/heimdal/lib/roken/rtbl.c create mode 100644 third_party/heimdal/lib/roken/rtbl.h create mode 100644 third_party/heimdal/lib/roken/search.hin create mode 100644 third_party/heimdal/lib/roken/secure_getenv.c create mode 100644 third_party/heimdal/lib/roken/secure_getenv.h create mode 100644 third_party/heimdal/lib/roken/sendmsg.c create mode 100644 third_party/heimdal/lib/roken/setegid.c create mode 100644 third_party/heimdal/lib/roken/setenv.c create mode 100644 third_party/heimdal/lib/roken/seteuid.c create mode 
100644 third_party/heimdal/lib/roken/setprogname.c create mode 100644 third_party/heimdal/lib/roken/signal.c create mode 100644 third_party/heimdal/lib/roken/simple_exec.c create mode 100644 third_party/heimdal/lib/roken/simple_exec_w32.c create mode 100644 third_party/heimdal/lib/roken/sleep.c create mode 100644 third_party/heimdal/lib/roken/snprintf-test.c create mode 100644 third_party/heimdal/lib/roken/snprintf.c create mode 100644 third_party/heimdal/lib/roken/socket.c create mode 100644 third_party/heimdal/lib/roken/socket_wrapper.c create mode 100644 third_party/heimdal/lib/roken/socket_wrapper.h create mode 100644 third_party/heimdal/lib/roken/sockstartup_w32.c create mode 100644 third_party/heimdal/lib/roken/stdbool.hin create mode 100644 third_party/heimdal/lib/roken/stdint.hin create mode 100644 third_party/heimdal/lib/roken/strcasecmp.c create mode 100644 third_party/heimdal/lib/roken/strcollect.c create mode 100644 third_party/heimdal/lib/roken/strdup.c create mode 100644 third_party/heimdal/lib/roken/strerror.c create mode 100644 third_party/heimdal/lib/roken/strerror_r.c create mode 100644 third_party/heimdal/lib/roken/strftime.c create mode 100644 third_party/heimdal/lib/roken/strlcat.c create mode 100644 third_party/heimdal/lib/roken/strlcpy.c create mode 100644 third_party/heimdal/lib/roken/strlwr.c create mode 100644 third_party/heimdal/lib/roken/strncasecmp.c create mode 100644 third_party/heimdal/lib/roken/strndup.c create mode 100644 third_party/heimdal/lib/roken/strnlen.c create mode 100644 third_party/heimdal/lib/roken/strpftime-test.c create mode 100644 third_party/heimdal/lib/roken/strpftime-test.h create mode 100644 third_party/heimdal/lib/roken/strpool.c create mode 100644 third_party/heimdal/lib/roken/strptime.c create mode 100644 third_party/heimdal/lib/roken/strsep.c create mode 100644 third_party/heimdal/lib/roken/strsep_copy.c create mode 100644 third_party/heimdal/lib/roken/strtok_r.c create mode 100644 
third_party/heimdal/lib/roken/strtoll.c create mode 100644 third_party/heimdal/lib/roken/strtoull.c create mode 100644 third_party/heimdal/lib/roken/strupr.c create mode 100644 third_party/heimdal/lib/roken/swab.c create mode 100644 third_party/heimdal/lib/roken/syslog.hin create mode 100644 third_party/heimdal/lib/roken/syslogc.c create mode 100644 third_party/heimdal/lib/roken/test-auxval.c create mode 100644 third_party/heimdal/lib/roken/test-detach.c create mode 100644 third_party/heimdal/lib/roken/test-getuserinfo.c create mode 100644 third_party/heimdal/lib/roken/test-mem.c create mode 100644 third_party/heimdal/lib/roken/test-mem.h create mode 100644 third_party/heimdal/lib/roken/test-mini_inetd.c create mode 100644 third_party/heimdal/lib/roken/test-readenv.c create mode 100644 third_party/heimdal/lib/roken/timegm.c create mode 100644 third_party/heimdal/lib/roken/timeval.c create mode 100644 third_party/heimdal/lib/roken/tm2time.c create mode 100644 third_party/heimdal/lib/roken/tsearch-test.c create mode 100644 third_party/heimdal/lib/roken/tsearch.c create mode 100644 third_party/heimdal/lib/roken/unsetenv.c create mode 100644 third_party/heimdal/lib/roken/unvis.c create mode 100644 third_party/heimdal/lib/roken/verr.c create mode 100644 third_party/heimdal/lib/roken/verrx.c create mode 100644 third_party/heimdal/lib/roken/version-script.map create mode 100644 third_party/heimdal/lib/roken/versionsupport.h create mode 100644 third_party/heimdal/lib/roken/vis-extras.h create mode 100644 third_party/heimdal/lib/roken/vis.c create mode 100644 third_party/heimdal/lib/roken/vis.hin create mode 100644 third_party/heimdal/lib/roken/vsyslog.c create mode 100644 third_party/heimdal/lib/roken/vwarn.c create mode 100644 third_party/heimdal/lib/roken/vwarnx.c create mode 100644 third_party/heimdal/lib/roken/warn.c create mode 100644 third_party/heimdal/lib/roken/warnerr.c create mode 100644 third_party/heimdal/lib/roken/warnx.c create mode 100644 
third_party/heimdal/lib/roken/win32_alloc.c create mode 100644 third_party/heimdal/lib/roken/win32_version.c create mode 100644 third_party/heimdal/lib/roken/write_pid.c create mode 100644 third_party/heimdal/lib/roken/writev.c create mode 100644 third_party/heimdal/lib/roken/xdbm.h create mode 100644 third_party/heimdal/lib/roken/xfree.c create mode 100644 third_party/heimdal/lib/sl/ChangeLog create mode 100644 third_party/heimdal/lib/sl/Makefile.am create mode 100644 third_party/heimdal/lib/sl/NTMakefile create mode 100644 third_party/heimdal/lib/sl/roken_rename.h create mode 100644 third_party/heimdal/lib/sl/sl.c create mode 100644 third_party/heimdal/lib/sl/sl.h create mode 100644 third_party/heimdal/lib/sl/sl_locl.h create mode 100644 third_party/heimdal/lib/sl/slc-gram.y create mode 100644 third_party/heimdal/lib/sl/slc-lex.l create mode 100644 third_party/heimdal/lib/sl/slc.h create mode 100644 third_party/heimdal/lib/sl/test_sl.c create mode 100644 third_party/heimdal/lib/sqlite/Makefile.am create mode 100644 third_party/heimdal/lib/sqlite/NTMakefile create mode 100644 third_party/heimdal/lib/sqlite/README create mode 100644 third_party/heimdal/lib/sqlite/sqlite3.c create mode 100644 third_party/heimdal/lib/sqlite/sqlite3.h create mode 100644 third_party/heimdal/lib/sqlite/sqlite3ext.h create mode 100644 third_party/heimdal/lib/vers/ChangeLog create mode 100644 third_party/heimdal/lib/vers/Makefile.am create mode 100644 third_party/heimdal/lib/vers/NTMakefile create mode 100644 third_party/heimdal/lib/vers/make-print-version.c create mode 100644 third_party/heimdal/lib/vers/print_version.c create mode 100644 third_party/heimdal/lib/vers/vers.h create mode 100644 third_party/heimdal/lib/wind/ChangeLog create mode 100644 third_party/heimdal/lib/wind/CompositionExclusions-3.2.0.txt create mode 100644 third_party/heimdal/lib/wind/DerivedNormalizationProps.txt create mode 100644 third_party/heimdal/lib/wind/Makefile.am create mode 100644 
third_party/heimdal/lib/wind/NTMakefile create mode 100644 third_party/heimdal/lib/wind/NormalizationCorrections.txt create mode 100644 third_party/heimdal/lib/wind/NormalizationTest.txt create mode 100644 third_party/heimdal/lib/wind/UnicodeData.py create mode 100644 third_party/heimdal/lib/wind/UnicodeData.txt create mode 100644 third_party/heimdal/lib/wind/bidi.c create mode 100644 third_party/heimdal/lib/wind/combining.c create mode 100644 third_party/heimdal/lib/wind/doxygen.c create mode 100644 third_party/heimdal/lib/wind/errorlist.c create mode 100644 third_party/heimdal/lib/wind/gen-bidi.py create mode 100644 third_party/heimdal/lib/wind/gen-combining.py create mode 100644 third_party/heimdal/lib/wind/gen-errorlist.py create mode 100644 third_party/heimdal/lib/wind/gen-map.py create mode 100644 third_party/heimdal/lib/wind/gen-normalize.py create mode 100644 third_party/heimdal/lib/wind/gen-punycode-examples.py create mode 100644 third_party/heimdal/lib/wind/generate.py create mode 100644 third_party/heimdal/lib/wind/idn-lookup.c create mode 100644 third_party/heimdal/lib/wind/ldap.c create mode 100644 third_party/heimdal/lib/wind/libwind-exports.def create mode 100644 third_party/heimdal/lib/wind/map.c create mode 100644 third_party/heimdal/lib/wind/normalize.c create mode 100644 third_party/heimdal/lib/wind/punycode.c create mode 100644 third_party/heimdal/lib/wind/rfc3454.py create mode 100644 third_party/heimdal/lib/wind/rfc4518.py create mode 100644 third_party/heimdal/lib/wind/stringprep.c create mode 100644 third_party/heimdal/lib/wind/stringprep.py create mode 100644 third_party/heimdal/lib/wind/test-bidi.c create mode 100644 third_party/heimdal/lib/wind/test-ldap.c create mode 100644 third_party/heimdal/lib/wind/test-map.c create mode 100644 third_party/heimdal/lib/wind/test-normalize.c create mode 100644 third_party/heimdal/lib/wind/test-prohibited.c create mode 100644 third_party/heimdal/lib/wind/test-punycode.c create mode 100644 
third_party/heimdal/lib/wind/test-rw.c create mode 100644 third_party/heimdal/lib/wind/test-utf8.c create mode 100644 third_party/heimdal/lib/wind/utf8.c create mode 100644 third_party/heimdal/lib/wind/util.py create mode 100644 third_party/heimdal/lib/wind/version-script.map create mode 100644 third_party/heimdal/lib/wind/wind.h create mode 100644 third_party/heimdal/lib/wind/wind_err.et create mode 100644 third_party/heimdal/lib/wind/windlocl.h create mode 100644 third_party/heimdal/packages/ChangeLog create mode 100644 third_party/heimdal/packages/Makefile.am create mode 100644 third_party/heimdal/packages/NTMakefile create mode 100644 third_party/heimdal/packages/mac/Info.plist create mode 100644 third_party/heimdal/packages/mac/Makefile.am create mode 100644 third_party/heimdal/packages/mac/Resources/Description.plist create mode 100644 third_party/heimdal/packages/mac/Resources/English.lproj/Welcome.rtf create mode 100644 third_party/heimdal/packages/mac/mac.sh create mode 100644 third_party/heimdal/packages/windows/NTMakefile create mode 100644 third_party/heimdal/packages/windows/assembly/Heimdal.Application.manifest.in create mode 100644 third_party/heimdal/packages/windows/assembly/Heimdal.Kerberos.manifest.in create mode 100644 third_party/heimdal/packages/windows/assembly/NTMakefile create mode 100644 third_party/heimdal/packages/windows/assembly/policy.Heimdal.Kerberos.in create mode 100644 third_party/heimdal/packages/windows/installer/NTMakefile create mode 100644 third_party/heimdal/packages/windows/installer/heimdal-assemblies.wxs create mode 100644 third_party/heimdal/packages/windows/installer/heimdal-command.wxs create mode 100644 third_party/heimdal/packages/windows/installer/heimdal-gss.wxs create mode 100644 third_party/heimdal/packages/windows/installer/heimdal-installer.wxs create mode 100644 third_party/heimdal/packages/windows/installer/heimdal-policy.wxs create mode 100644 
third_party/heimdal/packages/windows/installer/images/Heimdal_banner.bmp create mode 100644 third_party/heimdal/packages/windows/installer/images/Heimdal_banner.png create mode 100644 third_party/heimdal/packages/windows/installer/images/Heimdal_dialog.bmp create mode 100644 third_party/heimdal/packages/windows/installer/images/Heimdal_dialog.png create mode 100644 third_party/heimdal/packages/windows/installer/lang/en-us.wxl create mode 100644 third_party/heimdal/packages/windows/installer/lang/license-en-us.rtf create mode 100644 third_party/heimdal/packages/windows/sdk/NTMakefile create mode 100644 third_party/heimdal/po/Makefile.am create mode 100644 third_party/heimdal/po/gen-po.in create mode 100644 third_party/heimdal/po/heim_com_err-1750206208/de.po create mode 100644 third_party/heimdal/po/heim_com_err-1750206208/heim_com_err-1750206208.pot create mode 100644 third_party/heimdal/po/heim_com_err-1765328384/de.po create mode 100644 third_party/heimdal/po/heim_com_err-1765328384/heim_com_err-1765328384.pot create mode 100644 third_party/heimdal/po/heim_com_err-1765328384/sv_SE.mo create mode 100644 third_party/heimdal/po/heim_com_err-1765328384/sv_SE.po create mode 100644 third_party/heimdal/po/heim_com_err-1980176640/de.po create mode 100644 third_party/heimdal/po/heim_com_err-1980176640/heim_com_err-1980176640.pot create mode 100644 third_party/heimdal/po/heim_com_err-969269760/de.po create mode 100644 third_party/heimdal/po/heim_com_err-969269760/heim_com_err-969269760.pot create mode 100644 third_party/heimdal/po/heim_com_err1859794432/de.po create mode 100644 third_party/heimdal/po/heim_com_err1859794432/heim_com_err1859794432.pot create mode 100644 third_party/heimdal/po/heim_com_err35224064/de.po create mode 100644 third_party/heimdal/po/heim_com_err35224064/heim_com_err35224064.pot create mode 100644 third_party/heimdal/po/heim_com_err36150272/de.po create mode 100644 third_party/heimdal/po/heim_com_err36150272/heim_com_err36150272.pot create mode 
100644 third_party/heimdal/po/heim_com_err39525376/de.po create mode 100644 third_party/heimdal/po/heim_com_err39525376/heim_com_err39525376.pot create mode 100644 third_party/heimdal/po/heim_com_err43787520/de.po create mode 100644 third_party/heimdal/po/heim_com_err43787520/heim_com_err43787520.pot create mode 100644 third_party/heimdal/po/heim_com_err569856/de.po create mode 100644 third_party/heimdal/po/heim_com_err569856/heim_com_err569856.pot create mode 100644 third_party/heimdal/po/heimdal_krb5/de.po create mode 100644 third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot create mode 100644 third_party/heimdal/po/heimdal_krb5/sv_SE.mo create mode 100644 third_party/heimdal/po/heimdal_krb5/sv_SE.po create mode 100644 third_party/heimdal/po/heimdal_kuser/de.po create mode 100644 third_party/heimdal/po/heimdal_kuser/heimdal_kuser.pot create mode 100644 third_party/heimdal/po/heimdal_kuser/sv_SE.mo create mode 100644 third_party/heimdal/po/heimdal_kuser/sv_SE.po create mode 100644 third_party/heimdal/po/localefiles create mode 100755 third_party/heimdal/rebase-lorikeet.sh create mode 100644 third_party/heimdal/tests/ChangeLog create mode 100644 third_party/heimdal/tests/Makefile.am create mode 100644 third_party/heimdal/tests/NTMakefile create mode 100644 third_party/heimdal/tests/bin/Makefile.am create mode 100644 third_party/heimdal/tests/bin/intr.c create mode 100644 third_party/heimdal/tests/bin/setup-env.in create mode 100644 third_party/heimdal/tests/can/Makefile.am create mode 100644 third_party/heimdal/tests/can/NTMakefile create mode 100644 third_party/heimdal/tests/can/apple-10.4.kadm create mode 100644 third_party/heimdal/tests/can/apple-10.4.req create mode 100644 third_party/heimdal/tests/can/check-can.in create mode 100644 third_party/heimdal/tests/can/heim-0.8.kadm create mode 100644 third_party/heimdal/tests/can/heim-0.8.req create mode 100644 third_party/heimdal/tests/can/krb5.conf.in create mode 100644 
third_party/heimdal/tests/can/mit-pkinit-20070607.ca.crt create mode 100644 third_party/heimdal/tests/can/mit-pkinit-20070607.kadm create mode 100644 third_party/heimdal/tests/can/mit-pkinit-20070607.req create mode 100644 third_party/heimdal/tests/can/mit-pkinit-20070607.xf create mode 100644 third_party/heimdal/tests/can/test_can.in create mode 100644 third_party/heimdal/tests/db/Makefile.am create mode 100644 third_party/heimdal/tests/db/NTMakefile create mode 100644 third_party/heimdal/tests/db/add-modify-delete.in create mode 100644 third_party/heimdal/tests/db/check-aliases.in create mode 100644 third_party/heimdal/tests/db/check-dbinfo.in create mode 100644 third_party/heimdal/tests/db/have-db.in create mode 100644 third_party/heimdal/tests/db/krb5-mit.conf.in create mode 100644 third_party/heimdal/tests/db/krb5.conf.in create mode 100644 third_party/heimdal/tests/db/loaddump-db.in create mode 100644 third_party/heimdal/tests/db/text-dump-0.7 create mode 100644 third_party/heimdal/tests/db/text-dump-known-ext create mode 100644 third_party/heimdal/tests/db/text-dump-no-ext create mode 100644 third_party/heimdal/tests/db/text-dump-unknown-ext create mode 100644 third_party/heimdal/tests/gss/Makefile.am create mode 100644 third_party/heimdal/tests/gss/NTMakefile create mode 100644 third_party/heimdal/tests/gss/check-basic.in create mode 100644 third_party/heimdal/tests/gss/check-context.in create mode 100644 third_party/heimdal/tests/gss/check-gss.in create mode 100644 third_party/heimdal/tests/gss/check-gssmask.in create mode 100644 third_party/heimdal/tests/gss/check-negoex.in create mode 100644 third_party/heimdal/tests/gss/check-ntlm.in create mode 100644 third_party/heimdal/tests/gss/check-spnego.in create mode 100644 third_party/heimdal/tests/gss/include-krb5.conf create mode 100644 third_party/heimdal/tests/gss/krb5.conf.in create mode 100644 third_party/heimdal/tests/gss/mech.in create mode 100644 third_party/heimdal/tests/gss/new_clients_k5.conf.in 
create mode 100644 third_party/heimdal/tests/gss/ntlm-user-file.txt create mode 100644 third_party/heimdal/tests/java/KerberosInit.java create mode 100644 third_party/heimdal/tests/java/Makefile.am create mode 100644 third_party/heimdal/tests/java/NTMakefile create mode 100644 third_party/heimdal/tests/java/check-kinit.in create mode 100644 third_party/heimdal/tests/java/have-java.sh create mode 100644 third_party/heimdal/tests/java/jaas.conf create mode 100644 third_party/heimdal/tests/java/krb5.conf.in create mode 100644 third_party/heimdal/tests/kdc/Makefile.am create mode 100644 third_party/heimdal/tests/kdc/NTMakefile create mode 100644 third_party/heimdal/tests/kdc/an2ln-db.txt create mode 100644 third_party/heimdal/tests/kdc/check-authz.in create mode 100644 third_party/heimdal/tests/kdc/check-bx509.in create mode 100644 third_party/heimdal/tests/kdc/check-canon.in create mode 100644 third_party/heimdal/tests/kdc/check-cc.in create mode 100644 third_party/heimdal/tests/kdc/check-delegation.in create mode 100644 third_party/heimdal/tests/kdc/check-des.in create mode 100644 third_party/heimdal/tests/kdc/check-digest.in create mode 100644 third_party/heimdal/tests/kdc/check-fast.in create mode 100644 third_party/heimdal/tests/kdc/check-hdb-mitdb.in create mode 100644 third_party/heimdal/tests/kdc/check-httpkadmind.in create mode 100644 third_party/heimdal/tests/kdc/check-iprop.in create mode 100644 third_party/heimdal/tests/kdc/check-kadmin.in create mode 100644 third_party/heimdal/tests/kdc/check-kdc-weak.in create mode 100644 third_party/heimdal/tests/kdc/check-kdc.in create mode 100644 third_party/heimdal/tests/kdc/check-keys.in create mode 100644 third_party/heimdal/tests/kdc/check-kinit.in create mode 100644 third_party/heimdal/tests/kdc/check-kpasswdd.in create mode 100644 third_party/heimdal/tests/kdc/check-pkinit.in create mode 100644 third_party/heimdal/tests/kdc/check-referral.in create mode 100644 third_party/heimdal/tests/kdc/check-tester.in create 
mode 100644 third_party/heimdal/tests/kdc/check-uu.in create mode 100644 third_party/heimdal/tests/kdc/donotexists.txt create mode 100644 third_party/heimdal/tests/kdc/hdb-mitdb create mode 100644 third_party/heimdal/tests/kdc/hdb-mitdb.kadm5 create mode 100644 third_party/heimdal/tests/kdc/hdb-mitdb.mkey create mode 100644 third_party/heimdal/tests/kdc/heimdal.acl create mode 100644 third_party/heimdal/tests/kdc/iprop-acl create mode 100644 third_party/heimdal/tests/kdc/k5login/foo create mode 100644 third_party/heimdal/tests/kdc/k5login/mapped_user1 create mode 100644 third_party/heimdal/tests/kdc/kdc-tester1.json create mode 100644 third_party/heimdal/tests/kdc/kdc-tester2.json create mode 100644 third_party/heimdal/tests/kdc/kdc-tester3.json create mode 100644 third_party/heimdal/tests/kdc/kdc-tester4.json.in create mode 100644 third_party/heimdal/tests/kdc/krb5-authz.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5-authz2.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5-bx509.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5-canon.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5-canon2.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5-cccol.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5-hdb-mitdb.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5-httpkadmind.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5-kcm.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5-pkinit.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5.conf.in create mode 100644 third_party/heimdal/tests/kdc/krb5.conf.keys.in create mode 100644 third_party/heimdal/tests/kdc/leaks-kill.sh create mode 100644 third_party/heimdal/tests/kdc/ntlm-user-file.txt create mode 100644 third_party/heimdal/tests/kdc/pki-mapping create mode 100644 third_party/heimdal/tests/kdc/uuserver.txt create mode 100644 third_party/heimdal/tests/kdc/wait-kdc.sh create mode 100644 
third_party/heimdal/tests/ldap/Makefile.am create mode 100644 third_party/heimdal/tests/ldap/NTMakefile create mode 100644 third_party/heimdal/tests/ldap/check-ldap.in create mode 100644 third_party/heimdal/tests/ldap/init.ldif create mode 100644 third_party/heimdal/tests/ldap/krb5.conf.in create mode 100644 third_party/heimdal/tests/ldap/samba.schema create mode 100644 third_party/heimdal/tests/ldap/slapd-init.in create mode 100644 third_party/heimdal/tests/ldap/slapd-stop create mode 100644 third_party/heimdal/tests/ldap/slapd.conf create mode 100644 third_party/heimdal/tests/plugin/Makefile.am create mode 100644 third_party/heimdal/tests/plugin/NTMakefile create mode 100644 third_party/heimdal/tests/plugin/check-pac.in create mode 100644 third_party/heimdal/tests/plugin/kdc_test_plugin.c create mode 100644 third_party/heimdal/tests/plugin/krb5.conf.in create mode 100644 third_party/heimdal/tools/Makefile.am create mode 100644 third_party/heimdal/tools/NTMakefile create mode 100644 third_party/heimdal/tools/cov.sh create mode 100755 third_party/heimdal/tools/coveralls-tool create mode 100755 third_party/heimdal/tools/fixgcov-source-paths.sh create mode 100644 third_party/heimdal/tools/heimdal-gssapi.pc.in create mode 100644 third_party/heimdal/tools/heimdal-kadm-client.pc.in create mode 100644 third_party/heimdal/tools/heimdal-kadm-server.pc.in create mode 100644 third_party/heimdal/tools/heimdal-krb5.pc.in create mode 100644 third_party/heimdal/tools/kadm-client.pc.in create mode 100644 third_party/heimdal/tools/kadm-server.pc.in create mode 100644 third_party/heimdal/tools/kafs.pc.in create mode 100644 third_party/heimdal/tools/kdc-log-analyze.pl create mode 100644 third_party/heimdal/tools/krb5-config.1 create mode 100644 third_party/heimdal/tools/krb5-config.in create mode 100644 third_party/heimdal/tools/krb5-gssapi.pc.in create mode 100644 third_party/heimdal/tools/krb5.pc.in create mode 100644 third_party/heimdal/windows/NTMakefile.config create mode 
100644 third_party/heimdal/windows/NTMakefile.sdk create mode 100644 third_party/heimdal/windows/NTMakefile.version create mode 100644 third_party/heimdal/windows/NTMakefile.w32 create mode 100644 third_party/heimdal/windows/README.md create mode 100644 third_party/heimdal/windows/version.rc (limited to 'third_party/heimdal') diff --git a/third_party/heimdal/.github/ISSUE_TEMPLATE/bug_report.md b/third_party/heimdal/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..dd84ea7 --- /dev/null +++ b/third_party/heimdal/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,38 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: '' +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Desktop (please complete the following information):** + - OS: [e.g. iOS] + - Browser [e.g. chrome, safari] + - Version [e.g. 22] + +**Smartphone (please complete the following information):** + - Device: [e.g. iPhone6] + - OS: [e.g. iOS8.1] + - Browser [e.g. stock browser, safari] + - Version [e.g. 22] + +**Additional context** +Add any other context about the problem here. diff --git a/third_party/heimdal/.github/ISSUE_TEMPLATE/feature_request.md b/third_party/heimdal/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..bbcbbe7 --- /dev/null +++ b/third_party/heimdal/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: '' +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/third_party/heimdal/.github/workflows/coverity.yml b/third_party/heimdal/.github/workflows/coverity.yml new file mode 100644 index 0000000..5a175f5 --- /dev/null +++ b/third_party/heimdal/.github/workflows/coverity.yml 
@@ -0,0 +1,68 @@ +name: Linux Coverity Build + +on: + push: + # Pushes to this branch get the scan-build treatment + branches: + - 'coverity*' + +jobs: + linux: + if: secrets.COVERITY_SCAN_TOKEN != '' + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Download Coverity Build Tool + env: + TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + run: | + wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=ruby" -O cov-analysis-linux64.tar.gz + mkdir cov-analysis-linux64 + tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + ulimit -c unlimited + # We don't want to scan-build libedit nor SQLite3 because ETOOSLOW + (cd lib/libedit && make -j4) + (cd lib/sqlite && make -j4) + export PATH=`pwd`/cov-analysis-linux64/bin:$PATH + cov-build --dir cov-int make -j4 + - 
name: Submit the result to Coverity Scan + env: + TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }} + PROJECT: ${{ secrets.COVERITY_SCAN_PROJECT }} + run: | + tar czvf heimdal.tgz cov-int + curl \ + --form project=ruby \ + --form token=$TOKEN \ + --form email=$EMAIL \ + --form file=@heimdal.tgz \ + --form version=trunk \ + --form description="`./ruby -v`" "https://scan.coverity.com/builds?project=$PROJECT" diff --git a/third_party/heimdal/.github/workflows/linux.yml b/third_party/heimdal/.github/workflows/linux.yml new file mode 100644 index 0000000..48e4c80 --- /dev/null +++ b/third_party/heimdal/.github/workflows/linux.yml 
@@ -0,0 +1,146 @@ +name: Linux Build + +on: + push: + branches: + - 'master' + - 'heimdal-7-1-branch' + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/linux.yml' + - '!appveyor.yml' + - '!.travis.yml' + + pull_request: + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/linux.yml' + - '!appveyor.yml' + - '!.travis.yml' + +jobs: + unix: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang, linux-gcc] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + cflags: '' + - name: linux-gcc + os: ubuntu-18.04 + compiler: gcc + cflags: '-Wnonnull' + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex doxygen + sudo apt-get install -y libcap-ng-dev libdb-dev libedit-dev libjson-perl + sudo apt-get install -y libldap2-dev libncurses5-dev libperl4-corelibs-perl + sudo apt-get install -y libsqlite3-dev libkeyutils-dev pkg-config python + sudo apt-get install -y ss-dev texinfo unzip netbase keyutils ldap-utils + sudo apt-get install -y gdb apport curl libmicrohttpd-dev jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS 
--prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + make -j4 + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build + ulimit -c unlimited + make check + - name: Make Install + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build || true + make DESTDIR=/tmp/h5l install + cd /tmp/h5l + tar czf $HOME/heimdal-install-linux-${{ matrix.compiler }}.tgz . + - name: Core dump stacks + run: | + echo "thread apply all bt" > /tmp/x + find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done + if [ "$(find . -name core -print | wc -l)" -gt 0 ]; then false; fi + - name: Test logs + run: | + find build -depth -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-${{ matrix.compiler }}.tgz --verbatim-files-from --files-from - + find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Make Dist + run: | + cd build + make dist + make distclean + if [ "$(git ls-files -o|grep -v ^build/ | wc -l)" -ne 0 ]; then + echo "Files not removed by make distclean:" + git ls-files -o|grep -v ^build/ + fi + - name: Upload Install Tarball + uses: actions/upload-artifact@v2 + with: + name: Install Tarball + path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz' + - name: Upload Dist Tarball + uses: actions/upload-artifact@v2 + with: + name: Dist Tarball + path: 'build/heimdal-*.tar.gz' + - name: Upload Logs Tarball + uses: actions/upload-artifact@v2 + with: + name: Test Logs + path: '~/logs-linux-${{ matrix.compiler }}.tgz' 
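Review bot: in coverity.yml the "Download Coverity Build Tool" and "Submit the result to Coverity Scan" steps hard-code `project=ruby` and build the description from `./ruby -v`, which look like leftovers from another project's workflow, while the submit URL uses `$PROJECT`. Use `$PROJECT` in all three places and a description that exists in this tree. The paths also do not line up: the tool is unpacked in the checkout root, but `export PATH=`pwd`/cov-analysis-linux64/bin:$PATH` runs after `cd build`, so `cov-build` will not be found, and `tar czvf heimdal.tgz cov-int` runs from the checkout root although `cov-int` is created under `build/`. Separately, the job-level `if: secrets.COVERITY_SCAN_TOKEN != ''` should be checked against what GitHub Actions allows, since the `secrets` context is not available in `if` conditionals. The comment above `branches` still says "scan-build treatment".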
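Review bot: in linux.yml the "Core dump stacks" step writes the gdb commands to `/tmp/x` but then runs `gdb -batch -x x`, which reads `x` from the working directory, so no backtraces are printed when a core is found; use `-x /tmp/x`. In the "Build" step, `$CONFIGURE_OPTS` is passed to configure but the step's `env` sets only `CC` and `MAKEVARS`, so it is always empty; either add it to `env` or drop it. The third-party actions are referenced by mutable tag (`actions/checkout@v1`, `actions/upload-artifact@v2`); pinning them to a full commit SHA would make the build inputs reproducible. The same pinning comment applies to the other workflow files in this commit.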
diff --git a/third_party/heimdal/.github/workflows/osx.yml b/third_party/heimdal/.github/workflows/osx.yml new file mode 100644 index 0000000..342f850 --- /dev/null +++ b/third_party/heimdal/.github/workflows/osx.yml 
@@ -0,0 +1,122 @@ +name: OS X Build + +on: + push: + branches: + - 'master' + - 'osx-build' + - 'heimdal-7-1-branch' + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/osx.yml' + - '!appveyor.yml' + - '!.travis.yml' + + pull_request: + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/osx.yml' + - '!appveyor.yml' + - '!.travis.yml' + +jobs: + osx: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [osx-clang] + include: + - name: osx-clang + os: macos-latest + compiler: clang + steps: + - name: Install packages + run: | + echo "bison, flex, ncurses, texinfo, and unzip are in the base OS." + echo "berkeley-db, perl, python, curl, and jq are installed in the" + echo "base image already." 
+ brew install autoconf automake libtool cpanm + sudo cpanm install JSON + - name: Clone repository + uses: actions/checkout@v1 + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3" + ulimit -c unlimited + make -j4 + #- name: Setup upterm session + # uses: lhotari/action-upterm@v1 + # with: + # limit-access-to-actor: true + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + set -vx + sudo lsof -nP -i:49188 || true + cd build + make check + - name: Install + run: | + cd build || true + make DESTDIR=/tmp/h5l install + cd /tmp/h5l + tar czf $HOME/heimdal-install-osx.tgz . + - name: Test logs + run: | + find build -depth -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/' | cpio -o > $HOME/logs-osx.cpio + find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat + - name: Upload Install Tarball + uses: actions/upload-artifact@v2 + with: + name: Install Tarball + path: '~/heimdal-install-osx.tgz' + - name: Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Upload Test Logs + path: '~/logs-osx.cpio' diff --git a/third_party/heimdal/.github/workflows/scanbuild.yml b/third_party/heimdal/.github/workflows/scanbuild.yml new file mode 100644 index 0000000..678ccfd --- /dev/null +++ b/third_party/heimdal/.github/workflows/scanbuild.yml 
@@ -0,0 +1,67 @@ +name: Linux Static Analyzer Build + +on: + push: + # Pushes to this branch get the scan-build treatment + branches: + - 'scan-build*' + + pull_request: + # Changing this build gets it to run + paths: + - '.github/workflows/scanbuild.yml' + +jobs: + unix: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + ulimit -c unlimited + # We don't want to scan-build libedit nor SQLite3 because ETOOSLOW + (cd lib/libedit && make -j4) + (cd lib/sqlite && make -j4) + scan-build --keep-going make -j4 + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build + ulimit -c unlimited + scan-build --keep-going make check + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat + - name: 
Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Scan-Build Reports + path: '/tmp/scan-build*/' diff --git a/third_party/heimdal/.github/workflows/valgrind.yml b/third_party/heimdal/.github/workflows/valgrind.yml new file mode 100644 index 0000000..ab5e909 --- /dev/null +++ b/third_party/heimdal/.github/workflows/valgrind.yml 
@@ -0,0 +1,71 @@ +name: Linux Valgrind Tests Build + +on: + push: + # Pushes to the valgrind branch get the valgrind treatment + branches: + - 'valgrind*' + + pull_request: + # Changing this build also gets it to run + paths: + - '.github/workflows/valgrind.yml' + +jobs: + unix: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex libcap-ng-dev lmdb-utils liblmdb-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + CHECK_TESTER_NO_VALGRIND: 'no-valgrind' + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-g -ggdb3 -O0 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + make -j4 + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build + ulimit -c unlimited + make check-valgrind + - name: Valgrind output + run: | + find . 
-name \*.log -print0|xargs -0 grep '^==[0-9]*== ' || true + - name: Test logs + run: | + find build -depth -name \*.log | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-valgrind.tgz --verbatim-files-from --files-from - + find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Test Logs + path: '~/logs-linux-valgrind.tgz' diff --git a/third_party/heimdal/.github/workflows/windows.yml b/third_party/heimdal/.github/workflows/windows.yml new file mode 100644 index 0000000..f1c187c --- /dev/null +++ b/third_party/heimdal/.github/workflows/windows.yml 
@@ -0,0 +1,92 @@ +name: Windows Build + +on: + push: + branches: + - 'master' + - 'heimdal-7-1-branch' + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**.w32' + - '**/NTMakefile*' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/windows.yml' + - '!appveyor.yml' + - '!.travis.yml' + + pull_request: + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**.w32' + - '**/NTMakefile' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/windows.yml' + - '!appveyor.yml' + - '!.travis.yml' + +jobs: + windows: + runs-on: windows-latest + env: + APPVER: '10.0' + CODESIGN_PKT: 0000000000000000 + INSTALL_DIR: C:\heimdal + WINSDKVER: '10.0.22000.0' + WIXDIR: 'c:\Program Files (x86)\Windows Installer XML v3.5' + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Find MSVC and run vcvarsall.bat + uses: ilammy/msvc-dev-cmd@v1 + with: + arch: amd64 + - name: Build and Test + shell: cmd + run: | + set PATH=%PATH%;C:\msys64\usr\bin;C:\Program Files (x86)\HTML Help Workshop;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin + set CODESIGN_PKT=0000000000000000 + set dbg__type=Debug + mkdir %INSTALL_DIR% + pacman --noconfirm -S zstd + pacman --noconfirm -S autoconf + pacman --noconfirm -S automake + pacman --noconfirm -S flex + pacman --noconfirm -S bison + pacman --noconfirm -S perl + pacman --noconfirm -S perl-JSON + set PATH=%PATH%;%wix%bin + title Heimdal Build %CPU% %dbg__type% + set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop" + set "PATH=%PATH%;C:/msys64/usr/bin" + set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin" + set "PATH=%PATH%;C:\Python310-x64" + echo PATH=%PATH% + nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo 
NO_INSTALLERS=1 + nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test + - name: Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Objects + path: 'D:/a/heimdal/heimdal/out/' diff --git a/third_party/heimdal/.gitignore b/third_party/heimdal/.gitignore new file mode 100644 index 0000000..e5b5246 --- /dev/null +++ b/third_party/heimdal/.gitignore 
@@ -0,0 +1,718 @@ +# After changing this file, please run: +# +# git ls-files -i --exclude-standard +# +# to check that you haven't inadvertently ignored any tracked files. This +# command should return no output. Any files listed by it are files +# present in the repository but ignored by .gitignore. + +# General rules, with some exclusions for where they're too general. + +.DS_Store +.deps/ +.dirstamp +.libs/ +Makefile +Makefile.in +rs_state.ini +tags +!/lib/asn1/asn1_gen.c +!/lib/asn1/asn1_print.c +!/lib/krb5/asn1_glue.c +*_asn1.h +!/lib/asn1/heim_asn1.h +*_asn1-priv.h +asn1_*_asn1.c +*_asn1_files +*_asn1_oids.x +*_asn1_syms.x +*_err.[ch] +!/lib/com_err/com_err.[ch] +*-commands.[ch] +*~ +*.a +*.la +*.lo +*.o +*.log +*.trs +*.tmp + +# Top-level files. + +/.vscode +/aclocal.m4 +/autom4te.cache +/compile +/config.guess +/config.log +/config.status +/config.sub +/configure +/depcomp +/install-sh +/libtool +/ltmain.sh +/missing +/setupbuild.cmd +/stage1.diff +/stage2.diff +/test-driver +/ylwrap + +/lib/libedit/aclocal.m4 +/lib/libedit/autom4te.cache +/lib/libedit/compile +/lib/libedit/config.guess +/lib/libedit/config.h +/lib/libedit/config.log +/lib/libedit/config.status +/lib/libedit/config.sub +/lib/libedit/configure +/lib/libedit/depcomp +/lib/libedit/install-sh +/lib/libedit/libtool +/lib/libedit/ltmain.sh +/lib/libedit/missing +/lib/libedit/setupbuild.cmd +/lib/libedit/ylwrap +/lib/libedit/src/common.h +/lib/libedit/src/emacs.h +/lib/libedit/src/fcns.c +/lib/libedit/src/fcns.h +/lib/libedit/src/func.h +/lib/libedit/src/help.c +/lib/libedit/src/help.h +/lib/libedit/src/vi.h +/lib/libedit/stamp-h1 + +# Files in subdirectories. 
+ +/admin/ktutil +/appl/afsutil/afslog +/appl/afsutil/pagsh +/appl/dbutils/bsearch +/appl/gssmask/gssmaestro +/appl/gssmask/gssmask +/appl/kf/kf +/appl/kf/kfd +/appl/otp/otp +/appl/otp/otpprint +/appl/test/gssapi_client +/appl/test/gssapi_server +/appl/test/http_client +/appl/test/nt_gss_client +/appl/test/nt_gss_server +/appl/test/tcp_client +/appl/test/tcp_server +/appl/test/uu_client +/appl/test/uu_server +/cf/libtool.m4 +/cf/ltoptions.m4 +/cf/ltsugar.m4 +/cf/ltversion.m4 +/cf/lt~obsolete.m4 +/doc/Makefile.in +/doc/heimdal.info +/doc/hx509.info +/doc/gssapi +/doc/hdb +/doc/hcrypto +/doc/hx509 +/doc/krb5 +/doc/ntlm +/doc/wind +/doc/vars.texi +/doc/doxyout +/include/*.h +!/include/crypto-headers.h +!/include/heim_threads.h +/include/bits +/include/config.h.in +/include/gssapi/*.h +/include/hcrypto/*.h +/include/kadm5/*.h +/include/stamp-h1 +/include/version.h.in +/kadmin/add_random_users +/kadmin/kadmin +/kadmin/kadmind +/kadmin/test_util +/kcm/kcm +/kcm/kcm-protos.h +/kdc/digest-service +/kdc/hprop +/kdc/hpropd +/kdc/kdc +/kdc/kdc-protos.h +/kdc/kdc-private.h +/kdc/kdc-replay +/kdc/kdc-tester +/kdc/kstash +/kdc/string2key +/kdc/test_csr_authorizer +/kdc/test_kdc_ca +/kdc/test_token_validator +/kpasswd/kpasswd +/kpasswd/kpasswd-generator +/kpasswd/kpasswdd +/kuser/copy_cred_cache +/kuser/generate-requests +/kuser/heimtools +/kuser/kdecode_ticket +/kuser/kdestroy +/kuser/kdigest +/kuser/kgetcred +/kuser/kimpersonate +/kuser/kinit +/kuser/klist +/kuser/kswitch +/kuser/kverify +/lib/asn1/asn1_compile +/lib/asn1/asn1_gen +/lib/asn1/asn1_print +/lib/asn1/asn1parse.c +/lib/asn1/asn1parse.h +/lib/asn1/check-ber +/lib/asn1/check-der +/lib/asn1/check-gen +/lib/asn1/check-gen-template +/lib/asn1/check-template +/lib/asn1/check-timegm +/lib/asn1/cms_asn1.json +/lib/asn1/cms_asn1_oids.c +/lib/asn1/cms_asn1_syms.c +/lib/asn1/cms_template_asn1.json +/lib/asn1/cms_template_asn1_oids.c +/lib/asn1/cms_template_asn1_syms.c +/lib/asn1/crmf_asn1.json +/lib/asn1/crmf_asn1_oids.c 
+/lib/asn1/crmf_asn1_syms.c +/lib/asn1/crmf_template_asn1.json +/lib/asn1/crmf_template_asn1_oids.c +/lib/asn1/crmf_template_asn1_syms.c +/lib/asn1/der-private.h +/lib/asn1/der-protos.h +/lib/asn1/digest_asn1.json +/lib/asn1/digest_asn1_oids.c +/lib/asn1/digest_asn1_syms.c +/lib/asn1/digest_template_asn1.json +/lib/asn1/digest_template_asn1_oids.c +/lib/asn1/digest_template_asn1_syms.c +/lib/asn1/krb5_asn1.json +/lib/asn1/krb5_asn1_oids.c +/lib/asn1/krb5_asn1_syms.c +/lib/asn1/krb5_template_asn1.json +/lib/asn1/krb5_template_asn1_oids.c +/lib/asn1/krb5_template_asn1_syms.c +/lib/asn1/kx509_asn1.json +/lib/asn1/kx509_asn1_oids.c +/lib/asn1/kx509_asn1_syms.c +/lib/asn1/kx509_template_asn1.json +/lib/asn1/kx509_template_asn1_oids.c +/lib/asn1/kx509_template_asn1_syms.c +/lib/asn1/lex.c +/lib/asn1/ocsp_asn1.json +/lib/asn1/ocsp_asn1_oids.c +/lib/asn1/ocsp_asn1_syms.c +/lib/asn1/ocsp_template_asn1.json +/lib/asn1/ocsp_template_asn1_oids.c +/lib/asn1/ocsp_template_asn1_syms.c +/lib/asn1/pkcs10_asn1.json +/lib/asn1/pkcs10_asn1_oids.c +/lib/asn1/pkcs10_asn1_syms.c +/lib/asn1/pkcs10_template_asn1.json +/lib/asn1/pkcs10_template_asn1_oids.c +/lib/asn1/pkcs10_template_asn1_syms.c +/lib/asn1/pkcs12_asn1.json +/lib/asn1/pkcs12_asn1_oids.c +/lib/asn1/pkcs12_asn1_syms.c +/lib/asn1/pkcs12_template_asn1.json +/lib/asn1/pkcs12_template_asn1_oids.c +/lib/asn1/pkcs12_template_asn1_syms.c +/lib/asn1/pkcs8_asn1.json +/lib/asn1/pkcs8_asn1_oids.c +/lib/asn1/pkcs8_asn1_syms.c +/lib/asn1/pkcs8_template_asn1.json +/lib/asn1/pkcs8_template_asn1_oids.c +/lib/asn1/pkcs8_template_asn1_syms.c +/lib/asn1/pkcs9_asn1.json +/lib/asn1/pkcs9_asn1_oids.c +/lib/asn1/pkcs9_asn1_syms.c +/lib/asn1/pkcs9_template_asn1.json +/lib/asn1/pkcs9_template_asn1_oids.c +/lib/asn1/pkcs9_template_asn1_syms.c +/lib/asn1/pkinit_asn1.json +/lib/asn1/pkinit_asn1_oids.c +/lib/asn1/pkinit_asn1_syms.c +/lib/asn1/pkinit_template_asn1.json +/lib/asn1/pkinit_template_asn1_oids.c +/lib/asn1/pkinit_template_asn1_syms.c 
+/lib/asn1/rfc2459_asn1.json +/lib/asn1/rfc2459_asn1_oids.c +/lib/asn1/rfc2459_asn1_syms.c +/lib/asn1/rfc2459_template_asn1.json +/lib/asn1/rfc2459_template_asn1_oids.c +/lib/asn1/rfc2459_template_asn1_syms.c +/lib/asn1/rfc4108_asn1.json +/lib/asn1/rfc4108_asn1_oids.c +/lib/asn1/rfc4108_asn1_syms.c +/lib/asn1/rfc4108_template_asn1.json +/lib/asn1/rfc4108_template_asn1_oids.c +/lib/asn1/rfc4108_template_asn1_syms.c +/lib/asn1/test_asn1.json +/lib/asn1/test_asn1_oids.c +/lib/asn1/test_asn1_syms.c +/lib/asn1/test_template_asn1.json +/lib/asn1/test_template_asn1_oids.c +/lib/asn1/test_template_asn1_syms.c +/lib/asn1/x690sample_asn1.json +/lib/asn1/x690sample_asn1_oids.c +/lib/asn1/x690sample_asn1_syms.c +/lib/asn1/x690sample_template_asn1.json +/lib/asn1/x690sample_template_asn1_oids.c +/lib/asn1/x690sample_template_asn1_syms.c +/lib/auth/Makefile.in +/lib/base/base64.c +/lib/base/heimbase-protos.h +/lib/base/json-journal +/lib/base/test_base +/lib/base/test_db.json +/lib/com_err/compile_et +/lib/com_err/lex.c +/lib/com_err/parse.c +/lib/com_err/parse.h +/lib/com_err/snprintf.c +/lib/com_err/strlcpy.c +/lib/gssapi/asn1_ContextFlags.c +/lib/gssapi/asn1_GSSAPIContextToken.c +/lib/gssapi/asn1_MechType.c +/lib/gssapi/asn1_MechTypeList.c +/lib/gssapi/asn1_NegHints.c +/lib/gssapi/asn1_NegStateEnum.c +/lib/gssapi/asn1_NegTokenInit.c +/lib/gssapi/asn1_NegTokenInit2.c +/lib/gssapi/asn1_NegTokenResp.c +/lib/gssapi/asn1_NegotiationToken.c +/lib/gssapi/asn1_NegotiationToken2.c +/lib/gssapi/gss-token +/lib/gssapi/gssapi_asn1-template.c +/lib/gssapi/gssapi_asn1.json +/lib/gssapi/gssapi_asn1_oids.c +/lib/gssapi/gssapi_asn1_syms.c +/lib/gssapi/gsstool +/lib/gssapi/krb5/gsskrb5-private.h +/lib/gssapi/ntlm/ntlm-private.h +/lib/gssapi/sanon/sanon-private.h +/lib/gssapi/spnego/spnego-private.h +/lib/gssapi/spnego_asn1-template.c +/lib/gssapi/spnego_asn1.json +/lib/gssapi/spnego_asn1_oids.c +/lib/gssapi/spnego_asn1_syms.c +/lib/gssapi/test_acquire_cred +/lib/gssapi/test_add_store_cred 
+/lib/gssapi/test_cfx +/lib/gssapi/test_context +/lib/gssapi/test_cred +/lib/gssapi/test_kcred +/lib/gssapi/test_names +/lib/gssapi/test_ntlm +/lib/gssapi/test_oid +/lib/gss_preauth/gss-preauth-protos.h +/lib/gss_preauth/gss-preauth-private.h +/lib/hcrypto/crypto-test +/lib/hcrypto/crypto-test2 +/lib/hcrypto/destest +/lib/hcrypto/error +/lib/hcrypto/example_evp_cipher +/lib/hcrypto/hcrypto +/lib/hcrypto/hcrypto-link +/lib/hcrypto/mdtest +/lib/hcrypto/rc2test +/lib/hcrypto/rctest +/lib/hcrypto/test-out-1 +/lib/hcrypto/test-out-15 +/lib/hcrypto/test-out-16 +/lib/hcrypto/test-out-17 +/lib/hcrypto/test-out-31 +/lib/hcrypto/test-out-32 +/lib/hcrypto/test-out-33 +/lib/hcrypto/test_bn +/lib/hcrypto/test_bulk +/lib/hcrypto/test_cipher +/lib/hcrypto/test_crypto +/lib/hcrypto/test_dh +/lib/hcrypto/test_engine_dso +/lib/hcrypto/test_hmac +/lib/hcrypto/test-out-7 +/lib/hcrypto/test_pkcs12 +/lib/hcrypto/test_pkcs5 +/lib/hcrypto/test_rand +/lib/hcrypto/test_rsa +/lib/hcrypto/unix +/lib/hcrypto/libtommath/callgraph.txt +/lib/hdb/asn1_Event.c +/lib/hdb/asn1_GENERATION.c +/lib/hdb/asn1_HDBFlags.c +/lib/hdb/asn1_HDB_EncTypeList.c +/lib/hdb/asn1_HDB_EntryOrAlias.c +/lib/hdb/asn1_HDB_Ext_Aliases.c +/lib/hdb/asn1_HDB_Ext_Constrained_delegation_acl.c +/lib/hdb/asn1_HDB_Ext_KeyRotation.c +/lib/hdb/asn1_HDB_Ext_KeySet.c +/lib/hdb/asn1_HDB_Ext_Lan_Manager_OWF.c +/lib/hdb/asn1_HDB_Ext_PKINIT_acl.c +/lib/hdb/asn1_HDB_Ext_PKINIT_cert.c +/lib/hdb/asn1_HDB_Ext_PKINIT_hash.c +/lib/hdb/asn1_HDB_Ext_Password.c +/lib/hdb/asn1_HDB_entry.c +/lib/hdb/asn1_HDB_entry_alias.c +/lib/hdb/asn1_HDB_extension.c +/lib/hdb/asn1_HDB_extensions.c +/lib/hdb/asn1_HDB_keyset.c +/lib/hdb/asn1_Key.c +/lib/hdb/asn1_KeyRotation.c +/lib/hdb/asn1_KeyRotationFlags.c +/lib/hdb/asn1_Keys.c +/lib/hdb/asn1_Salt.c +/lib/hdb/hdb-private.h +/lib/hdb/hdb-protos.h +/lib/hdb/hdb_asn1-template.c +/lib/hdb/hdb_asn1.json +/lib/hdb/hdb_asn1_oids.c +/lib/hdb/hdb_asn1_syms.c +/lib/hdb/test_concurrency +/lib/hdb/test_dbinfo 
+/lib/hdb/test_hdbkeys +/lib/hdb/test_mkey +/lib/hdb/test_namespace +/lib/hdb/testhdb-*-shm +/lib/hdb/testhdb-*-wal +/lib/hx509/actual +/lib/hx509/PKITS_data/ +/lib/hx509/cert-ca.der +/lib/hx509/cert-ca.pem +/lib/hx509/cert-ee.pem +/lib/hx509/cert-null.pem +/lib/hx509/cert-proxy.der +/lib/hx509/cert-sub-ca.pem +/lib/hx509/cert-sub-ca2.pem +/lib/hx509/cert-sub-ee.pem +/lib/hx509/crl.crl +/lib/hx509/data/*.srl +/lib/hx509/data/*.req +/lib/hx509/data/sub-ca-combined.crt +/lib/hx509/expected +/lib/hx509/ev.data +/lib/hx509/ev.data.out +/lib/hx509/hx509-private.h +/lib/hx509/hx509-protos.h +/lib/hx509/hxtool +/lib/hx509/out.pem +/lib/hx509/out2.pem +/lib/hx509/pkcs10-request.der +/lib/hx509/random-data +/lib/hx509/request.out +/lib/hx509/sel-gram.c +/lib/hx509/sel-gram.h +/lib/hx509/sel-lex.c +/lib/hx509/sd +/lib/hx509/sd.data +/lib/hx509/sd.data.out +/lib/hx509/sd.pem +/lib/hx509/statfile +/lib/hx509/test +/lib/hx509/test-rc-file.rc +/lib/hx509/test_ca +/lib/hx509/test_cert +/lib/hx509/test_chain +/lib/hx509/test_cms +/lib/hx509/test_crypto +/lib/hx509/test_expr +/lib/hx509/test_java_pkcs11 +/lib/hx509/test_name +/lib/hx509/test_nist +/lib/hx509/test_nist2 +/lib/hx509/test_nist_cert +/lib/hx509/test_nist_pkcs12 +/lib/hx509/test_pkcs11 +/lib/hx509/test_query +/lib/hx509/test_req +/lib/hx509/test_soft_pkcs11 +/lib/hx509/test_windows +/lib/hx509/wca.pem +/lib/hx509/wcrl.crl +/lib/hx509/wdc.pem +/lib/hx509/wuser.pem +/lib/ipc/tc +/lib/ipc/ts +/lib/ipc/ts-http +/lib/kadm5/default_keys +/lib/kadm5/iprop-log +/lib/kadm5/ipropd-master +/lib/kadm5/ipropd-slave +/lib/kadm5/test_pw_quality +/lib/kadm5/kadm5-protos.h +/lib/kadm5/kadm5-private.h +/lib/kafs/resolve.c +/lib/kafs/strlcpy.c +/lib/kafs/strsep.c +/lib/kafs/strtok_r.c +/lib/krb5/aes-test +/lib/krb5/config_file.c.orig +/lib/krb5/config_file.c.rej +/lib/krb5/derived-key-test +/lib/krb5/krb5-protos.h +/lib/krb5/krb5-private.h +/lib/krb5/krbhst-test +/lib/krb5/n-fold-test +/lib/krb5/parse-name-test 
+/lib/krb5/pseudo-random-test +/lib/krb5/store-test +/lib/krb5/string-to-key-test +/lib/krb5/test_acl +/lib/krb5/test_addr +/lib/krb5/test_alname +/lib/krb5/test_ap-req +/lib/krb5/test_canon +/lib/krb5/test_cc +/lib/krb5/test_config +/lib/krb5/test_config_include.out +/lib/krb5/test_config_strings.out +/lib/krb5/test_crypto +/lib/krb5/test_crypto_wrapping +/lib/krb5/test_expand_toks +/lib/krb5/test_fx +/lib/krb5/test_hostname +/lib/krb5/test_keytab +/lib/krb5/test_mem +/lib/krb5/test_mkforwardable +/lib/krb5/test_pac +/lib/krb5/test_pkinit_dh2key +/lib/krb5/test_pknistkdf +/lib/krb5/test_plugin +/lib/krb5/test_prf +/lib/krb5/test_princ +/lib/krb5/test_set_kvno0 +/lib/krb5/test_store +/lib/krb5/test_time +/lib/krb5/test_x500 +/lib/krb5/test_forward +/lib/krb5/test_get_addrs +/lib/krb5/test_gic +/lib/krb5/test_kuserok +/lib/krb5/test_renew +/lib/krb5/test_rfc3961 +/lib/krb5/verify_krb5_conf +/lib/ntlm/heimntlm-protos.h +/lib/ntlm/test_ntlm +/lib/otp/ndbm_wrap.c +/lib/otp/ndbm_wrap.h +/lib/otp/otptest +/lib/otp/snprintf.c +/lib/otp/strcasecmp.c +/lib/otp/strlcat.c +/lib/otp/strlcpy.c +/lib/otp/strlwr.c +/lib/otp/strncasecmp.c +/lib/roken/base32-test +/lib/roken/base64-test +/lib/roken/getaddrinfo-test +/lib/roken/getifaddrs-test +/lib/roken/hex-test +/lib/roken/make-roken +/lib/roken/make-roken.c +/lib/roken/parse_bytes-test +/lib/roken/parse_reply-test +/lib/roken/parse_time-test +/lib/roken/resolve-test +/lib/roken/rkbase32 +/lib/roken/rkbase64 +/lib/roken/rkpty +/lib/roken/rkvis +/lib/roken/roken.h +/lib/roken/rtbl +/lib/roken/snprintf-test +/lib/roken/strpftime-test +/lib/roken/test-auxval +/lib/roken/test-detach +/lib/roken/test-getuserinfo +/lib/roken/test-readenv +/lib/roken/tsearch-test +/lib/roken/vis.h +/lib/sl/getprogname.c +/lib/sl/slc +/lib/sl/slc-gram.c +/lib/sl/slc-gram.h +/lib/sl/slc-lex.c +/lib/sl/snprintf.c +/lib/sl/strdup.c +/lib/sl/strtok_r.c +/lib/sl/strupr.c +/lib/sl/test_sl +/lib/wind/*.pyc +/lib/wind/bidi_table.c +/lib/wind/bidi_table.h 
+/lib/wind/combining_table.c +/lib/wind/combining_table.h +/lib/wind/errorlist_table.c +/lib/wind/errorlist_table.h +/lib/wind/idn-lookup +/lib/wind/map_table.c +/lib/wind/map_table.h +/lib/wind/normalize_table.c +/lib/wind/normalize_table.h +/lib/wind/punycode_examples.c +/lib/wind/punycode_examples.h +/lib/wind/__pycache__/ +/lib/wind/test-bidi +/lib/wind/test-ldap +/lib/wind/test-map +/lib/wind/test-normalize +/lib/wind/test-prohibited +/lib/wind/test-punycode +/lib/wind/test-rw +/lib/wind/test-utf8 +/out +/po/gen-po.sh +/scripts +/tests/bin/intr +/tests/bin/setup-env +/tests/can/check-can +/tests/can/current-db.db +/tests/can/krb5.conf +/tests/can/log +/tests/can/mit-pkinit-20070607.cf +/tests/can/test_can +/tests/db/add-modify-delete +/tests/db/check-aliases +/tests/db/check-dbinfo +/tests/db/current-db.db +/tests/db/dbinfo.out +/tests/db/have-db +/tests/db/krb5.conf +/tests/db/krb5.conf-db1 +/tests/db/krb5.conf-db3 +/tests/db/krb5.conf-lmdb +/tests/db/krb5.conf-sqlite +/tests/db/loaddump-db +/tests/db/log +/tests/db/tempfile +/tests/gss/barpassword +/tests/gss/check-basic +/tests/gss/check-context +/tests/gss/check-gss +/tests/gss/check-gssmask +/tests/gss/check-negoex +/tests/gss/check-ntlm +/tests/gss/check-spnego +/tests/gss/current-db.db +/tests/gss/foopassword +/tests/gss/krb5.conf +/tests/gss/krb5ccfile +/tests/gss/krb5ccfile-ds +/tests/gss/krb5ccfile2 +/tests/gss/mech +/tests/gss/new_clients_k5.conf +/tests/gss/server.keytab +/tests/gss/tempfile +/tests/java/check-kinit +/tests/java/krb5.conf +/tests/kdc/acache.krb5 +/tests/kdc/barpassword +/tests/kdc/bx509.pem +/tests/kdc/cache.krb5 +/tests/kdc/cc_dir/ +/tests/kdc/cdigest-reply +/tests/kdc/check-authz +/tests/kdc/check-bx509 +/tests/kdc/check-canon +/tests/kdc/check-cc +/tests/kdc/check-delegation +/tests/kdc/check-des +/tests/kdc/check-digest +/tests/kdc/check-fast +/tests/kdc/check-hdb-mitdb +/tests/kdc/check-httpkadmind +/tests/kdc/check-iprop +/tests/kdc/check-kadmin +/tests/kdc/check-kdc 
+/tests/kdc/check-kdc-weak +/tests/kdc/check-keys +/tests/kdc/check-kpasswdd +/tests/kdc/check-pkinit +/tests/kdc/check-referral +/tests/kdc/check-tester +/tests/kdc/check-uu +/tests/kdc/current-db.db +/tests/kdc/current-db.sqlite3 +/tests/kdc/current-db.sqlite3-shm +/tests/kdc/current-db.sqlite3-wal +/tests/kdc/current.log.save +/tests/kdc/email.pem +/tests/kdc/foopassword +/tests/kdc/foopassword.rkpty +/tests/kdc/icache.krb5 +/tests/kdc/iprop-stats +/tests/kdc/iprop-stats2 +/tests/kdc/iprop.keytab +/tests/kdc/ipropd.dumpfile +/tests/kdc/k.der +/tests/kdc/kdc-tester4.json +/tests/kdc/kdc.pid +/tests/kdc/krb5-authz.conf +/tests/kdc/krb5-authz2.conf +/tests/kdc/krb5-bx509.conf +/tests/kdc/krb5-canon.conf +/tests/kdc/krb5-canon2.conf +/tests/kdc/krb5-cccol.conf +/tests/kdc/krb5-hdb-mitdb.conf +/tests/kdc/krb5-httpkadmind.conf +/tests/kdc/krb5-master2.conf +/tests/kdc/krb5-pkinit-win.conf +/tests/kdc/krb5-pkinit.conf +/tests/kdc/krb5-pkinit2.conf +/tests/kdc/krb5-slave.conf +/tests/kdc/krb5-slave2.conf +/tests/kdc/krb5-weak.conf +/tests/kdc/krb5.conf +/tests/kdc/krb5.conf.keys +/tests/kdc/localname +/tests/kdc/messages.log2 +/tests/kdc/mixed-issuer.pem +/tests/kdc/notfoopassword +/tests/kdc/o2cache.krb5 +/tests/kdc/ocache.krb5 +/tests/kdc/pkinit-anchor.pem +/tests/kdc/req +/tests/kdc/s2digest-reply +/tests/kdc/sdb +/tests/kdc/sdigest-init +/tests/kdc/sdigest-reply +/tests/kdc/server-issuer.pem +/tests/kdc/server.keytab +/tests/kdc/server.pem +/tests/kdc/simple_csr_authz/ +/tests/kdc/tempfile +/tests/kdc/test-rc-file.rc +/tests/kdc/trivial.pem +/tests/kdc/user-issuer.pem +/tests/ldap/check-ldap +/tests/ldap/krb5.conf +/tests/ldap/slapd-init +/tests/plugin/cache.krb5 +/tests/plugin/check-pac +/tests/plugin/current-db.db +/tests/plugin/foopassword +/tests/plugin/krb5.conf +/tests/plugin/server.keytab +/tools/heimdal-gssapi.pc +/tools/heimdal-kadm-client.pc +/tools/heimdal-kadm-server.pc +/tools/heimdal-krb5.pc +/tools/kadm-client.pc +/tools/kadm-server.pc +/tools/kafs.pc 
+/tools/krb5-gssapi.pc +/tools/krb5.pc +/tools/krb5-config diff --git a/third_party/heimdal/.travis.yml b/third_party/heimdal/.travis.yml new file mode 100644 index 0000000..1a1f587 --- /dev/null +++ b/third_party/heimdal/.travis.yml 
@@ -0,0 +1,92 @@ +os: + - linux + - osx + +language: c + +env: + global: + secure: "YKG77M7zMvJ+IeV2ziw//HcHqMqFoAzIZlE99Yw/aOn5pvMYKq6Ep7EFVhbfDu9yN0T7M5csCGQeH7/ylDlsZSRMUw72844ezMDM8e10T/lW/T/OYN7j1ZVHh3WSJgS+1D9VG6/Y0OY1Si3lb7PcOdAIU0fPJV5xQONN2+hpJeI=" + +before_install: + - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get update -qq; fi + - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils; fi + - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq ldap-utils gdb apport; fi + - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq curl libmicrohttpd-dev; fi + - if [ $TRAVIS_OS_NAME = linux -a -n "$COVERAGE" ]; then sudo apt-get install -qq jq; fi + - if [ $TRAVIS_OS_NAME = osx ]; then HOMEBREW_NO_AUTO_UPDATE=1 brew install cpanm bison flex berkeley-db lmdb openldap openssl; fi + - if [ $TRAVIS_OS_NAME = osx ]; then sudo cpanm install JSON; fi + - if [ $TRAVIS_OS_NAME = osx -a -n "$COVERAGE" ]; then brew install jq; fi + - mkdir ci-build + - mkdir coverity-build + - ./autogen.sh + +install: + - cd ci-build + - | + if [ $TRAVIS_OS_NAME = osx ]; then + LDFLAGS="-L/usr/local/opt/berkeley-db/lib -L/usr/local/opt/lmdb/lib" \ + CFLAGS="-I/usr/local/opt/lmdb/include" \ + ../configure \ + --srcdir=`dirname "$PWD"` \ + --prefix=/tmp/heimdal \ + --enable-maintainer-mode $COVERAGE \ + --enable-static=no \ + --enable-pthread-support \ + --disable-afs-support \ + --disable-ndbm-db \ + --with-openldap=/usr/local/opt/openldap \ + --with-openssl=/usr/local/opt/openssl/ \ + --with-hcrypto-default-backend=ossl \ + --with-berkeley-db \ + --with-berkeley-db-include=/usr/local/opt/berkeley-db/include + else + # This list of -Wno-error options should be reduced over time where possible + if [ x"$TRAVIS_COMPILER" != x"clang" ]; then + 
CFLAGS="-Wno-error=empty-body -Wno-error=shadow -Wno-error=unused-value -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" ../configure --enable-developer --srcdir=`dirname "$PWD"` --enable-maintainer-mode $COVERAGE + else + CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" ../configure --enable-developer --srcdir=`dirname "$PWD"` --enable-maintainer-mode $COVERAGE + fi + fi + - ulimit -c unlimited; make -j3 + +script: + - if [ x${COVERITY_SCAN_BRANCH} != x1 ]; then ulimit -c unlimited; make check${MAKE_CHECK_SUFFIX}; fi + +after_script: + - if [ -n "$COVERAGE" ]; then ../tools/coveralls-tool -O $PWD -S ..; fi + - find . -name \*.log -print0|xargs -0 grep '^==[1-9]' + +after_failure: + - find . -name test-suite.log -print0 | xargs -0 cat + - if [ $TRAVIS_OS_NAME = linux ]; then echo "thread apply all bt" > x; find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi + - if [ $TRAVIS_OS_NAME = osx ]; then find . -name core -print | while read core; do echo bt | lldb --core "$core" `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi + +compiler: + - clang + - gcc + +matrix: + include: + - os: linux + compiler: gcc + env: COVERAGE=--enable-gcov + exclude: + - os: osx + compiler: gcc + +notifications: + email: + on_success: change + on_failure: always + +addons: + + coverity_scan: + project: + name: "heimdal/heimdal" + description: "Build submitted via Travis CI" + notification_email: heimdal-builders@secure-endpoints.com + build_command_prepend: ../configure --enable-maintainer-mode + build_command: make + branch_pattern: coverity_scan diff --git a/third_party/heimdal/CODE_OF_CONDUCT.md b/third_party/heimdal/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..06c44ad --- /dev/null 
+++ b/third_party/heimdal/CODE_OF_CONDUCT.md 
@@ -0,0 +1,76 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, sex characteristics, gender identity and expression, +level of experience, education, socio-economic status, nationality, personal +appearance, race, religion, or sexual identity and orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or + advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. 
+ +## Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at abuse@heimdal.team. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see +https://www.contributor-covenant.org/faq diff --git a/third_party/heimdal/ChangeLog b/third_party/heimdal/ChangeLog new file mode 100644 index 0000000..125740d --- /dev/null +++ b/third_party/heimdal/ChangeLog 
@@ -0,0 +1,485 @@ + +We stop writing change logs, see the source code version control systems history log instead + +2008-07-28 Love Hornquist Astrand + + * lib/krb5/v4_glue.c: The "kaserver" part of Heimdal occasionally + issues invalid AFS tokens + (here "occasionally" means for certain users in certain realms). + + In lib/krb5/v4_glue.c, in the routine storage_to_etext the ticket + is padded to a multiple of 8 bytes. If it is already a multiple of + 8 bytes, 8 additional 0-bytes are added. + + This catches the AFS krb4 ticket decoder by surprise: unless the + ticket is exactly 56 bytes, it only supports the minimum necessary + padding. It detects the superfluous padding by comparing the + ticket length decoded to the advertised ticket length. + + Hence a 7-letter userid in "cern.ch" which resulted in a ticket of + 40 bytes, got "padded" to 48 bytes which the rxkad decoder + rejected. + + From Rainer Toebbicke. + +2008-07-25 Love Hörnquist Åstrand + + * kuser/kinit.c: add --ok-as-delegate and --windows flags + + * kpasswd/kpasswd-generator.c: Switch to krb5_set_password. + + * kuser/kinit.c: Use krb5_cc_set_config. + + * lib/krb5/cache.c: Add krb5_cc_[gs]et_config. + +2008-07-22 Love Hörnquist Åstrand + + * lib/krb5/crypto.c: Allow numbers to be enctypes to as long as + they are valid. + +2008-07-17 Love Hörnquist Åstrand + + * lib/hdb/version-script.map: some random bits needed for libkadm + +2008-07-15 Love Hörnquist Åstrand + + * lib/krb5/send_to_kdc_plugin.h: add name for send_to_kdc plugin. + + * lib/krb5/krbhst.c: handle KRB5_PLUGIN_NO_HANDLE for lookup + plugin. + + * lib/krb5/send_to_kdc.c: Add support for the send_to_kdc plugin + interface. 
+ + * lib/krb5/Makefile.am: add send_to_kdc_plugin.h + + * lib/krb5/krb5_err.et: add plugin error codes + +2008-07-14 Love Hornquist Astrand + + * lib/hdb/Makefile.am: EXTRA_DIST += version-script.map + +2008-07-14 Love Hornquist Astrand + + * lib/krb5/krb5_{address,ccache}.3: spelling, from openbsd via janne + johansson + +2008-07-13 Love Hörnquist Åstrand + + * lib/krb5/version-script.map: add krb5_free_error_message + +2008-06-21 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c: switch to krb5_set_password(). + +2008-06-18 Love Hörnquist Åstrand + + * lib/krb5/time.c (krb5_set_real_time): handle negative usec + +2008-05-31 Love Hörnquist Åstrand + + * lib/krb5/krb5_locl.h: Add + + * lib/krb5/crypto.c: Use wind_utf8ucs2_length to convert the password to utf16. + +2008-05-30 Love Hörnquist Åstrand + + * lib/krb5/kcm.c: Add back krb5_kcmcache argument to try_door(). + +2008-05-27 Love Hörnquist Åstrand + + * lib/krb5/error_string.c (krb5_free_error_message): constify + + * lib/krb5/error_string.c: Add krb5_get_error_message(). + + * lib/krb5/doxygen.c: krb5_cc_new_unique() is name of the creation + function. + +2008-04-30 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: Use the _ext api for OpenLDAP, from Honza + Machacek (gentoo). + +2008-04-28 Love Hörnquist Åstrand + + * lib/krb5/crypto.c: Use DES_set_key_unchecked(). + + * lib/krb5/krb5.conf.5: Document default_cc_type. + + * lib/krb5/cache.c: Pick up [libdefaults]default_cc_type + +2008-04-27 Love Hörnquist Åstrand + + * kdc/kaserver.c: Use DES_set_key_unchecked(). + +2008-04-21 Love Hörnquist Åstrand + + * doc/hx509.texi: About the pkcs11 module. + + * doc/hx509.texi: Pick up version from vars.texi + + * doc/hx509.texi: No MIT code in hx509. + + * hx509 now includes a pkcs11 implementation. + +2008-04-20 Love Hörnquist Åstrand + + * lib/hdb/Makefile.am: Move OpenLDAP includes to AM_CPPFLAGS to + avoid dropping other defines for the library. 
+ +2008-04-17 Love Hörnquist Åstrand + + * lib/krb5: add __declspec() for windows. + + * configure.in: Update rk_WIN32_EXPORT, add gssapi to + rk_WIN32_EXPORT. + + * configure.in: Lets try dependency tracking for automake 1.10 and + later. + + * configure.in: Use at least libtool-2.2. + + * configure.in: Use LT_INIT the right way. + + * lib/krb5/Makefile.am: Update make-proto usage. + + * configure.in: Run autoupdate, use LT_INIT(). + +2008-04-15 Love Hörnquist Åstrand + + * lib/krb5/test_forward.c: Don't print krb5_error_code since we + are using krb5_err(). + + * lib/krb5/ticket.c: Cast krb5_error_code to int to avoid warning. + + * lib/krb5/scache.c: Cast krb5_error_code to int to avoid warning. + + * lib/krb5/principal.c: Cast enum to int to avoid warning. + + * lib/krb5/pkinit.c: Cast krb5_error_code to int to avoid warning. + + * lib/krb5/pac.c: Cast size_t to unsigned long to avoid warning. + + * lib/krb5/error_string.c: Cast krb5_error_code to int to avoid + warning. + + * lib/krb5/keytab_keyfile.c: Make num_entries an uint32 to avoid + negative numbers and type warnings. + + * lib/krb5: cc_get_version returns an int, update. + +2008-04-10 Love Hörnquist Åstrand + + * configure.in: Check for . + +2008-04-09 Love Hörnquist Åstrand + + * lib/krb5/version-script.map: sort and export _krb5_pk_kdf + + * lib/krb5/crypto.c: Check kdf params. calculate the second half + of the key. + + * lib/krb5/Makefile.am: Add test_pknistkdf + + * lib/krb5/test_pknistkdf.c: Test the new pkinit nist kdf. + + * lib/krb5/crypto.c: Complete _krb5_pk_kdf. + + * lib/krb5/crypto.c: First version of KDF in + draft-ietf-krb-wg-pkinit-alg-agility-03.txt. + +2008-04-08 Love Hörnquist Åstrand + + * doc/setup.texi: Add text about smbk5pwd overlay from Buchan + Milne. + + * lib/krb5/krb5_locl.h: Name the pkinit type enum. + + * kdc/pkinit.c: Rename constants to match global header. + + * lib/krb5/pkinit.c: Drop krb5_pk_identity and rename constants to + match global header. 
+ + * kdc/pkinit.c: Pick up krb5_pk_identity from krb5_locl.h. + + * lib/krb5/scache.c (scc_alloc): %x is unsigned int. + +2008-04-07 Love Hörnquist Åstrand + + * lib/krb5/version-script.map: Sort and add krb5_cc_switch. + + * lib/krb5/acache.c: Use unsigned where appropriate. + + * kcm/glue.c: Adapt to chenge to krb5_cc_ops. + + * kcm/acl.c: Add missing op. + + * kdc/connect.c: Use unsigned where appropriate. + + * lib/krb5/n-fold.c: Use size_t where appropriate. + + * lib/krb5/get_addrs.c: Use unsigned where appropriate. + + * lib/krb5/crypto.c: Use unsigned where appropriate. + + * lib/krb5/crc.c: Use unsigned where appropriate. + + * lib/krb5/changepw.c: simplify + + * lib/krb5/copy_host_realm.c: simplify + + * kuser/kswitch.c: Implement --principal. + +2008-04-05 Love Hörnquist Åstrand + + * lib/krb5/cache.c: allow returning the default cc-type. + + * kuser/kswitch.c: Enable switching between existing caches. + + * lib/krb5/cache.c: Add krb5_cc_switch, to set the default + credential cache. + + * lib/krb5/acache.c: Implement set_default. + + * lib/krb5/krb5.h: Extend krb5_cc_ops and add set_default to set + the default cc name for a credential type. + +2008-04-04 Love Hörnquist Åstrand + + * lib/krb5/test_cc.c: test remove + + * lib/krb5/fcache.c: Make the remove cred slight more atomic, now + it might lose creds, but there will be no empty cache at any time. + + * lib/krb5/scache.c: Do credential iteration by temporary table. + +2008-04-02 Love Hörnquist Åstrand + + * lib/krb5/acache.c: Translate ccErrInvalidCCache. + + * lib/krb5/scache.c: implemetation of a sqlite3 backed credential + cache. + + * lib/krb5/test_cc.c: test acc and scc + + * lib/krb5/acache.c: Only release context if its in use. + +2008-04-01 Love Hörnquist Åstrand + + * doc/setup.texi: No patching of OpenLDAP is needed, from Buchan + Milne. + +2008-03-30 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: Add scache. 
+ + * lib/krb5/scache.c: initial implementation + + * lib/Makefile.am: sqlite + + * configure.in: lib/sqlite/Makefile + +2008-03-26 Love Hörnquist Åstrand + + * lib/krb5/fcache.c: Make the storing credential an atomic + write(2) to avoid signal races, bug traced by Harald Barth and Lars + Malinowsky. + +2008-03-25 Love Hörnquist Åstrand + + * lib/krb5/fcache.c: Make erase_file() do locking too. + + * kcm/protocol.c: Make work when moving to a non-existant + cred-cache. + + * lib/krb5/test_cc.c: more verbose info. + + * lib/krb5/test_cc.c: test krb5_cc_move(). + +2008-03-23 Love Hörnquist Åstrand + + * lib/krb5/get_cred.c: Try both kdc server referral and the old + client chasing mode. + + * lib/krb5/get_cred.c: Don't do canonicalize by default, make + add_cred() sane, make loop detection in credential fetching + better. + + * lib/krb5/krb5_locl.h: Add flag EXTRACT_TICKET_AS_REQ. + + * lib/krb5/init_creds_pw.c: Tell _krb5_extract_ticket that this is + an AS-REQ. + + * lib/krb5/get_in_tkt.c: Make server referral work. + +2008-03-22 Love Hörnquist Åstrand + + * lib/krb5/get_in_tkt.c: check no server referral, don't use + stringent length tests since encryption layer does padding for + us... + + * kdc/kerberos5.c: Match name in ClientCanonicalizedNames with -10 + + * lib/krb5/principal.c (_krb5_principal_compare_PrincipalName): + new function to compare a principal to a PrincipalName. + + * lib/krb5/init_creds_pw.c: Move client referral checking to + _krb5_extract_ticket(). + + * lib/krb5/get_in_tkt.c: More bits for server referral. + + * lib/krb5/get_in_tkt.c: Make working with client referrals. + + * lib/krb5/get_cred.c: Try moving referrals checking into + _krb5_extract_ticket(). + + * lib/krb5/get_in_tkt.c: Try moving referrals checking into + _krb5_extract_ticket(). + +2008-03-21 Love Hörnquist Åstrand + + * kdc/krb5tgs.c: Send SERVER-REFERRAL data in rep.padata instead + of auth_data in ticket. 
+ +2008-03-20 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c: remove lost bits from using + krb5_principal_set_realm + + * kdc/krb5tgs.c: Better referrals support, use canonicalize flag. + + * kdc/hprop.c: use krb5_principal_set_realm + + * lib/krb5/init_creds_pw.c: use krb5_principal_set_realm + + * lib/krb5/verify_user.c: use krb5_principal_set_realm + + * lib/krb5/version-script.map: add krb5_principal_set_realm + + * lib/krb5/principal.c: add krb5_principal_set_realm + + * lib/krb5/get_cred.c: Insecure tgs referrals. + + * lib/krb5/get_cred.c: Dont try key usage KRB5_KU_AP_REQ_AUTH for + TGS-REQ. This drop compatibility with pre 0.3d KDCs. + + * lib/krb5/get_cred.c: catch KRB5_GC_CANONICALIZE. + + * lib/krb5/krb5.h: set KRB5_GC_CANONICALIZE. + + * kuser/kgetcred.c: set KRB5_GC_CANONICALIZE. + + * kuser/kgetcred.c: Add stub --canonicalize implementation. + +2008-03-19 Love Hörnquist Åstrand + + * doc/setup.texi: Fix sasl-regexp, from Howard Chu. + +2008-03-14 Love Hörnquist Åstrand + + * kdc/kx509.c: Adapt to hx509_env changes. + +2008-03-10 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Try searchin the key by to use by first + looking for for PK-INIT EKU, then the Microsoft smart card EKU and + last, no special EKU at all. + +2008-03-09 Love Hörnquist Åstrand + + * lib/krb5/acache.c: Create a new credential cache is ->get_name + is called, make acc_initialize() reset the existing credential + cache if needed. + + * lib/krb5/acache.c (acc_get_name): just return the cache_name + directly instead of trying to resolve it. + +2008-02-23 Love Hörnquist Åstrand + + * include/Makefile.am (CLEANFILES): add wind.h and wind_err.h and + sort. + +2008-02-11 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: Use malloc() instead of static buffer. + + * lib/hdb/hdb-ldap.c: Use ldap_get_values_len, from LaMont Jones + via Brian May and Debian. 
+ + * doc/Makefile.am: add libwind + +2008-02-05 Love Hörnquist Åstrand + + * lib/krb5/test_renew.c: Remove extra ;, From Dennis Davis. + + * lib/krb5/store_emem.c: Make compile on-pre c99 compilers. From + Dennis Davis. + +2008-02-03 Love Hörnquist Åstrand + + * tools/heimdal-gssapi.pc.in: Add wind. + + * tools/krb5-config.in: Add wind. + + * lib/krb5/pac.c: Use libwind. + +2008-02-01 Love Hörnquist Åstrand + + * lib/Makefile.am: SUBDIRS: add wind + +2008-01-29 Love Hörnquist Åstrand + + * doc/programming.texi: See the Kerberos 5 API introduction and + documentation on the Heimdal webpage. + +2008-01-27 Love Hörnquist Åstrand + + * lib/krb5: better error strings for the keytab fetching functions + + * lib/krb5/verify_krb5_conf.c: Catch deprecated entries. + + * lib/krb5/get_cred.c: Remove support + for [libdefaults]capath (not [libdefaults] capaths though). + +2008-01-25 Love Hörnquist Åstrand + + * tools/heimdal-gssapi.pc.in: Fix caps of prefix, from Joakim + Fallsjo. + +2008-01-24 Love Hörnquist Åstrand + + * lib/krb5/fcache.c (fcc_move): more explict why the fcc_move + failes, handle cross device moves. + +2008-01-21 Love Hörnquist Åstrand + + * lib/krb5/get_for_creds.c: Use on variable less. + + * lib/krb5/get_for_creds.c: Try to handle ticket full and + ticketless tickets better. Add doxygen comments while here. + + * lib/krb5/test_forward.c: Used for testing + krb5_get_forwarded_creds(). + + * lib/krb5/Makefile.am: noinst_PROGRAMS += test_forward + + * lib/krb5/Makefile.am: drop CHECK_SYMBOLS + + * lib/hdb/Makefile.am: drop CHECK_SYMBOLS + + * kdc/Makefile.am: drop CHECK_SYMBOLS + +2008-01-18 Love Hörnquist Åstrand + + * lib/krb5/version-script.map: Add krb5_digest_probe. + +2008-01-13 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Replace hx509_name_to_der_name with + hx509_name_binary. + +2008-01-12 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: add missing files + + * Happy new year. 
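Review bot: The `secure:` value under `env: global:` and the `coverity_scan` addon in the third_party/heimdal/.travis.yml hunk earlier in this patch are upstream's CI settings, imported verbatim into the vendored tree. A Travis `secure:` blob is encrypted to the upstream repository's key, so in this tree it is inert, and the addon still names upstream's project (`name: "heimdal/heimdal"`) and `notification_email: heimdal-builders@secure-endpoints.com`. Suggest either excluding the upstream CI files from the import or noting in the import documentation that they are not used here, so that a later audit does not have to re-establish that. Two smaller points in the same hunk, for upstream: `sudo cpanm install JSON` passes `install` as a module name, because cpanm takes module names directly, so `sudo cpanm JSON` is what is meant. Also, the log scan `find . -name \*.log -print0|xargs -0 grep '^==[1-9]'` sits in `after_script`, where its exit status does not change the build result, so whatever it matches is printed but never fails the job; moving it into `script` with an inverted test would make it enforce.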
diff --git a/third_party/heimdal/ChangeLog.1998 b/third_party/heimdal/ChangeLog.1998 new file mode 100644 index 0000000..f26dba7 --- /dev/null +++ b/third_party/heimdal/ChangeLog.1998 
@@ -0,0 +1,3201 @@ +Sat Dec 5 19:49:34 1998 Johan Danielsson + + * lib/krb5/context.c: remove ktype_is_etype + + * lib/krb5/crypto.c, lib/krb5/krb5.h, acconfig.h: NEW_DES3_CODE + + * configure.in: fix for AIX install; better tests for AIX dynamic + AFS libs; `--enable-new-des3-code' + +Tue Dec 1 14:44:44 1998 Johan Danielsson + + * appl/afsutil/Makefile.am: link with extra libs for aix + + * kuser/Makefile.am: link with extra libs for aix + +Sun Nov 29 01:56:21 1998 Assar Westerlund + + * lib/krb5/get_addrs.c (krb5_get_all_server_addrs): add. almost + the same as krb5_get_all_client_addrs except that it includes + loopback addresses + + * kdc/connect.c (init_socket): bind to a particular address + (init_sockets): get all local addresses and bind to them all + + * lib/krb5/addr_families.c (addr2sockaddr, print_addr): new + methods + (find_af, find_atype): new functions. use them. + + * configure.in: add hesiod + +Wed Nov 25 11:37:48 1998 Johan Danielsson + + * lib/krb5/krb5_err.et: add some codes from kerberos-revisions-03 + +Mon Nov 23 12:53:48 1998 Assar Westerlund + + * lib/kadm5/log.c: rename delete -> remove + + * lib/kadm5/delete_s.c: rename delete -> remove + + * lib/hdb/common.c: rename delete -> remove + +Sun Nov 22 12:26:26 1998 Assar Westerlund + + * configure.in: check for environ and `struct spwd' + +Sun Nov 22 11:42:45 1998 Johan Danielsson + + * kdc/kerberos5.c (as_rep): set keytype to sess_ktype if + ktype_is_etype + + * lib/krb5/encrypt.c (krb5_keytype_to_etypes): zero terminate + etypes + (em): sort entries + +Sun Nov 22 06:54:48 1998 Assar Westerlund + + * lib/krb5/init_creds_pw.c: more type correctness + + * lib/krb5/get_cred.c: re-structure code. remove limits on ASN1 + generated bits. 
+ +Sun Nov 22 01:49:50 1998 Johan Danielsson + + * kdc/hprop.c (v4_prop): fix bogus indexing + +Sat Nov 21 21:39:20 1998 Assar Westerlund + + * lib/krb5/verify_init.c (fail_verify_is_ok): new function + (krb5_verify_init_creds): if we cannot get a ticket for + host/`hostname` and fail_verify_is_ok just return. use + krb5_rd_req + +Sat Nov 21 23:12:27 1998 Assar Westerlund + + * lib/krb5/free.c (krb5_xfree): new function + + * lib/krb5/creds.c (krb5_free_creds_contents): new function + + * lib/krb5/context.c: more type correctness + + * lib/krb5/checksum.c: more type correctness + + * lib/krb5/auth_context.c (krb5_auth_con_init): more type + correctness + + * lib/asn1/der_get.c (der_get_length): fix test of len + (der_get_tag): more type correctness + + * kuser/klist.c (usage): void-ize + + * admin/ktutil.c (kt_remove): some more type correctness. + +Sat Nov 21 16:49:20 1998 Johan Danielsson + + * kuser/klist.c: try to list enctypes as keytypes + + * kuser/kinit.c: remove extra `--cache' option, add `--enctypes' + to set list of enctypes to use + + * kadmin/load.c: load strings as hex + + * kadmin/dump.c: dump hex as string is possible + + * admin/ktutil.c: use print_version() + + * configure.in, acconfig.h: test for hesiod + +Sun Nov 15 17:28:19 1998 Johan Danielsson + + * lib/krb5/crypto.c: add some crypto debug code + + * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): don't use fixed + buffer when encoding ticket + + * lib/krb5/auth_context.c (re-)implement `krb5_auth_setenctype' + + * kdc/kerberos5.c: allow mis-match of tgt session key, and service + session key + + * admin/ktutil.c: keytype -> enctype + +Fri Nov 13 05:35:48 1998 Assar Westerlund + + * lib/krb5/krb5.h (KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE): added + +Sat Nov 7 19:56:31 1998 Assar Westerlund + + * lib/krb5/get_cred.c (add_cred): add termination NULL pointer + +Mon Nov 2 01:15:06 1998 Assar Westerlund + + * lib/krb5/rd_req.c: adapt to new crypto api + + * lib/krb5/rd_rep.c: adapt to new crypto api + + 
* lib/krb5/rd_priv.c: adopt to new crypto api + + * lib/krb5/rd_cred.c: adopt to new crypto api + + * lib/krb5/principal.c: ENOMEM -> ERANGE + + * lib/krb5/mk_safe.c: cleanup and adopt to new crypto api + + * lib/krb5/mk_req_ext.c: adopt to new crypto api + + * lib/krb5/mk_req.c: get enctype from auth_context keyblock + + * lib/krb5/mk_rep.c: cleanup and adopt to new crypto api + + * lib/krb5/mk_priv.c: adopt to new crypto api + + * lib/krb5/keytab.c: adopt to new crypto api + + * lib/krb5/get_in_tkt_with_skey.c: adopt to new crypto api + + * lib/krb5/get_in_tkt_with_keytab.c: adopt to new crypto api + + * lib/krb5/get_in_tkt_pw.c: adopt to new crypto api + + * lib/krb5/get_in_tkt.c: adopt to new crypto api + + * lib/krb5/get_cred.c: adopt to new crypto api + + * lib/krb5/generate_subkey.c: use new crypto api + + * lib/krb5/context.c: rename etype functions to enctype ditto + + * lib/krb5/build_auth.c: use new crypto api + + * lib/krb5/auth_context.c: remove enctype and cksumtype from + auth_context + +Mon Nov 2 01:15:06 1998 Assar Westerlund + + * kdc/connect.c (handle_udp, handle_tcp): correct type of `n' + +Tue Sep 15 18:41:38 1998 Johan Danielsson + + * admin/ktutil.c: fix printing of unrecognized keytypes + +Tue Sep 15 17:02:33 1998 Johan Danielsson + + * lib/kadm5/set_keys.c: add KEYTYPE_USE_AFS3_SALT to keytype if + using AFS3 salt + +Tue Aug 25 23:30:52 1998 Assar Westerlund + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): care about + `use_admin_kdc' + + * lib/krb5/changepw.c (get_kdc_address): use + krb5_get_krb_admin_hst + + * lib/krb5/krbhst.c (krb5_get_krb_admin_hst): new function + + * lib/krb5/krb5.h (krb5_context_data): add `use_admin_kdc' + + * lib/krb5/context.c (krb5_get_use_admin_kdc, + krb5_set_use_admin_kdc): new functions + +Tue Aug 18 22:24:12 1998 Johan Danielsson + + * lib/krb5/crypto.c: remove all calls to abort(); check return + value from _key_schedule; + (RSA_MD[45]_DES_verify): zero tmp and res; + (RSA_MD5_DES3_{verify,checksum}): 
implement + +Mon Aug 17 20:18:46 1998 Assar Westerlund + + * kdc/kerberos4.c (swap32): conditionalize + + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): new function + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): if the hostname + returned from gethostby*() isn't a FQDN, try with the original + hostname + + * lib/krb5/get_cred.c (make_pa_tgs_req): use krb5_mk_req_internal + and correct key usage + + * lib/krb5/crypto.c (verify_checksum): make static + + * admin/ktutil.c (kt_list): use krb5_enctype_to_string + +Sun Aug 16 20:57:56 1998 Assar Westerlund + + * kadmin/cpw.c (do_cpw_entry): use asprintf for the prompt + + * kadmin/ank.c (ank): print principal name in prompt + + * lib/krb5/crypto.c (hmac): always allocate space for checksum. + never trust c.checksum.length + (_get_derived_key): try to return the derived key + +Sun Aug 16 19:48:42 1998 Johan Danielsson + + * lib/krb5/crypto.c (hmac): fix some peculiarities and bugs + (get_checksum_key): assume usage is `formatted' + (create_checksum,verify_checksum): moved the guts of the krb5_* + functions here, both take `formatted' key-usages + (encrypt_internal_derived): fix various bogosities + (derive_key): drop key_type parameter (already given by the + encryption_type) + + * kdc/kerberos5.c (check_flags): handle case where client is NULL + + * kdc/connect.c (process_request): return zero after processing + kerberos 4 request + +Sun Aug 16 18:38:15 1998 Johan Danielsson + + * lib/krb5/crypto.c: merge x-*.[ch] into one file + + * lib/krb5/cache.c: remove residual from krb5_ccache_data + +Fri Aug 14 16:28:23 1998 Johan Danielsson + + * lib/krb5/x-crypto.c (derive_key): move DES3 specific code to + separate function (will eventually end up someplace else) + + * lib/krb5/x-crypto.c (krb5_string_to_key_derived): allocate key + + * configure.in, acconfig.h: test for four valued krb_put_int + +Thu Aug 13 23:46:29 1998 Assar Westerlund + + * Release 0.0t + +Thu Aug 13 22:40:17 1998 Assar Westerlund + + * 
lib/krb5/config_file.c (parse_binding): remove trailing + whitespace + +Wed Aug 12 20:15:11 1998 Johan Danielsson + + * lib/krb5/x-checksum.c (krb5_verify_checksum): pass checksum type + to krb5_create_checksum + + * lib/krb5/x-key.c: implement DES3_string_to_key_derived; fix a + few typos + +Wed Aug 5 12:39:54 1998 Assar Westerlund + + * Release 0.0s + +Thu Jul 30 23:12:17 1998 Assar Westerlund + + * lib/krb5/mk_error.c (krb5_mk_error): realloc until you die + +Thu Jul 23 19:49:03 1998 Johan Danielsson + + * kdc/kdc_locl.h: proto for `get_des_key' + + * configure.in: test for four valued el_init + + * kuser/klist.c: keytype -> enctype + + * kpasswd/kpasswdd.c (change): use new `krb5_string_to_key*' + + * kdc/hprop.c (v4_prop, ka_convert): convert to a set of keys + + * kdc/kaserver.c: use `get_des_key' + + * kdc/524.c: use new crypto api + + * kdc/kerberos4.c: use new crypto api + + * kdc/kerberos5.c: always treat keytypes as enctypes; use new + crypto api + + * kdc/kstash.c: adapt to new crypto api + + * kdc/string2key.c: adapt to new crypto api + + * admin/srvconvert.c: add keys for all possible enctypes + + * admin/ktutil.c: keytype -> enctype + + * lib/gssapi/init_sec_context.c: get enctype from auth_context + keyblock + + * lib/hdb/hdb.c: remove hdb_*_keytype2key + + * lib/kadm5/set_keys.c: adapt to new crypto api + + * lib/kadm5/rename_s.c: adapt to new crypto api + + * lib/kadm5/get_s.c: adapt to new crypto api + + * lib/kadm5/create_s.c: add keys for des-cbc-crc, des-cbc-md4, + des-cbc-md5, and des3-cbc-sha1 + + * lib/krb5/heim_err.et: error message for unsupported salt + + * lib/krb5/codec.c: short-circuit these functions, since they are + not needed any more + + * lib/krb5/rd_safe.c: cleanup and adapt to new crypto api + +Mon Jul 13 23:00:59 1998 Assar Westerlund + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): don't advance + hostent->h_addr_list, use a copy instead + +Mon Jul 13 15:00:31 1998 Johan Danielsson + + * lib/krb5/config_file.c (parse_binding, 
parse_section): make sure + everything is ok before adding to linked list + + * lib/krb5/config_file.c: skip ws before checking for comment + +Wed Jul 8 10:45:45 1998 Johan Danielsson + + * lib/asn1/k5.asn1: hmac-sha1-des3 = 12 + +Tue Jun 30 18:08:05 1998 Assar Westerlund + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): do not close the + unopened file + + * lib/krb5/mk_priv.c: realloc correctly + + * lib/krb5/get_addrs.c (find_all_addresses): init j + + * lib/krb5/context.c (krb5_init_context): print error if parsing + of config file produced an error. + + * lib/krb5/config_file.c (parse_list, krb5_config_parse_file): + ignore more spaces + + * lib/krb5/codec.c (krb5_encode_EncKrbCredPart, + krb5_encode_ETYPE_INFO): initialize `ret' + + * lib/krb5/build_auth.c (krb5_build_authenticator): realloc + correctly + + * lib/kadm5/set_keys.c (_kadm5_set_keys): initialize `ret' + + * lib/kadm5/init_c.c (get_cred_cache): try to do the right thing + with default_client + + * kuser/kinit.c (main): initialize `ticket_life' + + * kdc/kerberos5.c (get_pa_etype_info): initialize `ret' + (tgs_rep2): initialize `krbtgt' + + * kdc/connect.c (do_request): check for errors from `sendto' + + * kdc/524.c (do_524): initialize `ret' + + * kadmin/util.c (foreach_principal): don't clobber `ret' + + * kadmin/del.c (del_entry): don't apply on zeroth argument + + * kadmin/cpw.c (do_cpw_entry): initialize `ret' + +Sat Jun 13 04:14:01 1998 Assar Westerlund + + * Release 0.0r + +Sun Jun 7 04:13:14 1998 Assar Westerlund + + * lib/krb5/addr_families.c: fall-back definition of + IN6_ADDR_V6_TO_V4 + + * configure.in: only set CFLAGS if it wasn't set look for + dn_expand and res_search + +Mon Jun 1 21:28:07 1998 Assar Westerlund + + * configure.in: remove duplicate seteuid + +Sat May 30 00:19:51 1998 Johan Danielsson + + * lib/krb5/convert_creds.c: import _krb_time_to_life, to avoid + runtime dependencies on libkrb with some shared library + implementations + +Fri May 29 00:09:02 1998 Johan Danielsson 
+ + * kuser/kinit_options.c: Default options for kinit. + + * kuser/kauth_options.c: Default options for kauth. + + * kuser/kinit.c: Implement lots a new options. + + * kdc/kerberos5.c (check_tgs_flags): make sure kdc-req-body->rtime + is not NULL; set endtime to min of new starttime + old_life, and + requested endtime + + * lib/krb5/init_creds_pw.c (get_init_creds_common): if the + forwardable or proxiable flags are set in options, set the + kdc-flags to the value specified, and not always to one + +Thu May 28 21:28:06 1998 Johan Danielsson + + * kdc/kerberos5.c: Optionally compare client address to addresses + in ticket. + + * kdc/connect.c: Pass client address to as_rep() and tgs_rep(). + + * kdc/config.c: Add check_ticket_addresses, and + allow_null_ticket_addresses variables. + +Tue May 26 14:03:42 1998 Johan Danielsson + + * lib/kadm5/create_s.c: possibly make DES keys version 4 salted + + * lib/kadm5/set_keys.c: check config file for kadmin/use_v4_salt + before zapping version 4 salts + +Sun May 24 05:22:17 1998 Assar Westerlund + + * Release 0.0q + + * lib/krb5/aname_to_localname.c: new file + + * lib/gssapi/init_sec_context.c (repl_mutual): no output token + + * lib/gssapi/display_name.c (gss_display_name): zero terminate + output. + +Sat May 23 19:11:07 1998 Assar Westerlund + + * lib/gssapi/display_status.c: new file + + * Makefile.am: send -I to aclocal + + * configure.in: remove duplicate setenv + +Sat May 23 04:55:19 1998 Johan Danielsson + + * kadmin/util.c (foreach_principal): Check for expression before + wading through the whole database. + + * kadmin/kadmin.c: Pass NULL password to + kadm5_*_init_with_password. + + * lib/kadm5/init_c.c: Implement init_with_{skey,creds}*. Make use + of `password' parameter to init_with_password. + + * lib/kadm5/init_s.c: implement init_with_{skey,creds}* + + * lib/kadm5/server.c: Better arguments for + kadm5_init_with_password. 
+ +Sat May 16 07:10:36 1998 Assar Westerlund + + * kdc/hprop.c: conditionalize ka-server reading support on + KASERVER_DB + + * configure.in: new option `--enable-kaserver-db' + +Fri May 15 19:39:18 1998 Johan Danielsson + + * lib/krb5/get_cred.c: Better error if local tgt couldn't be + found. + +Tue May 12 21:11:02 1998 Assar Westerlund + + * Release 0.0p + + * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): only set + encryption type in auth_context if it's compatible with the type + of the session key + +Mon May 11 21:11:14 1998 Johan Danielsson + + * kdc/hprop.c: add support for ka-server databases + + * appl/ftp/ftpd: link with -lcrypt, if needed + +Fri May 1 07:29:52 1998 Assar Westerlund + + * configure.in: don't test for winsock.h + +Sat Apr 18 21:43:11 1998 Johan Danielsson + + * Release 0.0o + +Sat Apr 18 00:31:11 1998 Johan Danielsson + + * lib/krb5/sock_principal.c: Save hostname. + +Sun Apr 5 11:29:45 1998 Johan Danielsson + + * lib/krb5/mk_req_ext.c: Use same enctype as in ticket. + + * kdc/hprop.c (v4_prop): Check for null key. + +Fri Apr 3 03:54:54 1998 Johan Danielsson + + * lib/krb5/str2key.c: Fix DES3 string-to-key. + + * lib/krb5/keytab.c: Get default keytab name from context. + + * lib/krb5/context.c: Get `default_keytab_name' value. + + * kadmin/util.c (foreach_principal): Print error message if + `kadm5_get_principals' fails. + + * kadmin/kadmind.c: Use `kadmind_loop'. + + * lib/kadm5/server.c: Replace several other functions with + `kadmind_loop'. + +Sat Mar 28 09:49:18 1998 Assar Westerlund + + * lib/krb5/keytab.c (fkt_add_entry): use an explicit seek instead + of O_APPEND + + * configure.in: generate ftp Makefiles + + * kuser/klist.c (print_cred_verbose): print IPv4-address in a + portable way. + + * admin/srvconvert.c (srvconv): return 0 if successful + +Tue Mar 24 00:40:33 1998 Johan Danielsson + + * lib/krb5/keytab.c: MIT compatible changes: add and use sizes to + keytab entries, and change default keytab to `/etc/krb5.keytab'. 
+ +Mon Mar 23 23:43:59 1998 Johan Danielsson + + * lib/gssapi/wrap.c: Use `gss_krb5_getsomekey'. + + * lib/gssapi/unwrap.c: Implement and use `gss_krb5_getsomekey'. + Fix bug in checking of pad. + + * lib/gssapi/{un,}wrap.c: Add support for just integrity + protecting data. + + * lib/gssapi/accept_sec_context.c: Use + `gssapi_krb5_verify_8003_checksum'. + + * lib/gssapi/8003.c: Implement `gssapi_krb5_verify_8003_checksum'. + + * lib/gssapi/init_sec_context.c: Zero cred, and store session key + properly in auth-context. + +Sun Mar 22 00:47:22 1998 Johan Danielsson + + * lib/kadm5/delete_s.c: Check immutable bit. + + * kadmin/kadmin.c: Pass client name to kadm5_init. + + * lib/kadm5/init_c.c: Get creds for client name passed in. + + * kdc/hprop.c (v4_prop): Check for `changepw.kerberos'. + +Sat Mar 21 22:57:13 1998 Johan Danielsson + + * lib/krb5/mk_error.c: Verify that error_code is in the range + [0,127]. + + * kdc/kerberos5.c: Move checking of principal flags to new + function `check_flags'. + +Sat Mar 21 14:38:51 1998 Assar Westerlund + + * lib/kadm5/get_s.c (kadm5_s_get_principal): handle an empty salt + + * configure.in: define SunOS if running solaris + +Sat Mar 21 00:26:34 1998 Johan Danielsson + + * lib/kadm5/server.c: Unifdef test for same principal when + changing password. + + * kadmin/util.c: If kadm5_get_principals failes, we might still be + able to perform the requested opreration (for instance someone if + trying to change his own password). + + * lib/kadm5/init_c.c: Try to get ticket via initial request, if + not possible via tgt. + + * lib/kadm5/server.c: Check for principals changing their own + passwords. + + * kdc/kerberos5.c (tgs_rep2): check for interesting flags on + involved principals. + + * kadmin/util.c: Fix order of flags. + +Thu Mar 19 16:54:10 1998 Johan Danielsson + + * kdc/kerberos4.c: Return sane error code if krb_rd_req fails. 
+ +Wed Mar 18 17:11:47 1998 Assar Westerlund + + * acconfig.h: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6 + +Wed Mar 18 09:58:18 1998 Johan Danielsson + + * lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): don't + free keyseed; use correct keytab + +Tue Mar 10 09:56:16 1998 Assar Westerlund + + * acinclude.m4 (AC_KRB_IPV6): rewrote to avoid false positives + +Mon Mar 16 23:58:23 1998 Johan Danielsson + + * Release 0.0n + +Fri Mar 6 00:41:30 1998 Johan Danielsson + + * lib/gssapi/{accept_sec_context,release_cred}.c: Use + krb5_kt_close/krb5_kt_resolve. + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): Use resolver + to lookup hosts, so CNAMEs can be ignored. + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc, send_and_recv_http): + Add support for using proxy. + + * lib/krb5/context.c: Initialize `http_proxy' from + `libdefaults/http_proxy'. + + * lib/krb5/krb5.h: Add `http_proxy' to context. + + * lib/krb5/send_to_kdc.c: Recognize `http/' and `udp/' as protocol + specifications. + +Wed Mar 4 01:47:29 1998 Johan Danielsson + + * admin/ktutil.c: Implement `add' and `remove' functions. Make + `--keytab' a global option. + + * lib/krb5/keytab.c: Implement remove with files. Add memory + operations. + +Tue Mar 3 20:09:59 1998 Johan Danielsson + + * lib/krb5/keytab.c: Use function pointers. + + * admin: Remove kdb_edit. + +Sun Mar 1 03:28:42 1998 Assar Westerlund + + * lib/kadm5/dump_log.c: print operation names + +Sun Mar 1 03:04:12 1998 Assar Westerlund + + * configure.in: add X-tests, and {bin,...}dir appl/{kx,kauth} + + * lib/krb5/build_auth.c,mk_priv.c,rd_safe.c,mk_safe.c,mk_rep.c: + remove arbitrary limit + + * kdc/hprop-common.c: use krb5_{read,write}_message + + * lib/kadm5/ipropd_master.c (send_diffs): more careful use + krb5_{write,read}_message + + * lib/kadm5/ipropd_slave.c (get_creds): get credentials for + `iprop/master' directly. 
+ (main): use `krb5_read_message' + +Sun Mar 1 02:05:11 1998 Johan Danielsson + + * kadmin/kadmin.c: Cleanup commands list, and add help strings. + + * kadmin/get.c: Add long, short, and terse (equivalent to `list') + output formats. Short is the default. + + * kadmin/util.c: Add `include_time' flag to timeval2str. + + * kadmin/init.c: Max-life and max-renew can, infact, be zero. + + * kadmin/{cpw,del,ext,get}.c: Use `foreach_principal'. + + * kadmin/util.c: Add function `foreach_principal', that loops over + all principals matching an expression. + + * kadmin/kadmin.c: Add usage string to `privileges'. + + * lib/kadm5/get_princs_s.c: Also try to match aganist the + expression appended with `@default-realm'. + + * lib/krb5/principal.c: Add `krb5_unparse_name_fixed_short', that + excludes the realm if it's the same as the default realm. + +Fri Feb 27 05:02:21 1998 Assar Westerlund + + * configure.in: more WFLAGS and WFLAGS_NOUNUSED added missing + headers and functions error -> com_err + + (krb5_get_init_creds_keytab): use krb5_keytab_key_proc + + * lib/krb5/get_in_tkt_with_keytab.c: make `krb5_keytab_key_proc' + global + + * lib/kadm5/marshall.c (ret_principal_ent): set `n_tl_data' + + * lib/hdb/ndbm.c: use `struct ndbm_db' everywhere. + +Fri Feb 27 04:49:24 1998 Assar Westerlund + + * lib/krb5/mk_priv.c (krb5_mk_priv): bump static limit to 10240. + This should be fixed the correct way. 
+ + * lib/kadm5/ipropd_master.c (check_acl:) truncate buf correctly + (send_diffs): compare versions correctly + (main): reorder handling of events + + * lib/kadm5/log.c (kadm5_log_previous): avoid bad type conversion + +Thu Feb 26 02:22:35 1998 Assar Westerlund + + * lib/kadm5/ipropd_{slave,master}.c: new files + + * lib/kadm5/log.c (kadm5_log_get_version): take an `fd' as + argument + + * lib/krb5/krb5.h (krb5_context_data): `et_list' should be `struct + et_list *' + + * aux/make-proto.pl: Should work with perl4 + +Mon Feb 16 17:20:22 1998 Johan Danielsson + + * lib/krb5/krb5_locl.h: Remove (it gets included via + {asn1,krb5}_err.h). + +Thu Feb 12 03:28:40 1998 Assar Westerlund + + * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): if time difference + is larger than max_skew, return KRB5KRB_AP_ERR_SKEW + + * lib/kadm5/log.c (get_version): globalize + + * lib/kadm5/kadm5_locl.h: include + + * lib/asn1/Makefile.am: add PA_KEY_INFO and PA_KEY_INFO_ENTRY + + * kdc/kerberos5.c (get_pa_etype_info): remove gcc-ism of + initializing local struct in declaration. + +Sat Jan 31 17:28:58 1998 Johan Danielsson + + * kdc/524.c: Use krb5_decode_EncTicketPart. + + * kdc/kerberos5.c: Check at runtime whether to use enctypes + instead of keytypes. If so use the same value to encrypt ticket, + and kdc-rep as well as `keytype' for session key. Fix some obvious + bugs with the handling of additional tickets. + + * lib/krb5/rd_req.c: Use krb5_decode_EncTicketPart, and + krb5_decode_Authenticator. + + * lib/krb5/rd_rep.c: Use krb5_decode_EncAPRepPart. + + * lib/krb5/rd_cred.c: Use krb5_decode_EncKrbCredPart. + + * lib/krb5/mk_rep.c: Make sure enc_part.etype is an encryption + type, and not a key type. Use krb5_encode_EncAPRepPart. + + * lib/krb5/init_creds_pw.c: Use krb5_decode_PA_KEY_INFO. + + * lib/krb5/get_in_tkt.c: Use krb5_decode_Enc{AS,TGS}RepPart. + + * lib/krb5/get_for_creds.c: Use krb5_encode_EncKrbCredPart. + + * lib/krb5/get_cred.c: Use krb5_decode_Enc{AS,TGS}RepPart. 
+ + * lib/krb5/build_auth.c: Use krb5_encode_Authenticator. + + * lib/krb5/codec.c: Enctype conversion stuff. + + * lib/krb5/context.c: Ignore KRB5_CONFIG if *not* running + setuid. Get configuration for libdefaults ktype_is_etype, and + default_etypes. + + * lib/krb5/encrypt.c: Add krb5_string_to_etype, rename + krb5_convert_etype to krb5_decode_keytype, and add + krb5_decode_keyblock. + +Fri Jan 23 00:32:09 1998 Johan Danielsson + + * lib/krb5/{get_in_tkt,rd_req}.c: Use krb5_convert_etype. + + * lib/krb5/encrypt.c: Add krb5_convert_etype function - converts + from protocol keytypes (that really are enctypes) to internal + representation. + +Thu Jan 22 21:24:36 1998 Johan Danielsson + + * lib/asn1/k5.asn1: Add PA-KEY-INFO structure to hold information + on keys in the database; and also a new `pa-key-info' padata-type. + + * kdc/kerberos5.c: If pre-authentication fails, return a list of + keytypes, salttypes, and salts. + + * lib/krb5/init_creds_pw.c: Add better support for + pre-authentication, by looking at hints from the KDC. + + * lib/krb5/get_in_tkt.c: Add better support for specifying what + pre-authentication to use. + + * lib/krb5/str2key.c: Merge entries for KEYTYPE_DES and + KEYTYPE_DES_AFS3. + + * lib/krb5/krb5.h: Add pre-authentication structures. + + * kdc/connect.c: Don't fail if realloc(X, 0) returns NULL. + +Wed Jan 21 06:20:40 1998 Assar Westerlund + + * lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize + `log_context.socket_name' and `log_context.socket_fd' + + * lib/kadm5/log.c (kadm5_log_flush): send a unix domain datagram + to inform the possible running ipropd of an update. + +Wed Jan 21 01:34:09 1998 Johan Danielsson + + * lib/krb5/get_in_tkt.c: Return error-packet to caller. + + * lib/krb5/free.c (krb5_free_kdc_rep): Free krb5_kdc_rep->error. + + * kdc/kerberos5.c: Add some support for using enctypes instead of + keytypes. + + * lib/krb5/get_cred.c: Fixes to send authorization-data to the + KDC. 
+ + * lib/krb5/build_auth.c: Only generate local subkey if there is + none. + + * lib/krb5/krb5.h: Add krb5_authdata type. + + * lib/krb5/auth_context.c: Add + krb5_auth_con_set{,localsub,remotesub}key. + + * lib/krb5/init_creds_pw.c: Return some error if prompter + functions return failure. + +Wed Jan 21 01:16:13 1998 Assar Westerlund + + * kpasswd/kpasswd.c: detect bad password. use krb5_err. + + * kadmin/util.c (edit_entry): remove unused variables + +Tue Jan 20 22:58:31 1998 Assar Westerlund + + * kuser/kinit.c: rename `-s' to `-S' to be MIT-compatible. + + * lib/kadm5/kadm5_locl.h: add kadm5_log_context and + kadm5_log*-functions + + * lib/kadm5/create_s.c (kadm5_s_create_principal): add change to + log + + * lib/kadm5/rename_s.c (kadm5_s_rename_principal): add change to + log + + * lib/kadm5/init_s.c (kadm5_s_init_with_password_ctx): initialize + log_context + + * lib/kadm5/delete_s.c (kadm5_s_delete_principal): add change to + log + + * lib/kadm5/modify_s.c (kadm5_s_modify_principal): add change to + log + + * lib/kadm5/randkey_s.c (kadm5_s_randkey_principal): add change to + log + + * lib/kadm5/chpass_s.c (kadm5_s_chpass_principal): add change to + log + + * lib/kadm5/Makefile.am: add log.c, dump_log and replay_log + + * lib/kadm5/replay_log.c: new file + + * lib/kadm5/dump_log.c: new file + + * lib/kadm5/log.c: new file + + * lib/krb5/str2key.c (get_str): initialize pad space to zero + + * lib/krb5/config_file.c (krb5_config_vget_next): handle c == NULL + + * kpasswd/kpasswdd.c: rewritten to use the kadm5 API + + * kpasswd/Makefile.am: link with kadm5srv + + * kdc/kerberos5.c (tgs_rep): initialize `i' + + * kadmin/kadmind.c (main): use kadm5_server_{send,recv}_sp + + * include/Makefile.am: added admin.h + +Sun Jan 18 01:41:34 1998 Johan Danielsson + + * lib/asn1/gen_copy.c: Don't return ENOMEM if allocating 0 bytes. + + * lib/krb5/mcache.c (mcc_store_cred): restore linked list if + copy_creds fails. 
+ +Tue Jan 6 04:17:56 1998 Assar Westerlund + + * lib/kadm5/server.c: add kadm5_server_{send,recv}{,_sp} + + * lib/kadm5/marshall.c: add kadm5_{store,ret}_principal_ent_mask. + + * lib/kadm5/init_c.c (kadm5_c_init_with_password_ctx): use + krb5_getportbyname + + * kadmin/kadmind.c (main): htons correctly. + moved kadm5_server_{recv,send} + + * kadmin/kadmin.c (main): only set admin_server if explicitly + given + +Mon Jan 5 23:34:44 1998 Johan Danielsson + + * lib/hdb/ndbm.c: Implement locking of database. + + * kdc/kerberos5.c: Process AuthorizationData. + +Sat Jan 3 22:07:07 1998 Johan Danielsson + + * kdc/string2key.c: Use AFS string-to-key from libkrb5. + + * lib/krb5/get_in_tkt.c: Handle pa-afs3-salt case. + + * lib/krb5/krb5.h: Add value for AFS salts. + + * lib/krb5/str2key.c: Add support for AFS string-to-key. + + * lib/kadm5/rename_s.c: Use correct salt. + + * lib/kadm5/ent_setup.c: Always enable client. Only set max-life + and max-renew if != 0. + + * lib/krb5/config_file.c: Add context to all krb5_config_*get_*. + +Thu Dec 25 17:03:25 1997 Assar Westerlund + + * kadmin/ank.c (ank): don't zero password if --random-key was + given. + +Tue Dec 23 01:56:45 1997 Assar Westerlund + + * Release 0.0m + + * lib/kadm5/ent_setup.c (attr_to_flags): try to set `client' + + * kadmin/util.c (edit_time): only set mask if != 0 + (edit_attributes): only set mask if != 0 + + * kadmin/init.c (init): create `default' + +Sun Dec 21 09:44:05 1997 Assar Westerlund + + * kadmin/util.c (str2deltat, str2attr, get_deltat): return value + as pointer and have return value indicate success. + + (get_response): check NULL from fgets + + (edit_time, edit_attributes): new functions for reading values and + offering list of answers on '?' 
+ + (edit_entry): use edit_time and edit_attributes + + * kadmin/ank.c (add_new_key): test the return value of + `krb5_parse_name' + + * kdc/kerberos5.c (tgs_check_authenticator): RFC1510 doesn't say + that the checksum has to be keyed, even though later drafts do. + Accept unkeyed checksums to be compatible with MIT. + + * kadmin/kadmin_locl.h: add some prototypes. + + * kadmin/util.c (edit_entry): return a value + + * appl/afsutil/afslog.c (main): return a exit code. + + * lib/krb5/get_cred.c (init_tgs_req): use krb5_keytype_to_enctypes + + * lib/krb5/encrypt.c (krb5_keytype_to_enctypes): new function. + + * lib/krb5/build_auth.c (krb5_build_authenticator): use + krb5_{free,copy}_keyblock instead of the _contents versions + +Fri Dec 12 14:20:58 1997 Johan Danielsson + + * lib/krb5/{mk,rd}_priv.c: fix check for local/remote subkey + +Mon Dec 8 08:48:09 1997 Johan Danielsson + + * lib/krb5/context.c: don't look at KRB5_CONFIG if running setuid + +Sat Dec 6 10:09:40 1997 Johan Danielsson + + * lib/krb5/keyblock.c (krb5_free_keyblock): check for NULL + keyblock + +Sat Dec 6 08:26:10 1997 Assar Westerlund + + * Release 0.0l + +Thu Dec 4 03:38:12 1997 Johan Danielsson + + * lib/krb5/send_to_kdc.c: Add TCP client support. + + * lib/krb5/store.c: Add k_{put,get}_int. + + * kadmin/ank.c: Set initial kvno to 1. + + * kdc/connect.c: Send version 5 TCP-reply as length+data. + +Sat Nov 29 07:10:11 1997 Assar Westerlund + + * lib/krb5/rd_req.c (krb5_rd_req): fixed obvious bug + + * kdc/kaserver.c (create_reply_ticket): use a random nonce in the + reply packet. + + * kdc/connect.c (init_sockets): less reallocing. + + * **/*.c: changed `struct fd_set' to `fd_set' + +Sat Nov 29 05:12:01 1997 Johan Danielsson + + * lib/krb5/get_default_principal.c: More guessing. + +Thu Nov 20 02:55:09 1997 Johan Danielsson + + * lib/krb5/rd_req.c: Use principal from ticket if no server is + given. + +Tue Nov 18 02:58:02 1997 Johan Danielsson + + * kuser/klist.c: Use krb5_err*(). 
+ +Sun Nov 16 11:57:43 1997 Johan Danielsson + + * kadmin/kadmin.c: Add local `init', `load', `dump', and `merge' + commands. + +Sun Nov 16 02:52:20 1997 Assar Westerlund + + * lib/krb5/mk_req_ext.c (krb5_mk_req_ext): figure out the correct + `enctype' + + * lib/krb5/mk_req.c (krb5_mk_req): use `(*auth_context)->enctype' + if set. + + * lib/krb5/get_cred.c: handle the case of a specific keytype + + * lib/krb5/build_auth.c (krb5_build_authenticator): enctype as a + parameter instead of guessing it. + + * lib/krb5/build_ap_req.c (krb5_build_ap_req): new parameter + `enctype' + + * appl/test/common.c (common_setup): don't use `optarg' + + * lib/krb5/keytab.c (krb5_kt_copy_entry_contents): new function + (krb5_kt_get_entry): retrieve the latest version if kvno == 0 + + * lib/krb5/krb5.h: define KRB5_TC_MATCH_KEYTYPE + + * lib/krb5/creds.c (krb5_compare_creds): check for + KRB5_TC_MATCH_KEYTYPE + + * lib/gssapi/8003.c (gssapi_krb5_create_8003_checksum): remove + unused variable + + * lib/krb5/creds.c (krb5_copy_creds_contents): only free the + contents if we fail. + +Sun Nov 16 00:32:48 1997 Johan Danielsson + + * kpasswd/kpasswdd.c: Get password expiration time from config + file. + + * lib/asn1/{der_get,gen_decode}.c: Allow passing NULL size. + +Wed Nov 12 02:35:57 1997 Assar Westerlund + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): + restructured and fixed. + + * lib/krb5/addr_families.c (krb5_h_addr2addr): new function. + +Wed Nov 12 01:36:01 1997 Johan Danielsson + + * lib/krb5/get_addrs.c: Fall back to hostname's addresses if other + methods fail. + +Tue Nov 11 22:22:12 1997 Johan Danielsson + + * kadmin/kadmin.c: Add `-l' flag to use local database. + + * lib/kadm5/acl.c: Use KADM5_PRIV_ALL. + + * lib/kadm5: Use function pointer trampoline for easier dual use + (without radiation-hardening capability). 
+ +Tue Nov 11 05:15:22 1997 Assar Westerlund + + * lib/krb5/encrypt.c (krb5_etype_valid): new function + + * lib/krb5/creds.c (krb5_copy_creds_contents): zero target + + * lib/krb5/context.c (valid_etype): remove + + * lib/krb5/checksum.c: remove dead code + + * lib/krb5/changepw.c (send_request): free memory on error. + + * lib/krb5/build_ap_req.c (krb5_build_ap_req): check return value + from malloc. + + * lib/krb5/auth_context.c (krb5_auth_con_init): free memory on + failure correctly. + (krb5_auth_con_setaddrs_from_fd): return error correctly. + + * lib/krb5/get_in_tkt_with_{keytab,skey}.c: new files + +Tue Nov 11 02:53:19 1997 Johan Danielsson + + * lib/krb5/auth_context.c: Implement auth_con_setuserkey. + + * lib/gssapi/init_sec_context.c: Use krb5_auth_con_getkey. + + * lib/krb5/keyblock.c: Rename krb5_free_keyblock to + krb5_free_keyblock_contents, and reimplement krb5_free_keyblock. + + * lib/krb5/rd_req.c: Use auth_context->keyblock if + ap_options.use_session_key. + +Tue Nov 11 02:35:17 1997 Assar Westerlund + + * lib/krb5/net_{read,write}.c: change `int fd' to `void *p_fd'. + fix callers. + + * lib/krb5/krb5_locl.h: include and + + * include/Makefile.am: add xdbm.h + +Tue Nov 11 01:58:22 1997 Johan Danielsson + + * lib/krb5/get_cred.c: Implement krb5_get_cred_from_kdc. + +Mon Nov 10 22:41:53 1997 Johan Danielsson + + * lib/krb5/ticket.c: Implement copy_ticket. + + * lib/krb5/get_in_tkt.c: Make `options' parameter MIT-compatible. + + * lib/krb5/data.c: Implement free_data and copy_data. + +Sun Nov 9 02:17:27 1997 Johan Danielsson + + * lib/kadm5: Implement kadm5_get_privs, and kadm5_get_principals. + + * kadmin/kadmin.c: Add get_privileges function. + + * lib/kadm5: Rename KADM5_ACL_* -> KADM5_PRIV_* to conform with + specification. + + * kdc/connect.c: Exit if no sockets could be bound. + + * kadmin/kadmind.c: Check return value from krb5_net_read(). + + * lib/kadm5,kadmin: Fix memory leaks. 
+ +Fri Nov 7 02:45:26 1997 Johan Danielsson + + * lib/kadm5/create_s.c: Get some default values from `default' + principal. + + * lib/kadm5/ent_setup.c: Add optional default entry to get some + values from. + +Thu Nov 6 00:20:41 1997 Johan Danielsson + + * lib/error/compile_et.awk: Remove generated destroy_*_error_table + prototype + + * kadmin/kadmind.c: Crude admin server. + + * kadmin/kadmin.c: Update to use remote protocol. + + * kadmin/get.c: Fix principal formatting. + + * lib/kadm5: Add client support. + + * lib/kadm5/error.c: Error code mapping. + + * lib/kadm5/server.c: Kadmind support function. + + * lib/kadm5/marshall.c: Kadm5 marshalling. + + * lib/kadm5/acl.c: Simple acl system. + + * lib/kadm5/kadm5_locl.h: Add client stuff. + + * lib/kadm5/init_s.c: Initialize acl. + + * lib/kadm5/*: Return values. + + * lib/kadm5/create_s.c: Correct kvno. + +Wed Nov 5 22:06:50 1997 Johan Danielsson + + * lib/krb5/log.c: Fix parsing of log destinations. + +Mon Nov 3 20:33:55 1997 Johan Danielsson + + * lib/krb5/principal.c: Reduce number of reallocs in unparse_name. + +Sat Nov 1 01:40:53 1997 Johan Danielsson + + * kadmin: Simple kadmin utility. + + * admin/ktutil.c: Print keytype. + + * lib/kadm5/get_s.c: Set correct n_key_data. + + * lib/kadm5/init_s.c: Add kadm5_s_init_with_password_ctx. Use + master key. + + * lib/kadm5/destroy_s.c: Check for allocated context. + + * lib/kadm5/{create,chpass}_s.c: Use _kadm5_set_keys(). + +Sat Nov 1 00:21:00 1997 Assar Westerlund + + * configure.in: test for readv, writev + +Wed Oct 29 23:41:26 1997 Assar Westerlund + + * lib/krb5/warn.c (_warnerr): handle the case of an illegal error + code + + * kdc/kerberos5.c (encode_reply): return success + +Wed Oct 29 18:01:59 1997 Johan Danielsson + + * kdc/kerberos5.c (find_etype) Return correct index of selected + etype. 
+ +Wed Oct 29 04:07:06 1997 Assar Westerlund + + * Release 0.0k + + * lib/krb5/context.c (krb5_init_context): support `KRB5_CONFIG' + environment variable + + * *: use the roken_get*-macros from roken.h for the benefit of + Crays. + + * configure.in: add --{enable,disable}-otp. check for compatible + prototypes for gethostbyname, gethostbyaddr, getservbyname, and + openlog (they have strange prototypes on Crays) + + * acinclude.m4: new macro `AC_PROTO_COMPAT' + +Tue Oct 28 00:11:22 1997 Johan Danielsson + + * kdc/connect.c: Log bad requests. + + * kdc/kerberos5.c: Move stuff that's in common between as_rep and + tgs_rep to separate functions. + + * kdc/kerberos5.c: Fix user-to-user authentication. + + * lib/krb5/get_cred.c: Some restructuring of krb5_get_credentials: + - add a kdc-options argument to krb5_get_credentials, and rename + it to krb5_get_credentials_with_flags + - honour the KRB5_GC_CACHED, and KRB5_GC_USER_USER options + - add some more user-to-user glue + + * lib/krb5/rd_req.c: Move parts of krb5_verify_ap_req into a new + function, krb5_decrypt_ticket, so it is easier to decrypt and + check a ticket without having an ap-req. + + * lib/krb5/krb5.h: Add KRB5_GC_CACHED, and KRB5_GC_USER_USER + flags. + + * lib/krb5/crc.c (crc_init_table): Check if table is already + inited. + +Sun Oct 26 04:51:02 1997 Johan Danielsson + + * lib/asn1/der_get.c (der_get_length, fix_dce): Special-case + indefinite encoding. + + * lib/asn1/gen_glue.c (generate_units): Check for empty + member-list. + +Sat Oct 25 07:24:57 1997 Johan Danielsson + + * lib/error/compile_et.awk: Allow specifying table-base. + +Tue Oct 21 20:21:40 1997 Johan Danielsson + + * kdc/kerberos5.c: Check version number of krbtgt. + +Mon Oct 20 01:14:53 1997 Assar Westerlund + + * lib/krb5/prompter_posix.c (krb5_prompter_posix): implement the + case of unhidden prompts. + + * lib/krb5/str2key.c (string_to_key_internal): return error + instead of aborting. 
always free memory + + * admin/ktutil.c: add `help' command + + * admin/kdb_edit.c: implement new commands: add_random_key(ark), + change_password(cpw), change_random_key(crk) + +Thu Oct 16 05:16:36 1997 Assar Westerlund + + * kpasswd/kpasswdd.c: change all the keys in the database + + * kdc: removed all unsealing, now done by the hdb layer + + * lib/hdb/hdb.c: new functions `hdb_create', `hdb_set_master_key' + and `hdb_clear_master_key' + + * admin/misc.c: removed + +Wed Oct 15 22:47:31 1997 Assar Westerlund + + * kuser/klist.c: print year as YYYY iff verbose + +Wed Oct 15 20:02:13 1997 Johan Danielsson + + * kuser/klist.c: print etype from ticket + +Mon Oct 13 17:18:57 1997 Johan Danielsson + + * Release 0.0j + + * lib/krb5/get_cred.c: Get the subkey from mk_req so it can be + used to decrypt the reply from DCE secds. + + * lib/krb5/auth_context.c: Add {get,set}enctype. + + * lib/krb5/get_cred.c: Fix for DCE secd. + + * lib/krb5/store.c: Store keytype twice, as MIT does. + + * lib/krb5/get_in_tkt.c: Use etype from reply. + +Fri Oct 10 00:39:48 1997 Johan Danielsson + + * kdc/connect.c: check for leading '/' in http request + +Tue Sep 30 21:50:18 1997 Assar Westerlund + + * Release 0.0i + +Mon Sep 29 15:58:43 1997 Assar Westerlund + + * lib/krb5/rd_req.c (krb5_rd_req): redone because we don't know + the kvno or keytype before receiving the AP-REQ + + * lib/krb5/mk_safe.c (krb5_mk_safe): figure out what cksumtype to + use from the keytype. + + * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): figure out what + cksumtype to use from the keytype. + + * lib/krb5/mk_priv.c (krb5_mk_priv): figure out what etype to use + from the keytype. + + * lib/krb5/keytab.c (krb5_kt_get_entry): check the keytype + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): figure out + what etype to use from the keytype. 
+ + * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): + handle other key types than DES + + * lib/krb5/encrypt.c (key_type): add `best_cksumtype' + (krb5_keytype_to_cksumtype): new function + + * lib/krb5/build_auth.c (krb5_build_authenticator): figure out + what etype to use from the keytype. + + * lib/krb5/auth_context.c (krb5_auth_con_init): set `cksumtype' + and `enctype' to 0 + + * admin/extkeytab.c (ext_keytab): extract all keys + + * appl/telnet/telnet/commands.c: INET6_ADDRSTRLEN kludge + + * configure.in: check for . check for -linet6 + +Tue Sep 23 03:00:53 1997 Assar Westerlund + + * lib/krb5/encrypt.c: fix checksumtype for des3-cbc-sha1 + + * lib/krb5/rd_safe.c: fix check for keyed and collision-proof + checksum + + * lib/krb5/context.c (valid_etype): remove hard-coded constants + (default_etypes): include DES3 + + * kdc/kerberos5.c: fix check for keyed and collision-proof + checksum + + * admin/util.c (init_des_key, set_password): DES3 keys also + + * lib/krb/send_to_kdc.c (krb5_sendto_kdc): no data returned means + no contact? + + * lib/krb5/addr_families.c: fix typo in `ipv6_anyaddr' + +Mon Sep 22 11:44:27 1997 Johan Danielsson + + * kdc/kerberos5.c: Somewhat fix the etype usage. The list sent by + the client is used to select wich key to encrypt the kdc rep with + (in case of as-req), and with the server info to select the + session key type. The server key the ticket is encrypted is based + purely on the keys in the database. + + * kdc/string2key.c: Add keytype support. Default to version 5 + keys. + + * lib/krb5/get_in_tkt.c: Fix a lot of etype/keytype misuse. + + * lib/krb5/encrypt.c: Add des3-cbc-md5, and des3-cbc-sha1. Add + many *_to_* functions. + + * lib/krb5/str2key.c: Add des3 string-to-key. Add ktype argument + to krb5_string_to_key(). + + * lib/krb5/checksum.c: Some cleanup, and added: + - rsa-md5-des3 + - hmac-sha1-des3 + - keyed and collision proof flags to each checksum method + - checksum<->string functions. 
+ + * lib/krb5/generate_subkey.c: Use krb5_generate_random_keyblock. + +Sun Sep 21 15:19:23 1997 Assar Westerlund + + * kdc/connect.c: use new addr_families functions + + * kpasswd/kpasswdd.c: use new addr_families functions. Now works + over IPv6 + + * kuser/klist.c: use correct symbols for address families + + * lib/krb5/sock_principal.c: use new addr_families functions + + * lib/krb5/send_to_kdc.c: use new addr_families functions + + * lib/krb5/krb5.h: add KRB5_ADDRESS_INET6 + + * lib/krb5/get_addrs.c: use new addr_families functions + + * lib/krb5/changepw.c: use new addr_families functions. Now works + over IPv6 + + * lib/krb5/auth_context.c: use new addr_families functions + + * lib/krb5/addr_families.c: new file + + * acconfig.h: AC_SOCKADDR_IN6 -> AC_STRUCT_SOCKADDR_IN6. Updated + uses. + + * acinclude.m4: new macro `AC_KRB_IPV6'. Use it. + +Sat Sep 13 23:04:23 1997 Johan Danielsson + + * kdc/hprop.c: Don't encrypt twice. Complain on non-convertable + principals. + +Sat Sep 13 00:59:36 1997 Assar Westerlund + + * Release 0.0h + + * appl/telnet/telnet/commands.c: AF_INET6 support + + * admin/misc.c: new file + + * lib/krb5/context.c: new configuration variable `max_retries' + + * lib/krb5/get_addrs.c: fixes and better #ifdef's + + * lib/krb5/config_file.c: implement krb5_config_get_int + + * lib/krb5/auth_context.c, send_to_kdc.c, sock_principal.c: + AF_INET6 support + + * kuser/klist.c: support for printing IPv6-addresses + + * kdc/connect.c: support AF_INET6 + + * configure.in: test for gethostbyname2 and struct sockaddr_in6 + +Thu Sep 11 07:25:28 1997 Assar Westerlund + + * lib/asn1/k5.asn1: Use `METHOD-DATA' instead of `SEQUENCE OF + PA-DATA' + +Wed Sep 10 21:20:17 1997 Johan Danielsson + + * kdc/kerberos5.c: Fixes for cross-realm, including (but not + limited to): + - allow client to be non-existant (should probably check for + "local realm") + - if server isn't found and it is a request for a krbtgt, try to + find a realm on the way to the requested 
realm + - update the transited encoding iff + client-realm != server-realm != tgt-realm + + * lib/krb5/get_cred.c: Several fixes for cross-realm. + +Tue Sep 9 15:59:20 1997 Johan Danielsson + + * kdc/string2key.c: Fix password handling. + + * lib/krb5/encrypt.c: krb5_key_to_string + +Tue Sep 9 07:46:05 1997 Assar Westerlund + + * lib/krb5/get_addrs.c: rewrote. Now should be able to handle + aliases and IPv6 addresses + + * kuser/klist.c: try printing IPv6 addresses + + * kdc/kerberos5.c: increase the arbitrary limit from 1024 to 8192 + + * configure.in: check for + +Mon Sep 8 02:57:14 1997 Assar Westerlund + + * doc: fixes + + * admin/util.c (init_des_key): increase kvno + (set_password): return -1 if `des_read_pw_string' failed + + * admin/mod.c (doit2): check the return value from `set_password' + + * admin/ank.c (doit): don't add a new entry if `set_password' + failed + +Mon Sep 8 02:20:16 1997 Johan Danielsson + + * lib/krb5/verify_init.c: fix ap_req_nofail semantics + + * lib/krb5/transited.c: something that might resemble + domain-x500-compress + +Mon Sep 8 01:24:42 1997 Assar Westerlund + + * kdc/hpropd.c (main): check number of arguments + + * appl/popper/pop_init.c (pop_init): check number of arguments + + * kpasswd/kpasswd.c (main): check number of arguments + + * kdc/string2key.c (main): check number of arguments + + * kuser/kdestroy.c (main): check number of arguments + + * kuser/kinit.c (main): check number of arguments + + * kpasswd/kpasswdd.c (main): use sigaction without SA_RESTART to + break out of select when a signal arrives + + * kdc/main.c (main): use sigaction without SA_RESTART to break out + of select when a signal arrives + + * kdc/kstash.c: default to HDB_DB_DIR "/m-key" + + * kdc/config.c (configure): add `--version'. Check the number of + arguments. Handle the case of there being no specification of port + numbers. 
+ + * admin/util.c: seal and unseal key at appropriate places + + * admin/kdb_edit.c (main): parse arguments, config file and read + master key iff there's one. + + * admin/extkeytab.c (ext_keytab): unseal key while extracting + +Sun Sep 7 20:41:01 1997 Assar Westerlund + + * lib/roken/roken.h: include + + * kdc/kerberos5.c (set_salt_padata): new function + + * appl/telnet/telnetd/telnetd.c: Rename some variables that + conflict with cpp symbols on HP-UX 10.20 + + * change all calls of `gethostbyaddr' to cast argument 1 to `const + char *' + + * acconfig.h: only use SGTTY on nextstep + +Sun Sep 7 14:33:50 1997 Johan Danielsson + + * kdc/kerberos5.c: Check invalid flag. + +Fri Sep 5 14:19:38 1997 Johan Danielsson + + * lib/krb5/verify_user.c: Use get_init_creds/verify_init_creds. + + * lib/kafs: Move functions common to krb/krb5 modules to new file, + and make things more modular. + + * lib/krb5/krb5.h: rename STRING -> krb5_config_string, and LIST + -> krb5_config_list + +Thu Sep 4 23:39:43 1997 Johan Danielsson + + * lib/krb5/get_addrs.c: Fix loopback test. + +Thu Sep 4 04:45:49 1997 Assar Westerlund + + * lib/roken/roken.h: fallback definition of `O_ACCMODE' + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful when + checking for a v4 reply + +Wed Sep 3 18:20:14 1997 Johan Danielsson + + * kdc/hprop.c: Add `--decrypt' and `--encrypt' flags. + + * lib/hdb/hdb.c: new {seal,unseal}_keys functions + + * kdc/{hprop,hpropd}.c: Add support to dump database to stdout. + + * kdc/hprop.c: Don't use same master key as version 4. + + * admin/util.c: Don't dump core if no `default' is found. + +Wed Sep 3 16:01:07 1997 Johan Danielsson + + * kdc/connect.c: Allow run time port specification. + + * kdc/config.c: Add flags for http support, and port + specifications. + +Tue Sep 2 02:00:03 1997 Assar Westerlund + + * include/bits.c: Don't generate ifndef's in bits.h. Instead, use + them when building the program. 
This makes it possible to include + bits.h without having defined all HAVE_INT17_T symbols. + + * configure.in: test for sigaction + + * doc: updated documentation. + +Tue Sep 2 00:20:31 1997 Johan Danielsson + + * Release 0.0g + +Mon Sep 1 17:42:14 1997 Johan Danielsson + + * lib/krb5/data.c: don't return ENOMEM if len == 0 + +Sun Aug 31 17:15:49 1997 Johan Danielsson + + * lib/hdb/hdb.asn1: Include salt type in salt. + + * kdc/hprop.h: Change port to 754. + + * kdc/hpropd.c: Verify who tries to transmit a database. + + * appl/popper: Use getarg and krb5_log. + + * lib/krb5/get_port.c: Add context parameter. Now takes port in + host byte order. + +Sat Aug 30 18:48:19 1997 Johan Danielsson + + * kdc/connect.c: Add timeout to select, and log about expired tcp + connections. + + * kdc/config.c: Add `database' option. + + * kdc/hpropd.c: Log about duplicate entries. + + * lib/hdb/{db,ndbm}.c: Use common routines. + + * lib/hdb/common.c: Implement more generic fetch/store/delete + functions. + + * lib/hdb/hdb.h: Add `replace' parameter to store. + + * kdc/connect.c: Set filedecriptor to -1 on allocated decriptor + entries. + +Fri Aug 29 03:13:23 1997 Assar Westerlund + + * lib/krb5/get_in_tkt.c: extract_ticket -> _krb5_extract_ticket + + * aux/make-proto.pl: fix __P for stone age mode + +Fri Aug 29 02:45:46 1997 Johan Danielsson + + * lib/45/mk_req.c: implementation of krb_mk_req that uses 524 + protocol + + * lib/krb5/init_creds_pw.c: make change_password and + get_init_creds_common static + + * lib/krb5/krb5.h: Merge stuff from removed headerfiles. + + * lib/krb5/fcache.c: fcc_ops -> krb5_fcc_ops + + * lib/krb5/mcache.c: mcc_ops -> krb5_mcc_ops + +Fri Aug 29 01:45:25 1997 Johan Danielsson + + * lib/krb5/krb5.h: Remove all prototypes. + + * lib/krb5/convert_creds.c: Use `struct credentials' instead of + `CREDENTIALS'. + +Fri Aug 29 00:08:18 1997 Assar Westerlund + + * lib/asn1/gen_glue.c: new file. generates 2int and int2 functions + and units for bit strings. 
+ + * admin/util.c: flags2int, int2flags, and flag_units are now + generated by asn1_compile + + * lib/roken/parse_units.c: generalised `parse_units' and + `unparse_units' and added new functions `parse_flags' and + `unparse_flags' that use these + + * lib/krb5/krb5_locl.h: moved krb5_data* functions to krb5.h + + * admin/util.c: Use {un,}parse_flags for printing and parsing + hdbflags. + +Thu Aug 28 03:26:12 1997 Assar Westerlund + + * lib/krb5/get_addrs.c: restructured + + * lib/krb5/warn.c (_warnerr): leak less memory + + * lib/hdb/hdb.c (hdb_free_entry): zero keys + (hdb_check_db_format): leak less memory + + * lib/hdb/ndbm.c (NDBM_seq): check for valid hdb_entries implement + NDBM__get, NDBM__put + + * lib/hdb/db.c (DB_seq): check for valid hdb_entries + +Thu Aug 28 02:06:58 1997 Johan Danielsson + + * lib/krb5/send_to_kdc.c: Don't use sendto on connected sockets. + +Thu Aug 28 01:13:17 1997 Assar Westerlund + + * kuser/kinit.1, klist.1, kdestroy.1: new man pages + + * kpasswd/kpasswd.1, kpasswdd.8: new man pages + + * kdc/kstash.8, hprop.8, hpropd.8: new man pages + + * admin/ktutil.8, admin/kdb_edit.8: new man pages + + * admin/mod.c: new file + + * admin/life.c: renamed gettime and puttime to getlife and putlife + and moved them to life.c + + * admin/util.c: add print_flags, parse_flags, init_entry, + set_created_by, set_modified_by, edit_entry, set_password. Use + them. + + * admin/get.c: use print_flags + + * admin: removed unused stuff. use krb5_{warn,err}* + + * admin/ank.c: re-organized and abstracted. + + * admin/gettime.c: removed + +Thu Aug 28 00:37:39 1997 Johan Danielsson + + * lib/krb5/{get_cred,get_in_tkt}.c: Check for v4 reply. + + * lib/roken/base64.c: Add base64 functions. + + * kdc/connect.c lib/krb5/send_to_kdc.c: Add http support. + +Wed Aug 27 00:29:20 1997 Johan Danielsson + + * include/Makefile.am: Don't make links to built files. + + * admin/kdb_edit.c: Add command to set the database path. 
+ + * lib/hdb: Include version number in database. + +Tue Aug 26 20:14:54 1997 Johan Danielsson + + * admin/ktutil: Merged v4 srvtab conversion. + +Mon Aug 25 23:02:18 1997 Assar Westerlund + + * lib/roken/roken.h: add F_OK + + * lib/gssapi/acquire_creds.c: fix typo + + * configure.in: call AC_TYPE_MODE_T + + * acinclude.m4: Add AC_TYPE_MODE_T + +Sun Aug 24 16:46:53 1997 Assar Westerlund + + * Release 0.0f + +Sun Aug 24 08:06:54 1997 Assar Westerlund + + * appl/popper/pop_pass.c: log poppers + + * kdc/kaserver.c: some more checks + + * kpasswd/kpasswd.c: removed `-p' + + * kuser/kinit.c: removed `-p' + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): If + KDC_ERR_PREUATH_REQUIRED, add preauthentication and try again. + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): don't print out + krb-error text + + * lib/gssapi/import_name.c (input_name): more names types. + + * admin/load.c (parse_keys): handle the case of an empty salt + + * kdc/kaserver.c: fix up memory deallocation + + * kdc/kaserver.c: quick hack at talking kaserver protocol + + * kdc/kerberos4.c: Make `db-fetch4' global + + * configure.in: add --enable-kaserver + + * kdc/rx.h, kdc/kerberos4.h: new header files + + * lib/krb5/principal.c: fix krb5_build_principal_ext & c:o + +Sun Aug 24 03:52:44 1997 Johan Danielsson + + * lib/krb5/{get_in_tkt,mk_safe,mk_priv}.c: Fix some Cray specific + type conflicts. + + * lib/krb5/{get_cred,get_in_tkt}.c: Mask nonce to 32 bits. + + * lib/des/{md4,md5,sha}.c: Now works on Crays. + +Sat Aug 23 18:15:01 1997 Johan Danielsson + + * appl/afsutil/afslog.c: If no cells or files specified, get + tokens for all local cells. Better test for files. + +Thu Aug 21 23:33:38 1997 Assar Westerlund + + * lib/gssapi/v1.c: new file with v1 compatibility functions. + +Thu Aug 21 20:36:13 1997 Johan Danielsson + + * lib/kafs/afskrb5.c: Don't check ticket file for afs ticket. + + * kdc/kerberos4.c: Check database when converting v4 principals. 
+ + * kdc/kerberos5.c: Include kvno in Ticket. + + * lib/krb5/encrypt.c: Add kvno parameter to encrypt_EncryptedData. + + * kuser/klist.c: Print version number of ticket, include more + flags. + +Wed Aug 20 21:26:58 1997 Johan Danielsson + + * lib/kafs/afskrb5.c (get_cred): Check cached afs tickets for + expiration. + +Wed Aug 20 17:40:31 1997 Assar Westerlund + + * lib/krb5/recvauth.c (krb5_recvauth): Send a KRB-ERROR iff + there's an error. + + * lib/krb5/sendauth.c (krb5_sendauth): correct the protocol + documentation and process KRB-ERROR's + +Tue Aug 19 20:41:30 1997 Johan Danielsson + + * kdc/kerberos4.c: Fix memory leak in v4 protocol handler. + +Mon Aug 18 05:15:09 1997 Assar Westerlund + + * lib/gssapi/accept_sec_context.c: Added + `gsskrb5_register_acceptor_identity' + +Sun Aug 17 01:40:20 1997 Assar Westerlund + + * lib/gssapi/accept_sec_context.c (gss_accept_sec_context): don't + always pass server == NULL to krb5_rd_req. + + * lib/gssapi: new files: canonicalize_name.c export_name.c + context_time.c compare_name.c release_cred.c acquire_cred.c + inquire_cred.c, from Luke Howard + + * lib/krb5/config_file.c: Add netinfo support from Luke Howard + + + * lib/editline/sysunix.c: sgtty-support from Luke Howard + + + * lib/krb5/principal.c: krb5_sname_to_principal fix from Luke + Howard + +Sat Aug 16 00:44:47 1997 Assar Westerlund + + * Release 0.0e + +Sat Aug 16 00:23:46 1997 Johan Danielsson + + * appl/afsutil/afslog.c: Use new libkafs. + + * lib/kafs/afskrb5.c: Get AFS tokens via 524 protocol. + + * lib/krb5/warn.c: Fix format string for *x type. + +Fri Aug 15 22:15:01 1997 Assar Westerlund + + * admin/get.c (get_entry): print more information about the entry + + * lib/des/Makefile.am: build destest, mdtest, des, rpw, speed + + * lib/krb5/config_file.c: new functions `krb5_config_get_time' and + `krb5_config_vget_time'. Use them. + +Fri Aug 15 00:09:37 1997 Johan Danielsson + + * admin/ktutil.c: Keytab manipulation program. 
+ + * lib/krb5/keytab.c: Return sane values from resolve and + start_seq_get. + + * kdc/kerberos5.c: Fix for old clients passing 0 for `no endtime'. + + * lib/45/get_ad_tkt.c: Kerberos 4 get_ad_tkt using + krb524_convert_creds_kdc. + + * lib/krb5/convert_creds.c: Implementation of + krb524_convert_creds_kdc. + + * lib/asn1/k5.asn1: Make kdc-req-body.till OPTIONAL + + * kdc/524.c: A somewhat working 524-protocol module. + + * kdc/kerberos4.c: Add version 4 ticket encoding and encryption + functions. + + * lib/krb5/context.c: Fix kdc_timeout. + + * lib/hdb/{ndbm,db}.c: Free name in close. + + * kdc/kerberos5.c (tgs_check_autenticator): Return error code + +Thu Aug 14 21:29:03 1997 Johan Danielsson + + * kdc/kerberos5.c (tgs_make_reply): Fix endtime in reply. + + * lib/krb5/store_emem.c: Fix reallocation bug. + +Tue Aug 12 01:29:46 1997 Assar Westerlund + + * appl/telnet/libtelnet/kerberos5.c, appl/popper/pop_init.c: Use + `krb5_sock_to_principal'. Send server parameter to + krb5_rd_req/krb5_recvauth. Set addresses in auth_context. + + * lib/krb5/recvauth.c: Set addresses in auth_context if there + aren't any + + * lib/krb5/auth_context.c: New function + `krb5_auth_con_setaddrs_from_fd' + + * lib/krb5/sock_principal.c: new function + `krb5_sock_to_principal' + + * lib/krb5/time.c: new file with `krb5_timeofday' and + `krb5_us_timeofday'. Use these functions. + + * kuser/klist.c: print KDC offset iff verbose + + * lib/krb5/get_in_tkt.c: implement KDC time offset and use it if + [libdefaults]kdc_timesync is set. + + * lib/krb5/fcache.c: Implement version 4 of the ccache format. + +Mon Aug 11 05:34:43 1997 Assar Westerlund + + * lib/krb5/rd_rep.c (krb5_free_ap_rep_enc_part): free all memory + + * lib/krb5/principal.c (krb5_unparse_name): allocate memory + properly + + * kpasswd/kpasswd.c: Use `krb5_change_password' + + * lib/krb5/init_creds_pw.c (init_cred): set realm of server + correctly. 
+ + * lib/krb5/init_creds_pw.c: support changing of password when it + has expired + + * lib/krb5/changepw.c: new file + + * kuser/klist.c: use getarg + + * admin/init.c (init): add `kadmin/changepw' + +Mon Aug 11 04:30:47 1997 Johan Danielsson + + * lib/krb5/get_cred.c: Make get_credentials handle cross-realm. + +Mon Aug 11 00:03:24 1997 Assar Westerlund + + * lib/krb5/config_file.c: implement support for #-comments + +Sat Aug 9 02:21:46 1997 Johan Danielsson + + * kdc/hprop*.c: Add database propagation programs. + + * kdc/connect.c: Max request size. + +Sat Aug 9 00:47:28 1997 Assar Westerlund + + * lib/otp: resurrected from krb4 + + * appl/push: new program for fetching mail with POP. + + * appl/popper/popper.h: new include files. new fields in `POP' + + * appl/popper/pop_pass.c: Implement both v4 and v5. + + * appl/popper/pop_init.c: Implement both v4 and v5. + + * appl/popper/pop_debug.c: use getarg. Talk both v4 and v5 + + * appl/popper: Popper from krb4. + + * configure.in: check for inline and generate + files in appl/popper, appl/push, and lib/otp + +Fri Aug 8 05:51:02 1997 Assar Westerlund + + * lib/krb5/get_cred.c: clean-up and try to free memory even when + there're errors + + * lib/krb5/get_cred.c: adapt to new `extract_ticket' + + * lib/krb5/get_in_tkt.c: reorganize. check everything and try to + return memory even if there are errors. + + * kuser/kverify.c: new file + + * lib/krb5/free_host_realm.c: new file + + * lib/krb5/principal.c (krb5_sname_to_principal): implement + different nametypes. Also free memory. + + * lib/krb5/verify_init.c: more functionality + + * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): free the checksum + + * lib/krb5/get_in_tkt.c (extract_ticket): don't copy over the + principals in creds. 
Should also compare them with that received + from the KDC + + * lib/krb5/cache.c (krb5_cc_gen_new): copy the newly allocated + krb5_ccache + (krb5_cc_destroy): call krb5_cc_close + (krb5_cc_retrieve_cred): delete the unused creds + +Fri Aug 8 02:30:40 1997 Johan Danielsson + + * lib/krb5/log.c: Allow better control of destinations of logging + (like passing explicit destinations, and log-functions). + +Fri Aug 8 01:20:39 1997 Assar Westerlund + + * lib/krb5/get_default_principal.c: new file + + * kpasswd/kpasswdd.c: use krb5_log* + +Fri Aug 8 00:37:47 1997 Johan Danielsson + + * lib/krb5/init_creds_pw.c: Implement krb5_get_init_creds_keytab. + +Fri Aug 8 00:37:17 1997 Assar Westerlund + + * lib/krb5/init_creds_pw.c: Use `krb5_get_default_principal'. + Print password expire information. + + * kdc/config.c: new variable `kdc_warn_pwexpire' + + * kpasswd/kpasswd.c: converted to getarg and get_init_creds + +Thu Aug 7 22:17:09 1997 Assar Westerlund + + * lib/krb5/mcache.c: new file + + * admin/gettime.c: new function puttime. Use it. + + * lib/krb5/keyblock.c: Added krb5_free_keyblock and + krb5_copy_keyblock + + * lib/krb5/init_creds_pw.c: more functionality + + * lib/krb5/creds.c: Added krb5_free_creds_contents and + krb5_copy_creds. Changed callers. + + * lib/krb5/config_file.c: new functions krb5_config_get and + krb5_config_vget + + * lib/krb5/cache.c: cleanup added mcache + + * kdc/kerberos5.c: include last-req's of type 6 and 7, if + applicable + +Wed Aug 6 20:38:23 1997 Johan Danielsson + + * lib/krb5/log.c: New parameter `log-level'. Default to `SYSLOG'. + +Tue Aug 5 22:53:54 1997 Assar Westerlund + + * lib/krb5/verify_init.c, init_creds_pw.c, init_creds.c, + prompter_posix.c: the beginning of an implementation of the cygnus + initial-ticket API. + + * lib/krb5/get_in_tkt_pw.c: make `krb5_password_key_proc' global + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): new function that is + almost krb5_get_in_tkt but doesn't write the creds to the ccache. 
+ Small fixes in krb5_get_in_tkt + + * lib/krb5/get_addrs.c (krb5_get_all_client_addrs): don't include + loopback. + +Mon Aug 4 20:20:48 1997 Johan Danielsson + + * kdc: Make context global. + +Fri Aug 1 17:23:56 1997 Assar Westerlund + + * Release 0.0d + + * lib/roken/flock.c: new file + + * kuser/kinit.c: check for and print expiry information in the + `kdc_rep' + + * lib/krb5/get_in_tkt.c: Set `ret_as_reply' if != NULL + + * kdc/kerberos5.c: Check the valid times on client and server. + Check the password expiration. + Check the require_preauth flag. + Send an lr_type == 6 with pw_end. + Set key.expiration to min(valid_end, pw_end) + + * lib/hdb/hdb.asn1: new flags `require_preauth' and `change_pw' + + * admin/util.c, admin/load.c: handle the new flags. + +Fri Aug 1 16:56:12 1997 Johan Danielsson + + * lib/hdb: Add some simple locking. + +Sun Jul 27 04:44:31 1997 Johan Danielsson + + * lib/krb5/log.c: Add some general logging functions. + + * kdc/kerberos4.c: Add version 4 protocol handler. The requrement + for this to work is that all involved principals has a des key in + the database, and that the client has a version 4 (un-)salted + key. Furthermore krb5_425_conv_principal has to do it's job, as + present it's not very clever. + + * lib/krb5/principal.c: Quick patch to make 425_conv work + somewhat. + + * lib/hdb/hdb.c: Add keytype->key and next key functions. + +Fri Jul 25 17:32:12 1997 Assar Westerlund + + * lib/krb5/build_auth.c (krb5_build_authenticator): don't free + `cksum'. It's allocated and freed by the caller + + * lib/krb5/get_cred.c (krb5_get_kdc_cred): Don't free `addresses'. + + * kdc/kerberos5.c (tgs_rep2): make sure we also have an defined + `client' to return as part of the KRB-ERROR + +Thu Jul 24 08:13:59 1997 Johan Danielsson + + * kdc/kerberos5.c: Unseal keys from database before use. + + * kdc/misc.c: New functions set_master_key, unseal_key and + free_key. + + * lib/roken/getarg.c: Handle `-f arg' correctly. 
+ +Thu Jul 24 01:54:43 1997 Assar Westerlund + + * kuser/kinit.c: implement `-l' aka `--lifetime' + + * lib/roken/parse_units.c, parse_time.c: new files + + * admin/gettime.c (gettime): use `parse_time' + + * kdc/kerberos5.c (as_rep): Use `METHOD-DATA' when sending + KRB5KDC_ERR_PREAUTH_REQUIRED, not PA-DATA. + + * kpasswd/kpasswdd.c: fix freeing bug use sequence numbers set + addresses in auth_context bind one socket per interface. + + * kpasswd/kpasswd.c: use sequence numbers + + * lib/krb5/rd_req.c (krb5_verify_ap_req): do abs when verifying + the timestamps + + * lib/krb5/rd_priv.c (krb5_rd_priv): Fetch the correct session key + from auth_context + + * lib/krb5/mk_priv.c (krb5_mk_priv): Fetch the correct session key + from auth_context + + * lib/krb5/mk_error.c (krb5_mk_error): return an error number and + not a comerr'd number. + + * lib/krb5/get_in_tkt.c (krb5_get_in_tkt): interpret the error + number in KRB-ERROR correctly. + + * lib/krb5/get_cred.c (krb5_get_kdc_cred): interpret the error + number in KRB-ERROR correctly. + + * lib/asn1/k5.asn1: Add `METHOD-DATA' + + * removed some memory leaks. + +Wed Jul 23 07:53:18 1997 Assar Westerlund + + * Release 0.0c + + * lib/krb5/rd_cred.c, get_for_creds.c: new files + + * lib/krb5/get_host_realm.c: try default realm as last chance + + * kpasswd/kpasswdd.c: updated to hdb changes + + * appl/telnet/libtelnet/kerberos5.c: Implement forwarding + + * appl/telnet/libtelnet: removed totally unused files + + * admin/ank.c: fix prompts and generation of random keys + +Wed Jul 23 04:02:32 1997 Johan Danielsson + + * admin/dump.c: Include salt in dump. + + * admin: Mostly updated for new db-format. + + * kdc/kerberos5.c: Update to use new db format. Better checking of + flags and such. More logging. + + * lib/hdb/hdb.c: Use generated encode and decode functions. + + * lib/hdb/hdb.h: Get hdb_entry from ASN.1 generated code. + + * lib/krb5/get_cred.c: Get addresses from krbtgt if there are none + in the reply. 
+ +Sun Jul 20 16:22:30 1997 Assar Westerlund + + * kuser/kinit.c: break if des_read_pw_string() != 0 + + * kpasswd/kpasswdd.c: send a reply + + * kpasswd/kpasswd.c: restructured code. better report on + krb-error break if des_read_pw_string() != 0 + + * kdc/kerberos5.c: Check `require_enc_timestamp' malloc space for + starttime and renew_till + + * appl/telnet/libtelnet/kerberos5.c (kerberos5_is): Send a + keyblock to krb5_verify_chekcsum + +Sun Jul 20 06:35:46 1997 Johan Danielsson + + * Release 0.0b + + * kpasswd/kpasswd.c: Avoid using non-standard struct names. + +Sat Jul 19 19:26:23 1997 Assar Westerlund + + * lib/krb5/keytab.c (krb5_kt_get_entry): check return from + `krb5_kt_start_seq_get'. From + +Sat Jul 19 04:07:39 1997 Johan Danielsson + + * lib/asn1/k5.asn1: Update with more pa-data types from + draft-ietf-cat-kerberos-revisions-00.txt + + * admin/load.c: Update to match current db-format. + + * kdc/kerberos5.c (as_rep): Try all valid pa-datas before giving + up. Send back an empty pa-data if the client has the v4 flag set. + + * lib/krb5/get_in_tkt.c: Pass both version5 and version4 salted + pa-data. DTRT if there is any pa-data in the reply. + + * lib/krb5/str2key.c: XOR with some sane value. + + * lib/hdb/hdb.h: Add `version 4 salted key' flag. + + * kuser/kinit.c: Ask for password before calling get_in_tkt. This + makes it possible to call key_proc more than once. + + * kdc/string2key.c: Add flags to output version 5 (DES only), + version 4, and AFS string-to-key of a password. + + * lib/asn1/gen_copy.c: copy_* functions now returns an int (0 or + ENOMEM). + +Fri Jul 18 02:54:58 1997 Assar Westerlund + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): do the + name2name thing + + * kdc/misc.c: check result of hdb_open + + * admin/kdb_edit: updated to new sl + + * lib/sl: sl_func now returns an int. != 0 means to exit. 
+ + * kpasswd/kpasswdd: A crude (but somewhat working) implementation + of `draft-ietf-cat-kerb-chg-password-00.txt' + +Fri Jul 18 00:55:39 1997 Johan Danielsson + + * kuser/krenew.c: Crude ticket renewing program. + + * kdc/kerberos5.c: Rewritten flags parsing, it now might work to + get forwarded and renewed tickets. + + * kuser/kinit.c: Add `-r' flag. + + * lib/krb5/get_cred.c: Move most of contents of get_creds to new + function get_kdc_cred, that always contacts the kdc and doesn't + save in the cache. This is a hack. + + * lib/krb5/get_in_tkt.c: Pass starttime and renew_till in request + (a bit kludgy). + + * lib/krb5/mk_req_ext.c: Make an auth_context if none passed in. + + * lib/krb5/send_to_kdc.c: Get timeout from context. + + * lib/krb5/context.c: Add kdc_timeout to context struct. + +Thu Jul 17 20:35:45 1997 Johan Danielsson + + * kuser/klist.c: Print start time of ticket if available. + + * lib/krb5/get_host_realm.c: Return error if no realm was found. + +Thu Jul 17 20:28:21 1997 Assar Westerlund + + * kpasswd: non-working kpasswd added + +Thu Jul 17 00:21:22 1997 Johan Danielsson + + * Release 0.0a + + * kdc/main.c: Add -p flag to disable pa-enc-timestamp requirement. + +Wed Jul 16 03:37:41 1997 Johan Danielsson + + * kdc/kerberos5.c (tgs_rep2): Free ticket and ap_req. + + * lib/krb5/auth_context.c (krb5_auth_con_free): Free remote + subkey. + + * lib/krb5/principal.c (krb5_free_principal): Check for NULL. + + * lib/krb5/send_to_kdc.c: Check for NULL return from + gethostbyname. + + * lib/krb5/set_default_realm.c: Try to get realm of local host if + no default realm is available. + + * Remove non ASN.1 principal code. + +Wed Jul 16 03:17:30 1997 Johan Danielsson + + * kdc/kerberos5.c: Split tgs_rep in smaller functions. Add better + error handing. Do some logging. + + * kdc/log.c: Some simple logging facilities. + + * kdc/misc.c (db_fetch): Take a krb5_principal. + + * kdc/connect.c: Pass address of request to as_rep and + tgs_rep. Send KRB-ERROR. 
+ + * lib/krb5/mk_error.c: Add more fields. + + * lib/krb5/get_cred.c: Print normal error code if no e_text is + available. + +Wed Jul 16 03:07:50 1997 Assar Westerlund + + * lib/krb5/get_in_tkt.c: implement `krb5_init_etype'. + Change encryption type of pa_enc_timestamp to DES-CBC-MD5 + + * lib/krb5/context.c: recognize all encryption types actually + implemented + + * lib/krb5/auth_context.c (krb5_auth_con_init): Change default + encryption type to `DES_CBC_MD5' + + * lib/krb5/read_message.c, write_message.c: new files + +Tue Jul 15 17:14:21 1997 Assar Westerlund + + * lib/asn1: replaced asn1_locl.h by `der_locl.h' and `gen_locl.h'. + + * lib/error/compile_et.awk: generate a prototype for the + `destroy_foo_error_table' function. + +Mon Jul 14 12:24:40 1997 Assar Westerlund + + * lib/krb5/krbhst.c (krb5_get_krbhst): Get all kdc's and try also + with `kerberos.REALM' + + * kdc/kerberos5.c, lib/krb5/rd_priv.c, lib/krb5/rd_safe.c: use + `max_skew' + + * lib/krb5/rd_req.c (krb5_verify_ap_req): record authenticator + subkey + + * lib/krb5/build_auth.c (krb5_build_authenticator): always + generate a subkey. + + * lib/krb5/address.c: implement `krb5_address_order' + + * lib/gssapi/import_name.c: Implement `gss_import_name' + + * lib/gssapi/external.c: Use new OID + + * lib/gssapi/encapsulate.c: New functions + `gssapi_krb5_encap_length' and `gssapi_krb5_make_header'. Changed + callers. + + * lib/gssapi/decapsulate.c: New function + `gssaspi_krb5_verify_header'. Changed callers. + + * lib/asn1/gen*.c: Give tags to generated structs. + Use `err' and `asprintf' + + * appl/test/gss_common.c: new file + + * appl/test/gssapi_server.c: removed all krb5 calls + + * appl/telnet/libtelnet/kerberos5.c: Add support for genering and + verifying checksums. Also start using session subkeys. + +Mon Jul 14 12:08:25 1997 Johan Danielsson + + * lib/krb5/rd_req.c (krb5_rd_req_with_keyblock): Split up. 
+ +Sun Jul 13 03:07:44 1997 Assar Westerlund + + * lib/krb5/rd_safe.c, mk_safe.c: made bug-compatible with MIT + + * lib/krb5/encrypt.c: new functions `DES_encrypt_null_ivec' and + `DES_encrypt_key_ivec' + + * lib/krb5/checksum.c: implement rsa-md4-des and rsa-md5-des + + * kdc/kerberos5.c (tgs_rep): support keyed checksums + + * lib/krb5/creds.c: new file + + * lib/krb5/get_in_tkt.c: better freeing + + * lib/krb5/context.c (krb5_free_context): more freeing + + * lib/krb5/config_file.c: New function `krb5_config_file_free' + + * lib/error/compile_et.awk: Generate a `destroy_' function. + + * kuser/kinit.c, klist.c: Don't leak memory. + +Sun Jul 13 02:46:27 1997 Johan Danielsson + + * kdc/connect.c: Check filedescriptor in select. + + * kdc/kerberos5.c: Remove most of the most common memory leaks. + + * lib/krb5/rd_req.c: Free allocated data. + + * lib/krb5/auth_context.c (krb5_auth_con_free): Free a lot of + fields. + +Sun Jul 13 00:32:16 1997 Assar Westerlund + + * appl/telnet: Conditionalize the krb4-support. + + * configure.in: Test for krb4 + +Sat Jul 12 17:14:12 1997 Assar Westerlund + + * kdc/kerberos5.c: check if the pre-auth was decrypted properly. + set the `pre_authent' flag + + * lib/krb5/get_cred.c, lib/krb5/get_in_tkt.c: generate a random nonce. + + * lib/krb5/encrypt.c: Made `generate_random_block' global. + + * appl/test: Added gssapi_client and gssapi_server. + + * lib/krb5/data.c: Add `krb5_data_zero' + + * appl/test/tcp_client.c: try `mk_safe' and `mk_priv' + + * appl/test/tcp_server.c: try `rd_safe' and `rd_priv' + +Sat Jul 12 16:45:58 1997 Johan Danielsson + + * lib/krb5/get_addrs.c: Fix for systems that has sa_len, but + returns zero length from SIOCGIFCONF. 
+ +Sat Jul 12 16:38:34 1997 Assar Westerlund + + * appl/test: new programs + + * lib/krb5/rd_req.c: add address compare + + * lib/krb5/mk_req_ext.c: allow no checksum + + * lib/krb5/keytab.c (krb5_kt_ret_string): 0-terminate string + + * lib/krb5/address.c: fix `krb5_address_compare' + +Sat Jul 12 15:03:16 1997 Johan Danielsson + + * lib/krb5/get_addrs.c: Fix ip4 address extraction. + + * kuser/klist.c: Add verbose flag, and split main into smaller + pieces. + + * lib/krb5/fcache.c: Save ticket flags. + + * lib/krb5/get_in_tkt.c (extract_ticket): Extract addresses and + flags. + + * lib/krb5/krb5.h: Add ticket_flags to krb5_creds. + +Sat Jul 12 13:12:48 1997 Assar Westerlund + + * configure.in: Call `AC_KRB_PROG_LN_S' + + * acinclude.m4: Add `AC_KRB_PROG_LN_S' from krb4 + +Sat Jul 12 00:57:01 1997 Johan Danielsson + + * lib/krb5/get_in_tkt.c: Use union of krb5_flags and KDCOptions to + pass options. + +Fri Jul 11 15:04:22 1997 Assar Westerlund + + * appl/telnet: telnet & telnetd seems to be working. + + * lib/krb5/config_file.c: Added krb5_config_v?get_list Fixed + krb5_config_vget_next + + * appl/telnet/libtelnet/kerberos5.c: update to current API + +Thu Jul 10 14:54:39 1997 Assar Westerlund + + * appl/telnet/libtelnet/kerberos5.c (kerberos5_status): call + `krb5_kuserok' + + * appl/telnet: Added. + +Thu Jul 10 05:09:25 1997 Johan Danielsson + + * lib/error/compile_et.awk: Remove usage of sub, gsub, and + functions for compatibility with awk. + + * include/bits.c: Must use signed char. + + * lib/krb5/context.c: Move krb5_get_err_text, and krb5_init_ets + here. + + * lib/error/error.c: Replace krb5_get_err_text with new function + com_right. + + * lib/error/compile_et.awk: Avoid using static variables. + + * lib/error/error.c: Don't use krb5_locl.h + + * lib/error/error.h: Move definitions of error_table and + error_list from krb5.h. + + * lib/error: Moved from lib/krb5. 
+ +Wed Jul 9 07:42:04 1997 Johan Danielsson + + * lib/krb5/encrypt.c: Temporary hack to avoid des_rand_data. + +Wed Jul 9 06:58:00 1997 Assar Westerlund + + * lib/krb5/{rd,mk}_{*}.c: more checking for addresses and stuff + according to pseudocode from 1510 + +Wed Jul 9 06:06:06 1997 Johan Danielsson + + * lib/hdb/hdb.c: Add hdb_etype2key. + + * kdc/kerberos5.c: Check authenticator. Use more general etype + functions. + +Wed Jul 9 03:51:12 1997 Assar Westerlund + + * lib/asn1/k5.asn1: Made all `s_address' OPTIONAL according to + draft-ietf-cat-kerberos-r-00.txt + + * lib/krb5/principal.c (krb5_parse_name): default to local realm + if none given + + * kuser/kinit.c: New option `-p' and prompt + +Wed Jul 9 02:30:06 1997 Johan Danielsson + + * lib/krb5/keyblock.c: Keyblock generation functions. + + * lib/krb5/encrypt.c: Use functions from checksum.c. + + * lib/krb5/checksum.c: Move checksum functions here. Add + krb5_cksumsize function. + +Wed Jul 9 01:15:38 1997 Assar Westerlund + + * lib/krb5/get_host_realm.c: implemented + + * lib/krb5/config_file.c: Redid part. New functions: + krb5_config_v?get_next + + * kuser/kdestroy.c: new program + + * kuser/kinit.c: new flag `-f' + + * lib/asn1/k5.asn1: Made HostAddresses = SEQUENCE OF HostAddress + + * acinclude.m4: Added AC_KRB_STRUCT_SOCKADDR_SA_LEN + + * lib/krb5/krb5.h: krb5_addresses == HostAddresses. Changed all + users. + + * lib/krb5/get_addrs.c: figure out all local addresses, possibly + even IPv6! + + * lib/krb5/checksum.c: table-driven checksum + +Mon Jul 7 21:13:28 1997 Johan Danielsson + + * lib/krb5/encrypt.c: Make krb5_decrypt use the same struct as + krb5_encrypt. + +Mon Jul 7 11:15:51 1997 Assar Westerlund + + * lib/roken/vsyslog.c: new file + + * lib/krb5/encrypt.c: add des-cbc-md4. + adjust krb5_encrypt and krb5_decrypt to reality + +Mon Jul 7 02:46:31 1997 Johan Danielsson + + * lib/krb5/encrypt.c: Implement as a vector of function pointers. 
+ + * lib/krb5/{decrypt,encrypt}.c: Implement des-cbc-crc, and + des-cbc-md5 in separate functions. + + * lib/krb5/krb5.h: Add more checksum and encryption types. + + * lib/krb5/krb5_locl.h: Add etype to krb5_decrypt. + +Sun Jul 6 23:02:59 1997 Assar Westerlund + + * lib/krb5/[gs]et_default_realm.c, kuserok.c: new files + + * lib/krb5/config_file.[ch]: new c-based configuration reading + stuff + +Wed Jul 2 23:12:56 1997 Assar Westerlund + + * configure.in: Set WFLAGS if using gcc + +Wed Jul 2 17:47:03 1997 Johan Danielsson + + * lib/asn1/der_put.c (der_put_int): Return size correctly. + + * admin/ank.c: Be compatible with the asn1 principal format. + +Wed Jul 1 23:52:20 1997 Johan Danielsson + + * lib/asn1: Now all decode_* and encode_* functions now take a + final size_t* argument, that they return the size in. Return + values are zero for success, and anything else (such as some + ASN1_* constant) for error. + +Mon Jun 30 06:08:14 1997 Assar Westerlund + + * lib/krb5/keytab.c (krb5_kt_add_entry): change open mode to + O_WRONLY | O_APPEND + + * lib/krb5/get_cred.c: removed stale prototype for + `extract_ticket' and corrected call. + + * lib/asn1/gen_length.c (length_type): Make the length functions + for SequenceOf non-destructive + + * admin/ank.c (doit): Fix reading of `y/n'. + +Mon Jun 16 05:41:43 1997 Assar Westerlund + + * lib/gssapi/wrap.c, unwrap.c: do encrypt and add sequence number + + * lib/gssapi/get_mic.c, verify_mic.c: Add sequence number. + + * lib/gssapi/accept_sec_context.c (gss_accept_sec_context): Set + KRB5_AUTH_CONTEXT_DO_SEQUENCE. Verify 8003 checksum. + + * lib/gssapi/8003.c: New file. + + * lib/krb/krb5.h: Define a `krb_authenticator' as an ASN.1 + Authenticator. + + * lib/krb5/auth_context.c: New functions + `krb5_auth_setlocalseqnumber' and `krb5_auth_setremoteseqnumber' + +Tue Jun 10 00:35:54 1997 Johan Danielsson + + * lib/krb5: Preapre for use of some asn1-types. + + * lib/asn1/*.c (copy_*): Constness. 
+ + * lib/krb5/krb5.h: Include asn1.h; krb5_data is now an + octet_string. + + * lib/asn1/der*,gen.c: krb5_data -> octet_string, char * -> + general_string + + * lib/asn1/libasn1.h: Moved stuff from asn1_locl.h that doesn't + have anything to do with asn1_compile. + + * lib/asn1/asn1_locl.h: Remove der.h. Add some prototypes. + +Sun Jun 8 03:51:55 1997 Assar Westerlund + + * kdc/kerberos5.c: Fix PA-ENC-TS-ENC + + * kdc/connect.c(process_request): Set `new' + + * lib/krb5/get_in_tkt.c: Do PA-ENC-TS-ENC the correct way. + + * lib: Added editline,sl,roken. + +Mon Jun 2 00:37:48 1997 Johan Danielsson + + * lib/krb5/fcache.c: Move file cache from cache.c. + + * lib/krb5/cache.c: Allow more than one cache type. + +Sun Jun 1 23:45:33 1997 Johan Danielsson + + * admin/extkeytab.c: Merged with kdb_edit. + +Sun Jun 1 23:23:08 1997 Assar Westerlund + + * kdc/kdc.c: more support for ENC-TS-ENC + + * lib/krb5/get_in_tkt.c: redone to enable pre-authentication + +Sun Jun 1 22:45:11 1997 Johan Danielsson + + * lib/hdb/db.c: Merge fetch and store. + + * admin: Merge to one program. + + * lib/krb5/str2key.c: Fill in keytype and length. + +Sun Jun 1 16:31:23 1997 Assar Westerlund + + * lib/krb5/rd_safe.c, lib/krb5/rd_priv.c, lib/krb5/mk_rep.c, + lib/krb5/mk_priv.c, lib/krb5/build_auth.c: Some support for + KRB5_AUTH_CONTEXT_DO_SEQUENCE + + * lib/krb5/get_in_tkt.c (get_in_tkt): be prepared to parse an + KRB_ERROR. Some support for PA_ENC_TS_ENC. + + * lib/krb5/auth_context.c: implemented seq_number functions + + * lib/krb5/generate_subkey.c, generate_seq_number.c: new files + + * lib/gssapi/gssapi.h: avoid including + + * lib/asn1/Makefile.am: SUFFIXES as a variable to make automake + happy + + * kdc/kdc.c: preliminary PREAUTH_ENC_TIMESTAMP + + * configure.in: adapted to automake 1.1p + +Mon May 26 22:26:21 1997 Johan Danielsson + + * lib/krb5/principal.c: Add contexts to many functions. 
+ +Thu May 15 20:25:37 1997 Johan Danielsson + + * lib/krb5/verify_user.c: First stab at a verify user. + + * lib/auth/sia/sia5.c: SIA module for Kerberos 5. + +Mon Apr 14 00:09:03 1997 Assar Westerlund + + * lib/gssapi: Enough of a gssapi-over-krb5 implementation to be + able to (mostly) run gss-client and gss-server. + + * lib/krb5/keytab.c: implemented krb5_kt_add_entry, + krb5_kt_store_principal, krb5_kt_store_keyblock + + * lib/des/md5.[ch], sha.[ch]: new files + + * lib/asn1/der_get.c (generalizedtime2time): use `timegm' + + * lib/asn1/timegm.c: new file + + * admin/extkeytab.c: new program + + * admin/admin_locl.h: new file + + * admin/Makefile.am: Added extkeytab + + * configure.in: moved config to include + removed timezone garbage + added lib/gssapi and admin + + * Makefile.am: Added admin + +Mon Mar 17 11:34:05 1997 Johan Danielsson + + * kdc/kdc.c: Use new copying functions, and free some data. + + * lib/asn1/Makefile.am: Try to not always rebuild generated files. + + * lib/asn1/der_put.c: Add fix_dce(). + + * lib/asn1/der_{get,length,put}.c: Fix include files. + + * lib/asn1/der_free.c: Remove unused functions. + + * lib/asn1/gen.c: Split into gen_encode, gen_decode, gen_free, + gen_length, and gen_copy. + +Sun Mar 16 18:13:52 1997 Assar Westerlund + + * lib/krb5/sendauth.c: implemented functionality + + * lib/krb5/rd_rep.c: Use `krb5_decrypt' + + * lib/krb5/cache.c (krb5_cc_get_name): return default if `id' == + NULL + + * lib/krb5/principal.c (krb5_free_principal): added `context' + argument. Changed all callers. + + (krb5_sname_to_principal): new function + + * lib/krb5/auth_context.c (krb5_free_authenticator): add `context' + argument. Changed all callers + + * lib/krb5/{net_write.c,net_read.c,recvauth.c}: new files + + * lib/asn1/gen.c: Fix encoding and decoding of BitStrings + +Fri Mar 14 11:29:00 1997 Assar Westerlund + + * configure.in: look for *dbm? + + * lib/asn1/gen.c: Fix filename in generated files. Check fopens. 
+ Put trailing newline in asn1_files. + +Fri Mar 14 05:06:44 1997 Johan Danielsson + + * lib/krb5/get_in_tkt.c: Fix some memory leaks. + + * lib/krb5/krbhst.c: Properly free hostlist. + + * lib/krb5/decrypt.c: CRCs are 32 bits. + +Fri Mar 14 04:39:15 1997 Johan Danielsson + + * lib/asn1/gen.c: Generate one file for each type. + +Fri Mar 14 04:13:47 1997 Assar Westerlund + + * lib/asn1/gen.c: Generate `length_FOO' functions + + * lib/asn1/der_length.c: new file + + * kuser/klist.c: renamed stime -> printable_time to avoid conflict + on HP/UX + +Fri Mar 14 03:37:23 1997 Johan Danielsson + + * lib/hdb/ndbm.c: Return NOENTRY if fetch fails. Don't free + datums. Don't add .db to filename. + +Fri Mar 14 02:49:51 1997 Johan Danielsson + + * kdc/dump.c: Database dump program. + + * kdc/ank.c: Trivial database editing program. + + * kdc/{kdc.c, load.c}: Use libhdb. + + * lib/hdb: New database routine library. + + * lib/krb5/error/Makefile.am: Add hdb_err. + +Wed Mar 12 17:41:14 1997 Johan Danielsson + + * kdc/kdc.c: Rewritten AS, and somewhat more working TGS support. + + * lib/asn1/gen.c: Generate free functions. + + * Some specific free functions. + +Wed Mar 12 12:30:13 1997 Assar Westerlund + + * lib/krb5/krb5_mk_req_ext.c: new file + + * lib/asn1/gen.c: optimize the case with a simple type + + * lib/krb5/get_cred.c (krb5_get_credentials): Use + `mk_req_extended' and remove old code. + + * lib/krb5/get_in_tkt.c (decrypt_tkt): First try with an + EncASRepPart, then with an EncTGSRepPart. + +Wed Mar 12 08:26:04 1997 Johan Danielsson + + * lib/krb5/store_emem.c: New resizable memory storage. + + * lib/krb5/{store.c, store_fd.c, store_mem.c}: Split of store.c + + * lib/krb5/krb5.h: Add free entry to krb5_storage. + + * lib/krb5/decrypt.c: Make keyblock const. + +Tue Mar 11 20:22:17 1997 Johan Danielsson + + * lib/krb5/krb5.h: Add EncTicketPart to krb5_ticket. + + * lib/krb5/rd_req.c: Return whole asn.1 ticket in + krb5_ticket->tkt. 
+ + * lib/krb5/get_in_tkt.c: TGS -> AS + + * kuser/kfoo.c: Print error string rather than number. + + * kdc/kdc.c: Some kind of non-working TGS support. + +Mon Mar 10 01:43:22 1997 Assar Westerlund + + * lib/asn1/gen.c: reduced generated code by 1/5 + + * lib/asn1/der_put.c: (der_put_length_and_tag): new function + + * lib/asn1/der_get.c (der_match_tag_and_length): new function + + * lib/asn1/der.h: added prototypes + +Mon Mar 10 01:15:43 1997 Johan Danielsson + + * lib/krb5/krb5.h: Include . Add prototype for + krb5_rd_req_with_keyblock. + + * lib/krb5/rd_req.c: Add function krb5_rd_req_with_keyblock that + takes a precomputed keyblock. + + * lib/krb5/get_cred.c: Use krb5_mk_req rather than inlined code. + + * lib/krb5/mk_req.c: Calculate checksum of in_data. + +Sun Mar 9 21:17:58 1997 Johan Danielsson + + * lib/krb5/error/compile_et.awk: Add a declaration of struct + error_list, and multiple inclusion block to header files. + +Sun Mar 9 21:01:12 1997 Assar Westerlund + + * lib/krb5/rd_req.c: do some checks on times + + * lib/krb/{mk_priv.c, rd_priv.c, sendauth.c, decrypt.c, + address.c}: new files + + * lib/krb5/auth_context.c: more code + + * configure.in: try to figure out timezone + +Sat Mar 8 11:41:07 1997 Johan Danielsson + + * lib/krb5/error/error.c: Try strerror if error code wasn't found. + + * lib/krb5/get_in_tkt.c: Remove realm parameter from + krb5_get_salt. + + * lib/krb5/context.c: Initialize error table. + + * kdc: The beginnings of a kdc. + +Sat Mar 8 08:16:28 1997 Assar Westerlund + + * lib/krb5/rd_safe.c: new file + + * lib/krb5/checksum.c (krb5_verify_checksum): New function + + * lib/krb5/get_cred.c: use krb5_create_checksum + + * lib/krb5/checksum.c: new file + + * lib/krb5/store.c: no more arithmetic with void* + + * lib/krb5/cache.c: now seems to work again + +Sat Mar 8 06:58:09 1997 Johan Danielsson + + * lib/krb5/Makefile.am: Add asn1_glue.c and error/*.c to libkrb5. + + * lib/krb5/get_in_tkt.c: Moved some functions to asn1_glue.c. 
+ + * lib/krb5/asn1_glue.c: Moved some asn1-stuff here. + + * lib/krb5/{cache,keytab}.c: Use new storage functions. + + * lib/krb5/krb5.h: Protypes for new storage functions. + + * lib/krb5/krb5.h: Make krb5_{ret,store}_* functions able to write + data to more than file descriptors. + +Sat Mar 8 01:01:17 1997 Assar Westerlund + + * lib/krb5/encrypt.c: New file. + + * lib/krb5/Makefile.am: More -I + + * configure.in: Test for big endian, random, rand, setitimer + + * lib/asn1/gen.c: perhaps even decodes bitstrings + +Thu Mar 6 19:05:29 1997 Johan Danielsson + + * lib/krb5/config_file.y: Better return values on error. + +Sat Feb 8 15:59:56 1997 Assar Westerlund + + * lib/asn1/parse.y: ifdef HAVE_STRDUP + + * lib/asn1/lex.l: ifdef strdup + brange-dead version of list of special characters to make stupid + lex accept it. + + * lib/asn1/gen.c: A DER integer should really be a `unsigned' + + * lib/asn1/der_put.c: A DER integer should really be a `unsigned' + + * lib/asn1/der_get.c: A DER integer should really be a `unsigned' + + * lib/krb5/error/Makefile.am: It seems "$(SHELL) ./compile_et" is + needed. + + * lib/krb/mk_rep.c, lib/krb/rd_req.c, lib/krb/store.c, + lib/krb/store.h: new files. + + * lib/krb5/keytab.c: now even with some functionality. + + * lib/asn1/gen.c: changed paramater from void * to Foo * + + * lib/asn1/der_get.c (der_get_octet_string): Fixed bug with empty + string. + +Sun Jan 19 06:17:39 1997 Assar Westerlund + + * lib/krb5/get_cred.c (krb5_get_credentials): Check for creds in + cc before getting new ones. + + * lib/krb5/krb5.h (krb5_free_keyblock): Fix prototype. + + * lib/krb5/build_auth.c (krb5_build_authenticator): It seems the + CRC should be stored LSW first. (?) 
+ + * lib/krb5/auth_context.c: Implement `krb5_auth_con_getkey' and + `krb5_free_keyblock' + + * lib/**/Makefile.am: Rename foo libfoo.a + + * include/Makefile.in: Use test instead of [ + -e does not work with /bin/sh on psoriasis + + * configure.in: Search for awk + create lib/krb/error/compile_et + +Tue Jan 14 03:46:26 1997 Assar Westerlund + + * lib/krb5/Makefile.am: replaced mit-crc.c by crc.c + +Wed Dec 18 00:53:55 1996 Johan Danielsson + + * kuser/kinit.c: Guess principal. + + * lib/krb5/error/compile_et.awk: Don't include krb5.h. Fix some + warnings. + + * lib/krb5/error/asn1_err.et: Add ASN.1 error messages. + + * lib/krb5/mk_req.c: Get client from cache. + + * lib/krb5/cache.c: Add better error checking some useful return + values. + + * lib/krb5/krb5.h: Fix krb5_auth_context. + + * lib/asn1/der.h: Make krb5_data compatible with krb5.h + +Tue Dec 17 01:32:36 1996 Johan Danielsson + + * lib/krb5/error: Add primitive error library. + +Mon Dec 16 16:30:20 1996 Johan Danielsson + + * lib/krb5/cache.c: Get correct address type from cache. + + * lib/krb5/krb5.h: Change int16 to int to be compatible with asn1. + diff --git a/third_party/heimdal/ChangeLog.1999 b/third_party/heimdal/ChangeLog.1999 new file mode 100644 index 0000000..e022b96 --- /dev/null +++ b/third_party/heimdal/ChangeLog.1999 
@@ -0,0 +1,2194 @@ +1999-12-30 Assar Westerlund + + * configure.in (krb4): use `-ldes' in tests + +1999-12-26 Assar Westerlund + + * lib/hdb/print.c (event2string): handle events without principal. + From Luke Howard + +1999-12-25 Assar Westerlund + + * Release 0.2j + +Tue Dec 21 18:03:17 1999 Assar Westerlund + + * lib/hdb/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and + related systems + + * lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) for cygwin and + related systems + + * include/Makefile.am (krb5-types.h): add $(EXEEXT) for cygwin and + related systems + +1999-12-20 Assar Westerlund + + * Release 0.2i + +1999-12-20 Assar Westerlund + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to 6:3:1 + + * lib/krb5/send_to_kdc.c (send_via_proxy): free data + * lib/krb5/send_to_kdc.c (send_via_proxy): new function use + getaddrinfo instead of gethostbyname{,2} + * lib/krb5/get_for_creds.c: use getaddrinfo instead of + getnodebyname{,2} + +1999-12-17 Assar Westerlund + + * Release 0.2h + +1999-12-17 Assar Westerlund + + * Release 0.2g + +1999-12-16 Assar Westerlund + + * lib/krb5/Makefile.am: bump version to 6:2:1 + + * lib/krb5/principal.c (krb5_sname_to_principal): handle + ai_canonname not being set + * lib/krb5/expand_hostname.c (krb5_expand_hostname): handle + ai_canonname not being set + + * appl/test/uu_server.c: print messages to stderr + * appl/test/tcp_server.c: print messages to stderr + * appl/test/nt_gss_server.c: print messages to stderr + * appl/test/gssapi_server.c: print messages to stderr + + * appl/test/tcp_client.c (proto): remove shadowing `context' + * appl/test/common.c (client_doit): add forgotten ntohs + +1999-12-13 Assar Westerlund + + * configure.in (VERISON): bump to 0.2g-pre + +1999-12-12 Assar Westerlund + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): be more + robust and handle extra dot at the beginning of default_domain + +1999-12-12 Assar Westerlund + + * Release 0.2f + +1999-12-12 Assar Westerlund + + * 
lib/krb5/Makefile.am: bump version to 6:1:1 + + * lib/krb5/changepw.c (get_kdc_address): use + `krb5_get_krb_changepw_hst' + + * lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): add + + * lib/krb5/get_host_realm.c: add support for _kerberos.domain + (according to draft-ietf-cat-krb-dns-locate-01.txt) + +1999-12-06 Assar Westerlund + + * Release 0.2e + +1999-12-06 Assar Westerlund + + * lib/krb5/changepw.c (krb5_change_password): use the correct + address + + * lib/krb5/Makefile.am: bump version to 6:0:1 + + * lib/asn1/Makefile.am: bump version to 1:4:0 + +1999-12-04 Assar Westerlund + + * configure.in: move AC_KRB_IPv6 to make sure it's performed + before AC_BROKEN + (el_init): use new feature of AC_FIND_FUNC_NO_LIBS + + * appl/test/uu_client.c: use client_doit + * appl/test/test_locl.h (client_doit): add prototype + * appl/test/tcp_client.c: use client_doit + * appl/test/nt_gss_client.c: use client_doit + * appl/test/gssapi_client.c: use client_doit + * appl/test/common.c (client_doit): move identical code here and + start using getaddrinfo + + * appl/kf/kf.c (doit): rewrite to use getaddrinfo + * kdc/hprop.c: re-write to use getaddrinfo + * lib/krb5/principal.c (krb5_sname_to_principal): use getaddrinfo + * lib/krb5/expand_hostname.c (krb5_expand_hostname): use + getaddrinfo + * lib/krb5/changepw.c: re-write to use getaddrinfo + * lib/krb5/addr_families.c (krb5_parse_address): use getaddrinfo + +1999-12-03 Assar Westerlund + + * configure.in (BROKEN): check for freeaddrinfo, getaddrinfo, + getnameinfo, gai_strerror + (socklen_t): check for + +1999-12-02 Johan Danielsson + + * lib/krb5/crypto.c: ARCFOUR_set_key -> RC4_set_key + +1999-11-23 Assar Westerlund + + * lib/krb5/crypto.c (ARCFOUR_string_to_key): change order of bytes + within unicode characters. this should probably be done in some + arbitrarly complex way to do it properly and you would have to + know what character encoding was used for the password and salt + string. 
+ + * lib/krb5/addr_families.c (ipv4_uninteresting): ignore 0.0.0.0 + (INADDR_ANY) + (ipv6_uninteresting): remove unused macro + +1999-11-22 Johan Danielsson + + * lib/krb5/krb5.h: rc4->arcfour + + * lib/krb5/crypto.c: rc4->arcfour + +1999-11-17 Assar Westerlund + + * lib/krb5/krb5_locl.h: add + * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_RC4 + * lib/krb5/crypto.c: some code for doing RC4/MD5/HMAC which might + not be totally different from some small company up in the + north-west corner of the US + + * lib/krb5/get_addrs.c (find_all_addresses): change code to + actually increment buf_size + +1999-11-14 Assar Westerlund + + * lib/krb5/krb5.h (krb5_context_data): add `scan_interfaces' + * lib/krb5/get_addrs.c (krb5_get_all_client_addrs): make interaces + scanning optional + * lib/krb5/context.c (init_context_from_config_file): set + `scan_interfaces' + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add add_et_list.c + * lib/krb5/add_et_list.c (krb5_add_et_list): new function + +1999-11-12 Assar Westerlund + + * lib/krb5/get_default_realm.c (krb5_get_default_realm, + krb5_get_default_realms): set realms if they were unset + * lib/krb5/context.c (init_context_from_config_file): don't + initialize default realms here. it's done lazily instead. + + * lib/krb5/krb5.h (KRB5_TC_*): make constants unsigned + * lib/asn1/gen_glue.c (generate_2int, generate_units): make sure + bit constants are unsigned + * lib/asn1/gen.c (define_type): make length in sequences be + unsigned. + + * configure.in: remove duplicate test for setsockopt test for + struct tm.tm_isdst + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): generate + preauthentication information if we get back ERR_PREAUTH_REQUIRED + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): remove + preauthentication generation code. 
it's now in krb5_get_in_cred + + * configure.in (AC_BROKEN_SNPRINTF): add strptime check for struct + tm.tm_gmtoff and timezone + +1999-11-11 Johan Danielsson + + * kdc/main.c: make this work with multi-db + + * kdc/kdc_locl.h: make this work with multi-db + + * kdc/config.c: make this work with multi-db + +1999-11-09 Johan Danielsson + + * kdc/misc.c: update for multi-database code + + * kdc/main.c: update for multi-database code + + * kdc/kdc_locl.h: update + + * kdc/config.c: allow us to have more than one database + +1999-11-04 Assar Westerlund + + * Release 0.2d + + * lib/krb5/Makefile.am: bump version to 5:0:0 to be safe + (krb5_context_data has changed and some code do (might) access + fields directly) + + * lib/krb5/krb5.h (krb5_context_data): add `etypes_des' + + * lib/krb5/get_cred.c (init_tgs_req): use + krb5_keytype_to_enctypes_default + + * lib/krb5/crypto.c (krb5_keytype_to_enctypes_default): new + function + + * lib/krb5/context.c (set_etypes): new function + (init_context_from_config_file): set both `etypes' and `etypes_des' + +1999-11-02 Assar Westerlund + + * configure.in (VERSION): bump to 0.2d-pre + +1999-10-29 Assar Westerlund + + * lib/krb5/principal.c (krb5_parse_name): check memory allocations + +1999-10-28 Assar Westerlund + + * Release 0.2c + + * lib/krb5/dump_config.c (print_tree): check for empty tree + + * lib/krb5/string-to-key-test.c (tests): update the test cases + with empty principals so that they actually use an empty realm and + not the default. 
use the correct etype for 3DES + + * lib/krb5/Makefile.am: bump version to 4:1:0 + + * kdc/config.c (configure): more careful with the port string + +1999-10-26 Assar Westerlund + + * Release 0.2b + +1999-10-20 Assar Westerlund + + * lib/krb5/Makefile.am: bump version to 4:0:0 + (krb524_convert_creds_kdc and potentially some other functions + have changed prototypes) + + * lib/hdb/Makefile.am: bump version to 4:0:1 + + * lib/asn1/Makefile.am: bump version to 1:3:0 + + * configure.in (LIB_roken): add dbopen. getcap in roken + references dbopen and with shared libraries we need to add this + dependency. + + * lib/krb5/verify_krb5_conf.c (main): support speicifying the + configuration file to test on the command line + + * lib/krb5/config_file.c (parse_binding): handle line with no + whitespace before = + (krb5_config_parse_file_debug): set lineno earlier so that we don't + use it unitialized + + * configure.in (AM_INIT_AUTOMAKE): bump to 0.2b-pre opt*: need + more include files for these tests + + * lib/krb5/set_default_realm.c (krb5_set_default_realm): use + krb5_config_get_strings, which means that your configuration file + should look like: + + [libdefaults] + default_realm = realm1 realm2 realm3 + + * lib/krb5/set_default_realm.c (config_binding_to_list): fix + copy-o. From Michal Vocu + + * kdc/config.c (configure): add a missing strdup. From Michal + Vocu + +1999-10-17 Assar Westerlund + + * Release 0.2a + + * configure.in: only test for db.h with using berkeley_db. remember + to link with LIB_tgetent when checking for el_init. 
add xnlock + + * appl/Makefile.am: add xnlock + + * kdc/kerberos5.c (find_etype): support null keys + + * kdc/kerberos4.c (get_des_key): support null keys + + * lib/krb5/crypto.c (krb5_get_wrapped_length): more correct + calculation + +1999-10-16 Johan Danielsson + + * kuser/kinit.c (main): pass ccache to krb524_convert_creds_kdc + +1999-10-12 Johan Danielsson + + * lib/krb5/crypto.c (krb5_enctype_to_keytype): remove warning + +1999-10-10 Assar Westerlund + + * lib/krb5/mk_req.c (krb5_mk_req): use krb5_free_host_realm + + * lib/krb5/krb5.h (krb5_ccache_data): make `ops' const + + * lib/krb5/crypto.c (krb5_string_to_salttype): new function + + * **/*.[ch]: const-ize + +1999-10-06 Assar Westerlund + + * lib/krb5/creds.c (krb5_compare_creds): const-ify + + * lib/krb5/cache.c: clean-up and comment-up + + * lib/krb5/copy_host_realm.c (krb5_copy_host_realm): copy all the + strings + + * lib/krb5/verify_user.c (krb5_verify_user_lrealm): free the + correct realm part + + * kdc/connect.c (handle_tcp): things work much better when ret is + initialized + +1999-10-03 Assar Westerlund + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): look at the + type of the session key + + * lib/krb5/crypto.c (krb5_enctypes_compatible_keys): spell + correctly + + * lib/krb5/creds.c (krb5_compare_creds): fix spelling of + krb5_enctypes_compatible_keys + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): get new + credentials from the KDC if the existing one doesn't have a DES + session key. 
+ + * lib/45/get_ad_tkt.c (get_ad_tkt): update to new + krb524_convert_creds_kdc + +1999-10-03 Johan Danielsson + + * lib/krb5/keytab_keyfile.c: make krb5_akf_ops const + + * lib/krb5/keytab_memory.c: make krb5_mkt_ops const + + * lib/krb5/keytab_file.c: make krb5_fkt_ops const + +1999-10-01 Assar Westerlund + + * lib/krb5/config_file.c: rewritten to allow error messages + + * lib/krb5/Makefile.am (bin_PROGRAMS): add verify_krb5_conf + (libkrb5_la_SOURCES): add config_file_netinfo.c + + * lib/krb5/verify_krb5_conf.c: new program for verifying that + krb5.conf is corret + + * lib/krb5/config_file_netinfo.c: moved netinfo code here from + config_file.c + +1999-09-28 Assar Westerlund + + * kdc/hpropd.c (dump_krb4): kludge default_realm + + * lib/asn1/check-der.c: add test cases for Generalized time and + make sure we return the correct value + + * lib/asn1/der_put.c: simplify by using der_put_length_and_tag + + * lib/krb5/verify_user.c (krb5_verify_user_lrealm): ariant of + krb5_verify_user that tries in all the local realms + + * lib/krb5/set_default_realm.c: add support for having several + default realms + + * lib/krb5/kuserok.c (krb5_kuserok): use `krb5_get_default_realms' + + * lib/krb5/get_default_realm.c (krb5_get_default_realms): add + + * lib/krb5/krb5.h (krb5_context_data): change `default_realm' to + `default_realms' + + * lib/krb5/context.c: change from `default_realm' to + `default_realms' + + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use + krb5_get_default_realms + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add copy_host_realm.c + + * lib/krb5/copy_host_realm.c: new file + +1999-09-27 Johan Danielsson + + * lib/asn1/der_put.c (encode_generalized_time): encode length + + * lib/krb5/recvauth.c: new function `krb5_recvauth_match_version' + that allows more intelligent matching of the application version + +1999-09-26 Assar Westerlund + + * lib/asn1/asn1_print.c: add err.h + + * kdc/config.c (configure): use parse_bytes + + * 
appl/test/nt_gss_common.c: use the correct header file + +1999-09-24 Johan Danielsson + + * kuser/klist.c: add a `--cache' flag + + * kuser/kinit.c (main): only get default value for `get_v4_tgt' if + it's explicitly set in krb5.conf + +1999-09-23 Assar Westerlund + + * lib/asn1/asn1_print.c (tag_names); add another univeral tag + + * lib/asn1/der.h: update universal tags + +1999-09-22 Assar Westerlund + + * lib/asn1/asn1_print.c (loop): print length of octet string + +1999-09-21 Johan Danielsson + + * admin/ktutil.c (kt_get): add `--help' + +1999-09-21 Assar Westerlund + + * kuser/Makefile.am: add kdecode_ticket + + * kuser/kdecode_ticket.c: new debug program + + * appl/test/nt_gss_server.c: new program to test against `Sample * + SSPI Code' in Windows 2000 RC1 SDK. + + * appl/test/Makefile.am: add nt_gss_client and nt_gss_server + + * lib/asn1/der_get.c (decode_general_string): remember to advance + ret over the length-len + + * lib/asn1/Makefile.am: add asn1_print + + * lib/asn1/asn1_print.c: new program for printing DER-structures + + * lib/asn1/der_put.c: make functions more consistent + + * lib/asn1/der_get.c: make functions more consistent + +1999-09-20 Johan Danielsson + + * kdc/kerberos5.c: be more informative in pa-data error messages + +1999-09-16 Assar Westerlund + + * configure.in: test for strlcpy, strlcat + +1999-09-14 Assar Westerlund + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): return + KRB5_LIBOS_PWDINTR when interrupted + + * lib/krb5/get_in_tkt_pw.c (krb5_password_key_proc): check return + value from des_read_pw_string + + * kuser/kinit.c (main): don't print any error if reading the + password was interrupted + + * kpasswd/kpasswd.c (main): don't print any error if reading the + password was interrupted + + * kdc/string2key.c (main): check the return value from fgets + + * kdc/kstash.c (main): check return value from des_read_pw_string + + * admin/ktutil.c (kt_add): check the return-value from fgets and + overwrite the password 
for paranoid reasons + + * lib/krb5/keytab_keyfile.c (get_cell_and_realm): only remove the + newline if it's there + +1999-09-13 Assar Westerlund + + * kdc/hpropd.c (main): remove bogus error with `--print'. remove + sysloging of number of principals transferred + + * kdc/hprop.c (ka_convert): set flags correctly for krbtgt/CELL + principals + (main): get rid of bogus opening of hdb database when propagating + ka-server database + +1999-09-12 Assar Westerlund + + * lib/krb5/krb5_locl.h (O_BINARY): add fallback definition + + * lib/krb5/krb5.h (krb5_context_data): add keytab types + + * configure.in: revert back awk test, not worked around in + roken.awk + + * lib/krb5/keytab_krb4.c: remove O_BINARY + + * lib/krb5/keytab_keyfile.c: some support for AFS KeyFile's. From + Love + + * lib/krb5/keytab_file.c: remove O_BINARY + + * lib/krb5/keytab.c: move the list of keytab types to the context + + * lib/krb5/fcache.c: remove O_BINARY + + * lib/krb5/context.c (init_context_from_config_file): register all + standard cache and keytab types + (krb5_free_context): free `kt_types' + + * lib/krb5/cache.c (krb5_cc_resolve): move the registration of the + standard types of credential caches to context + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_keyfile.c + +1999-09-10 Assar Westerlund + + * lib/krb5/keytab.c: add comments and clean-up + + * admin/ktutil.c: add `ktutil copy' + + * lib/krb5/keytab_krb4.c: new file + + * lib/krb5/krb5.h (krb5_kt_cursor): add a `data' field + + * lib/krb5/Makefile.am: add keytab_krb4.c + + * lib/krb5/keytab.c: add krb4 and correct some if's + + * admin/srvconvert.c (srvconv): move common code + + * lib/krb5/krb5.h (krb5_fkt_ops, krb5_mkt_ops): new variables + + * lib/krb5/keytab.c: move out file and memory functions + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_file.c, + keytab_memory.c + + * lib/krb5/keytab_memory.c: new file + + * lib/krb5/keytab_file.c: new file + + * kpasswd/kpasswdd.c: move out password quality 
functions + +1999-09-07 Assar Westerlund + + * lib/hdb/Makefile.am (libhdb_la_SOURCES): add keytab.c. From + Love + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): check + return value from `krb5_sendto_kdc' + +1999-09-06 Assar Westerlund + + * lib/krb5/send_to_kdc.c (send_and_recv): rename to recv_loop and + remove the sending of data. add a parameter `limit'. let callers + send the date themselves (and preferably with net_write on tcp + sockets) + (send_and_recv_tcp): read first the length field and then only that + many bytes + +1999-09-05 Assar Westerlund + + * kdc/connect.c (handle_tcp): try to print warning `TCP data of + strange type' less often + + * lib/krb5/send_to_kdc.c (send_and_recv): handle EINTR properly. + return on EOF. always free data. check return value from + realloc. + (send_and_recv_tcp, send_and_recv_http): check advertised length + against actual length + +1999-09-01 Johan Danielsson + + * configure.in: check for sgi capabilities + +1999-08-27 Johan Danielsson + + * lib/krb5/get_addrs.c: krb5_get_all_server_addrs shouldn't return + extra addresses + + * kpasswd/kpasswdd.c: use HDB keytabs; change some error messages; + add --realm flag + + * lib/krb5/address.c (krb5_append_addresses): remove duplicates + +1999-08-26 Johan Danielsson + + * lib/hdb/keytab.c: HDB keytab backend + +1999-08-25 Johan Danielsson + + * lib/krb5/keytab.c + (krb5_kt_{start_seq_get,next_entry,end_seq_get}): check for NULL + pointer + +1999-08-24 Johan Danielsson + + * kpasswd/kpasswdd.c: add `--keytab' flag + +1999-08-23 Assar Westerlund + + * lib/krb5/addr_families.c (IN6_ADDR_V6_TO_V4): use `s6_addr' + instead of the non-standard `s6_addr32'. 
From Yoshinobu Inoue + by way of the KAME repository + +1999-08-18 Assar Westerlund + + * configure.in (--enable-new-des3-code): remove check for `struct + addrinfo' + + * lib/krb5/crypto.c (etypes): remove NEW_DES3_CODE, enable + des3-cbc-sha1 and keep old-des3-cbc-sha1 for backwards + compatability + + * lib/krb5/krb5.h (krb5_enctype): des3-cbc-sha1 (with key + derivation) just got assigned etype 16 by . keep the + old etype at 7. + +1999-08-16 Assar Westerlund + + * lib/krb5/sendauth.c (krb5_sendauth): only look at errno if + krb5_net_read actually returns -1 + + * lib/krb5/recvauth.c (krb5_recvauth): only look at errno if + krb5_net_read actually returns -1 + + * appl/kf/kf.c (proto): don't trust errno if krb5_net_read hasn't + returned -1 + + * appl/test/tcp_server.c (proto): only trust errno if + krb5_net_read actually returns -1 + + * appl/kf/kfd.c (proto): be more careful with the return value + from krb5_net_read + +1999-08-13 Assar Westerlund + + * lib/krb5/get_addrs.c (get_addrs_int): try the different ways + sequentially instead of just one. this helps if your heimdal was + built with v6-support but your kernel doesn't have it, for + example. + +1999-08-12 Assar Westerlund + + * kdc/hpropd.c: add inetd flag. default means try to figure out + if stdin is a socket or not. 
+ + * Makefile.am (ACLOCAL): just use `cf', this variable is only used + when the current directory is $(top_srcdir) anyways and having + $(top_srcdir) there breaks if it's a relative path + +1999-08-09 Johan Danielsson + + * configure.in: check for setproctitle + +1999-08-05 Assar Westerlund + + * lib/krb5/principal.c (krb5_sname_to_principal): remember to call + freehostent + + * appl/test/tcp_client.c: call freehostent + + * appl/kf/kf.c (doit): call freehostent + + * appl/kf/kf.c: make v6 friendly and simplify + + * appl/kf/kfd.c: make v6 friendly and simplify + + * appl/test/tcp_server.c: simplify by using krb5_err instead of + errx + + * appl/test/tcp_client.c: simplify by using krb5_err instead of + errx + + * appl/test/tcp_server.c: make v6 friendly and simplify + + * appl/test/tcp_client.c: make v6 friendly and simplify + +1999-08-04 Assar Westerlund + + * Release 0.1m + +1999-08-04 Assar Westerlund + + * kuser/kinit.c (main): some more KRB4-conditionalizing + + * lib/krb5/get_in_tkt.c: type correctness + + * lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): set forwarded in + flags. From Miroslav Ruda + + * kuser/kinit.c (main): add config file support for forwardable + and krb4 support. From Miroslav Ruda + + * kdc/kerberos5.c (as_rep): add an empty X500-compress string as + transited. + (fix_transited_encoding): check length. + From Miroslav Ruda + + * kdc/hpropd.c (dump_krb4): check the realm so that we don't dump + principals in some other realm. From Miroslav Ruda + + (main): rename sa_len -> sin_len, sa_lan is a define on some + platforms. + + * appl/kf/kfd.c: add regpag support. From Miroslav Ruda + + + * appl/kf/kf.c: add `-G' and forwardable option in krb5.conf. 
+ From Miroslav Ruda + + * lib/krb5/config_file.c (parse_list): don't run past end of line + + * appl/test/gss_common.h: new prototypes + + * appl/test/gssapi_client.c: use gss_err instead of abort + + * appl/test/gss_common.c (gss_verr, gss_err): add + +1999-08-03 Assar Westerlund + + * lib/krb5/Makefile.am (n_fold_test_LDADD): need to set this + otherwise it doesn't build with shared libraries + + * kdc/hpropd.c: v6-ify + + * kdc/hprop.c: v6-ify + +1999-08-01 Assar Westerlund + + * lib/krb5/mk_req.c (krb5_mk_req): use krb5_expand_hostname + +1999-07-31 Assar Westerlund + + * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): new + function that takes a FQDN + + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add exapnd_hostname.c + + * lib/krb5/expand_hostname.c: new file + +1999-07-28 Assar Westerlund + + * Release 0.1l + +1999-07-28 Assar Westerlund + + * lib/asn1/Makefile.am: bump version to 1:2:0 + + * lib/krb5/Makefile.am: bump version to 3:1:0 + + * configure.in: more inet_pton to roken + + * lib/krb5/principal.c (krb5_sname_to_principal): use + getipnodebyname + +1999-07-26 Assar Westerlund + + * Release 0.1k + +1999-07-26 Johan Danielsson + + * lib/krb5/Makefile.am: bump version number (changed function + signatures) + + * lib/hdb/Makefile.am: bump version number (changes to some + function signatures) + +1999-07-26 Assar Westerlund + + * lib/krb5/Makefile.am: bump version to 3:0:2 + + * lib/hdb/Makefile.am: bump version to 2:1:0 + + * lib/asn1/Makefile.am: bump version to 1:1:0 + +1999-07-26 Assar Westerlund + + * Release 0.1j + +1999-07-26 Assar Westerlund + + * configure.in: rokenize inet_ntop + + * lib/krb5/store_fd.c: lots of changes from size_t to ssize_t + + * lib/krb5/store_mem.c: lots of changes from size_t to ssize_t + + * lib/krb5/store_emem.c: lots of changes from size_t to ssize_t + + * lib/krb5/store.c: lots of changes from size_t to ssize_t + (krb5_ret_stringz): check return value from realloc + + * lib/krb5/mk_safe.c: some type correctness 
+ + * lib/krb5/mk_priv.c: some type correctness + + * lib/krb5/krb5.h (krb5_storage): change return values of + functions from size_t to ssize_t + +1999-07-24 Assar Westerlund + + * Release 0.1i + + * configure.in (AC_PROG_AWK): disable. mawk seems to mishandle \# + in lib/roken/roken.awk + + * lib/krb5/get_addrs.c (find_all_addresses): try to use SA_LEN to + step over addresses if there's no `sa_lan' field + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): simplify by + using `struct sockaddr_storage' + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): simplify by using + `struct sockaddr_storage' + + * lib/krb5/changepw.c (krb5_change_password): simplify by using + `struct sockaddr_storage' + + * lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): + simplify by using `struct sockaddr_storage' + + * kpasswd/kpasswdd.c (*): simplify by using `struct + sockaddr_storage' + + * kdc/connect.c (*): simplify by using `struct sockaddr_storage' + + * configure.in (sa_family_t): just test for existence + (sockaddr_storage): also specify include file + + * configure.in (AM_INIT_AUTOMAKE): bump version to 0.1i + (sa_family_t): test for + (struct sockaddr_storage): test for + + * kdc/hprop.c (propagate_database): typo, NULL should be + auth_context + + * lib/krb5/get_addrs.c: conditionalize on HAVE_IPV6 instead of + AF_INET6 + + * appl/kf/kf.c (main): use warnx + + * appl/kf/kf.c (proto): remove shadowing context + + * lib/krb5/get_addrs.c (find_all_addresses): try to handle the + case of getting back an `sockaddr_in6' address when sizeof(struct + sockaddr_in6) > sizeof(struct sockaddr) and we have no sa_len to + tell us how large the address is. This obviously doesn't work + with unknown protocol types. + +1999-07-24 Assar Westerlund + + * Release 0.1h + +1999-07-23 Assar Westerlund + + * appl/kf/kfd.c: clean-up and more paranoia + + * etc/services.append: add kf + + * appl/kf/kf.c: rename tk_file to ccache for consistency. 
clean-up + +1999-07-22 Assar Westerlund + + * lib/krb5/n-fold-test.c (main): print the correct data + + * appl/Makefile.am (SUBDIRS): add kf + + * appl/kf: new program. From Miroslav Ruda + + * kdc/hprop.c: declare some variables unconditionally to simplify + things + + * kpasswd/kpasswdd.c: initialize kadm5 connection for every change + (otherwise the modifier in the database doesn't get set) + + * kdc/hpropd.c: clean-up and re-organize + + * kdc/hprop.c: clean-up and re-organize + + * configure.in (SunOS): define to xy for SunOS x.y + +1999-07-19 Assar Westerlund + + * configure.in (AC_BROKEN): test for copyhostent, freehostent, + getipnodebyaddr, getipnodebyname + +1999-07-15 Assar Westerlund + + * lib/asn1/check-der.c: more test cases for integers + + * lib/asn1/der_length.c (length_int): handle the case of the + largest negative integer by not calling abs + +1999-07-14 Assar Westerlund + + * lib/asn1/check-der.c (generic_test): check malloc return value + properly + + * lib/krb5/Makefile.am: add string_to_key_test + + * lib/krb5/prog_setup.c (krb5_program_setup): always initialize + the context + + * lib/krb5/n-fold-test.c (main): return a relevant return value + + * lib/krb5/krbhst.c: do SRV lookups for admin server as well. + some clean-up. + +1999-07-12 Assar Westerlund + + * configure.in: handle not building X programs + +1999-07-06 Assar Westerlund + + * lib/krb5/addr_families.c (ipv6_parse_addr): remove duplicate + variable + (ipv6_sockaddr2port): fix typo + + * etc/services.append: beginning of a file with services + + * lib/krb5/cache.c (krb5_cc_resolve): fall-back to files if + there's no prefix. also clean-up a little bit. + + * kdc/hprop.c (--kaspecials): new flag for handling special KA + server entries. From "Brandon S. 
Allbery KF8NH" + + +1999-07-05 Assar Westerlund + + * kdc/connect.c (handle_tcp): make sure we have data before + starting to look for HTTP + + * kdc/connect.c (handle_tcp): always do getpeername, we can't + trust recvfrom to return anything sensible + +1999-07-04 Assar Westerlund + + * lib/krb5/get_in_tkt.c (add_padat): encrypt pre-auth data with + all enctypes + + * kpasswd/kpasswdd.c (change): fetch the salt-type from the entry + + * admin/srvconvert.c (srvconv): better error messages + +1999-07-03 Assar Westerlund + + * lib/krb5/principal.c (unparse_name): error check malloc properly + + * lib/krb5/get_in_tkt.c (krb5_init_etype): error check malloc + properly + + * lib/krb5/crypto.c (*): do some malloc return-value checks + properly + + * lib/hdb/hdb.c (hdb_process_master_key): simplify by using + krb5_data_alloc + + * lib/hdb/hdb.c (hdb_process_master_key): check return value from + malloc + + * lib/asn1/gen_decode.c (decode_type): fix generation of decoding + information for TSequenceOf. 
+ + * kdc/kerberos5.c (get_pa_etype_info): check return value from + malloc + +1999-07-02 Assar Westerlund + + * lib/asn1/der_copy.c (copy_octet_string): don't fail if length == + 0 and malloc returns NULL + +1999-06-29 Assar Westerlund + + * lib/krb5/addr_families.c (ipv6_parse_addr): implement + +1999-06-24 Assar Westerlund + + * lib/krb5/rd_cred.c (krb5_rd_cred): compare the sender's address + as an addrport one + + * lib/krb5/krb5.h (KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_IPPORT): + add + (krb5_auth_context): add local and remote port + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): get the + local and remote address and add them to the krb-cred packet + + * lib/krb5/auth_context.c: save the local and remove ports in the + auth_context + + * lib/krb5/address.c (krb5_make_addrport): create an address of + type KRB5_ADDRESS_ADDRPORT from (addr, port) + + * lib/krb5/addr_families.c (krb5_sockaddr2port): new function for + grabbing the port number out of the sockaddr + +1999-06-23 Assar Westerlund + + * admin/srvcreate.c (srvcreate): always take the DES-CBC-MD5 key. + increase possible verbosity. + + * lib/krb5/config_file.c (parse_list): handle blank lines at + another place + + * kdc/connect.c (add_port_string): don't return a value + + * lib/kadm5/init_c.c (get_cred_cache): you cannot reuse the cred + cache if the principals are different. close and NULL the old one + so that we create a new one. 
+ + * configure.in: move around cgywin et al + (LIB_kdb): set at the end of krb4-block + (krb4): test for krb_enable_debug and krb_disable_debug + +1999-06-16 Assar Westerlund + + * kuser/kdestroy.c (main): try to destroy v4 ticket even if the + destruction of the v5 one fails + + * lib/krb5/crypto.c (DES3_postproc): new version that does the + right thing + (*): don't put and recover length in 3DES encoding + other small fixes + +1999-06-15 Assar Westerlund + + * lib/krb5/get_default_principal.c: rewrite to use + get_default_username + + * lib/krb5/Makefile.am: add n-fold-test + + * kdc/connect.c: add fallbacks for all lookups by service name + (handle_tcp): break-up and clean-up + +1999-06-09 Assar Westerlund + + * lib/krb5/addr_families.c (ipv6_uninteresting): don't consider + the loopback address as uninteresting + + * lib/krb5/get_addrs.c: new magic flag to get loopback address if + there are no other addresses. + (krb5_get_all_client_addrs): use that flag + +1999-06-04 Assar Westerlund + + * lib/krb5/crypto.c (HMAC_SHA1_DES3_checksum): don't include the + length + (checksum_sha1, checksum_hmac_sha1_des3): blocksize should be 64 + (encrypt_internal_derived): don't include the length and don't + decrease by the checksum size twice + (_get_derived_key): the constant should be 5 bytes + +1999-06-02 Johan Danielsson + + * configure.in: use KRB_CHECK_X + + * configure.in: check for netinet/ip.h + +1999-05-31 Assar Westerlund + + * kpasswd/kpasswdd.c (setup_passwd_quality_check): conditionalize + on RTLD_NOW + +1999-05-23 Assar Westerlund + + * appl/test/uu_server.c: removed unused stuff + + * appl/test/uu_client.c: removed unused stuff + +1999-05-21 Assar Westerlund + + * kuser/kgetcred.c (main): correct error message + + * lib/krb5/crypto.c (verify_checksum): call (*ct->checksum) + directly, avoiding redundant lookups and memory leaks + + * lib/krb5/auth_context.c (krb5_auth_con_setaddrs_from_fd): free + local and remote addresses + + * 
lib/krb5/get_default_principal.c (get_logname): also try + $USERNAME + + * lib/asn1/Makefile.am (asn1_files): add $(EXEEXT) + + * lib/krb5/principal.c (USE_RESOLVER): try to define only if we + have a libresolv (currently by checking for res_search) + +1999-05-18 Johan Danielsson + + * kdc/connect.c (handle_tcp): remove %-escapes in request + +1999-05-14 Assar Westerlund + + * Release 0.1g + + * admin/ktutil.c (kt_remove): -t should be -e + + * configure.in (CHECK_NETINET_IP_AND_TCP): use + + * kdc/hpropd.c: support for dumping to krb4. From Miroslav Ruda + + + * admin/ktutil.c (kt_add): new option `--no-salt'. From Miroslav + Ruda + + * configure.in: add cygwin and DOS tests replace sendmsg, recvmsg, + and innetgr with roken versions + + * kuser/kgetcred.c: new program + +Tue May 11 14:09:33 1999 Johan Danielsson + + * lib/krb5/mcache.c: fix paste-o + +1999-05-10 Johan Danielsson + + * configure.in: don't use uname + +1999-05-10 Assar Westerlund + + * acconfig.h (KRB_PUT_INT): if we don't have KRB4 use four + arguments :-) + + * appl/test/uu_server.c (setsockopt): cast to get rid of a warning + + * appl/test/tcp_server.c (setsockopt): cast to get rid of a + warning + + * appl/test/tcp_client.c (proto): call krb5_sendauth with ccache + == NULL + + * appl/test/gssapi_server.c (setsockopt): cast to get rid of a + warning + + * lib/krb5/sendauth.c (krb5_sendauth): handle ccache == NULL by + setting the default ccache. + + * configure.in (getsockopt, setsockopt): test for + (AM_INIT_AUTOMAKE): bump version to 0.1g + + * appl/Makefile.am (SUBDIRS): add kx + + * lib/hdb/convert_db.c (main): handle the case of no master key + +1999-05-09 Assar Westerlund + + * Release 0.1f + + * kuser/kinit.c: add --noaddresses + + * lib/krb5/get_in_tkt.c (init_as_req): interpret `addrs' being an + empty sit of list as to not ask for any addresses. 
+ +1999-05-08 Assar Westerlund + + * acconfig.h (_GNU_SOURCE): define this to enable (used) + extensions on glibc-based systems such as linux + +1999-05-03 Assar Westerlund + + * lib/krb5/get_cred.c (get_cred_from_kdc_flags): allocate and free + `*out_creds' properly + + * lib/krb5/creds.c (krb5_compare_creds): just verify that the + keytypes/enctypes are compatible, not that they are the same + + * kuser/kdestroy.c (cache): const-correctness + +1999-05-03 Johan Danielsson + + * lib/hdb/hdb.c (hdb_set_master_key): initialise master key + version + + * lib/hdb/convert_db.c: add support for upgrading database + versions + + * kdc/misc.c: add flags to fetch + + * kdc/kstash.c: unlink keyfile on failure, chmod to 400 + + * kdc/hpropd.c: add --print option + + * kdc/hprop.c: pass flags to hdb_foreach + + * lib/hdb/convert_db.c: add some flags + + * lib/hdb/Makefile.am: remove extra LDFLAGS, update version to 2; + build prototype headers + + * lib/hdb/hdb_locl.h: update prototypes + + * lib/hdb/print.c: move printable version of entry from kadmin + + * lib/hdb/hdb.c: change hdb_{seal,unseal}_* to check if the key is + sealed or not; add flags to hdb_foreach + + * lib/hdb/ndbm.c: add flags to NDBM_seq, NDBM_firstkey, and + NDBM_nextkey + + * lib/hdb/db.c: add flags to DB_seq, DB_firstkey, and DB_nextkey + + * lib/hdb/common.c: add flags to _hdb_{fetch,store} + + * lib/hdb/hdb.h: add master_key_version to struct hdb, update + prototypes + + * lib/hdb/hdb.asn1: make mkvno optional, update version to 2 + + * configure.in: --enable-netinfo + + * lib/krb5/config_file.c: HAVE_NETINFO_NI_H -> HAVE_NETINFO + + * config.sub: fix for crays + + * config.guess: new version from automake 1.4 + + * config.sub: new version from automake 1.4 + +Wed Apr 28 00:21:17 1999 Assar Westerlund + + * Release 0.1e + + * lib/krb5/mcache.c (mcc_get_next): get the current cursor + correctly + + * acconfig.h: correct definition of KRB_PUT_INT for old krb4 code. 
+ From Ake Sandgren + +1999-04-27 Johan Danielsson + + * kdc/kerberos5.c: fix arguments to decrypt_ticket + +1999-04-25 Assar Westerlund + + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): try to handle old + DCE secd's that are not able to handle MD5 checksums by defaulting + to MD4 if the keytype was DES-CBC-CRC + + * lib/krb5/mk_req.c (krb5_mk_req): use auth_context->keytype + + * lib/krb5/krb5.h (krb5_auth_context_data): add `keytype' and + `cksumtype' + + * lib/krb5/get_cred.c (make_pa_tgs_req): remove old kludge for + secd + (init_tgs_req): add all supported enctypes for the keytype in + `in_creds->session.keytype' if it's set + + * lib/krb5/crypto.c (F_PSEUDO): new flag for non-protocol + encryption types + (do_checksum): new function + (verify_checksum): take the checksum to use from the checksum message + and not from the crypto struct + (etypes): add F_PSEUDO flags + (krb5_keytype_to_enctypes): new function + + * lib/krb5/auth_context.c (krb5_auth_con_init): initalize keytype + and cksumtype + (krb5_auth_setcksumtype, krb5_auth_getcksumtype): implement + (krb5_auth_setkeytype, krb5_auth_getkeytype): implement + (krb5_auth_setenctype): comment out, it's rather bogus anyway + +Sun Apr 25 16:55:50 1999 Johan Danielsson + + * lib/krb5/krb5_locl.h: fix for stupid aix warnings + + * lib/krb5/fcache.c (erase_file): don't malloc + +Sat Apr 24 18:35:21 1999 Johan Danielsson + + * kdc/config.c: pass context to krb5_config_file_free + + * kuser/kinit.c: add `--fcache-version' to set cache version to + create + + * kuser/klist.c: print cache version if verbose + + * lib/krb5/transited.c (krb5_domain_x500_decode): don't abort + + * lib/krb5/principal.c: abort -> krb5_abortx + + * lib/krb5/mk_rep.c: abort -> krb5_abortx + + * lib/krb5/config_file.c: abort -> krb5_abortx + + * lib/krb5/context.c (init_context_from_config_file): init + fcache_version; add krb5_{get,set}_fcache_version + + * lib/krb5/keytab.c: add support for reading (and writing?) 
old + version keytabs + + * lib/krb5/cache.c: add krb5_cc_get_version + + * lib/krb5/fcache.c: add support for reading and writing old + version cache files + + * lib/krb5/store_mem.c (krb5_storage_from_mem): zero flags + + * lib/krb5/store_emem.c (krb5_storage_emem): zero flags + + * lib/krb5/store_fd.c (krb5_storage_from_fd): zero flags + + * lib/krb5/store.c: add flags to change how various fields are + stored, used for old cache version support + + * lib/krb5/krb5.h: add support for reading and writing old version + cache files, and keytabs + +Wed Apr 21 00:09:26 1999 Assar Westerlund + + * configure.in: fix test for readline.h remember to link with + $LIB_tgetent when trying linking with readline + + * lib/krb5/init_creds_pw.c (get_init_creds_common): if start_time + is given, request a postdated ticket. + + * lib/krb5/data.c (krb5_data_free): free data as long as it's not + NULL + +Tue Apr 20 20:18:14 1999 Assar Westerlund + + * kpasswd/Makefile.am (kpasswdd_LDADD): add LIB_dlopen + + * lib/krb5/krb5.h (KRB5_VERIFY_AP_REQ_IGNORE_INVALID): add + + * lib/krb5/rd_req.c (krb5_decrypt_ticket): add `flags` and + KRB5_VERIFY_AP_REQ_IGNORE_INVALID for ignoring that the ticket is + invalid + +Tue Apr 20 12:42:08 1999 Johan Danielsson + + * kpasswd/kpasswdd.c: don't try to load library by default; get + library and function name from krb5.conf + + * kpasswd/sample_passwd_check.c: sample password checking + functions + +Mon Apr 19 22:22:19 1999 Assar Westerlund + + * lib/krb5/store.c (krb5_storage_to_data, krb5_ret_data): use + krb5_data_alloc and be careful with checking allocation and sizes. 
+ + * kuser/klist.c (--tokens): conditionalize on KRB4 + + * kuser/kinit.c (renew_validate): set all flags + (main): fix cut-n-paste error when setting start-time + + * kdc/kerberos5.c (check_tgs_flags): starttime of a validate + ticket should be > than current time + (*): send flags to krb5_verify_ap_req and krb5_decrypt_ticket + + * kuser/kinit.c (renew_validate): use the client realm instead of + the local realm when renewing tickets. + + * lib/krb5/get_for_creds.c (krb5_fwd_tgs_creds): compat function + (krb5_get_forwarded_creds): correct freeing of out_creds + + * kuser/kinit.c (renew_validate): hopefully fix up freeing of + memory + + * configure.in: do all the krb4 tests with "$krb4" != "no" + + * lib/krb5/keyblock.c (krb5_free_keyblock_contents): don't zero + keyvalue if it's NULL. noticed by Ake Sandgren + + * lib/krb5/get_in_tkt.c (add_padata): loop over all enctypes + instead of just taking the first one. fix all callers. From + "Brandon S. Allbery KF8NH" + + * kdc/kdc_locl.h (enable_kaserver): declaration + + * kdc/hprop.c (ka_convert): print the failing principal. AFS 3.4a + creates krbtgt.REALMOFCELL as NOTGS+NOSEAL, work around. From + "Brandon S. Allbery KF8NH" + + * kdc/hpropd.c (open_socket): stupid cast to get rid of a warning + + * kdc/connect.c (add_standard_ports, process_request): look at + enable_kaserver. From "Brandon S. Allbery KF8NH" + + + * kdc/config.c: new flag --kaserver and config file option + enable-kaserver. From "Brandon S. 
Allbery KF8NH" + + +Mon Apr 19 12:32:04 1999 Johan Danielsson + + * configure.in: check for dlopen, and dlfcn.h + + * kpasswd/kpasswdd.c: add support for dlopen:ing password quality + check library + + * configure.in: add appl/su + +Sun Apr 18 15:46:53 1999 Johan Danielsson + + * lib/krb5/cache.c: add krb5_cc_get_type that returns type of a + cache + +Fri Apr 16 17:58:51 1999 Assar Westerlund + + * configure.in: LIB_kdb: -L should be before -lkdb + test for prototype of strsep + +Thu Apr 15 11:34:38 1999 Johan Danielsson + + * lib/krb5/Makefile.am: update version + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use + ALLOC_SEQ + + * lib/krb5/fcache.c: add some support for reading and writing old + cache formats; + (fcc_store_cred): use krb5_store_creds; (fcc_read_cred): use + krb5_ret_creds + + * lib/krb5/store_mem.c (krb5_storage_from_mem): check malloc, + initialize host_byteorder + + * lib/krb5/store_fd.c (krb5_storage_from_fd): initialize + host_byteorder + + * lib/krb5/store_emem.c (krb5_storage_emem): initialize + host_byteorder + + * lib/krb5/store.c (krb5_storage_set_host_byteorder): add; + (krb5_store_int32,krb5_ret_int32,krb5_store_int16,krb5_ret_int16): + check host_byteorder flag; (krb5_store_creds): add; + (krb5_ret_creds): add + + * lib/krb5/krb5.h (krb5_storage): add `host_byteorder' flag for + storage of numbers + + * lib/krb5/heim_err.et: add `host not found' error + + * kdc/connect.c: don't use data after clearing decriptor + + * lib/krb5/auth_context.c: abort -> krb5_abortx + + * lib/krb5/warn.c: add __attribute__; add *abort functions + + * configure.in: check for __attribute__ + + * kdc/connect.c: log bogus requests + +Tue Apr 13 18:38:05 1999 Johan Danielsson + + * lib/kadm5/create_s.c (kadm5_s_create_principal): create v4 salts + for all DES keys + +1999-04-12 Assar Westerlund + + * lib/krb5/get_cred.c (init_tgs_req): re-structure a little bit + + * lib/krb5/get_cred.c (init_tgs_req): some more error checking + + * 
lib/krb5/generate_subkey.c (krb5_generate_subkey): check return + value from malloc + +Sun Apr 11 03:47:23 1999 Johan Danielsson + + * lib/krb5/krb5.conf.5: update to reality + + * lib/krb5/krb5_425_conv_principal.3: update to reality + +1999-04-11 Assar Westerlund + + * lib/krb5/get_host_realm.c: handle more than one realm for a host + + * kpasswd/kpasswd.c (main): use krb5_program_setup and + print_version + + * kdc/string2key.c (main): use krb5_program_setup and + print_version + +Sun Apr 11 02:35:58 1999 Johan Danielsson + + * lib/krb5/principal.c (krb5_524_conv_principal): make it actually + work, and check built-in list of host-type first-components + + * lib/krb5/krbhst.c: lookup SRV-records to find a kdc for a realm + + * lib/krb5/context.c: add srv_* flags to context + + * lib/krb5/principal.c: add default v4_name_convert entries + + * lib/krb5/krb5.h: add srv_* flags to context + +Sat Apr 10 22:52:28 1999 Johan Danielsson + + * kadmin/kadmin.c: complain about un-recognised commands + + * admin/ktutil.c: complain about un-recognised commands + +Sat Apr 10 15:41:49 1999 Assar Westerlund + + * kadmin/load.c (doit): fix error message + + * lib/krb5/crypto.c (encrypt_internal): free checksum if lengths + fail to match. + (krb5_get_wrapped_length): new function + + * configure.in: security/pam_modules.h: check for + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): kludge + around `ret_as_reply' semantics by only freeing it when ret == 0 + +Fri Apr 9 20:24:04 1999 Assar Westerlund + + * kuser/klist.c (print_cred_verbose): handle the case of a bad + enctype + + * configure.in: test for more header files + (LIB_roken): set + +Thu Apr 8 15:01:59 1999 Johan Danielsson + + * configure.in: fixes for building w/o krb4 + + * ltmain.sh: update to libtool 1.2d + + * ltconfig: update to libtool 1.2d + +Wed Apr 7 23:37:26 1999 Assar Westerlund + + * kdc/hpropd.c: fix some error messages to be more understandable. 
+ + * kdc/hprop.c (ka_dump): remove unused variables + + * appl/test/tcp_server.c: remove unused variables + + * appl/test/gssapi_server.c: remove unused variables + + * appl/test/gssapi_client.c: remove unused variables + +Wed Apr 7 14:05:15 1999 Johan Danielsson + + * lib/krb5/context.c (krb5_get_err_text): long -> krb5_error_code + + * kuser/klist.c: make it compile w/o krb4 + + * kuser/kdestroy.c: make it compile w/o krb4 + + * admin/ktutil.c: fix {srv,key}2{srv,key}tab confusion; add help + strings + +Mon Apr 5 16:13:46 1999 Johan Danielsson + + * configure.in: test for MIPS ABI; new test_package + +Thu Apr 1 11:00:40 1999 Johan Danielsson + + * include/Makefile.am: clean krb5-private.h + + * Release 0.1d + + * kpasswd/kpasswdd.c (doit): pass context to + krb5_get_all_client_addrs + + * kdc/connect.c (init_sockets): pass context to + krb5_get_all_server_addrs + + * lib/krb5/get_in_tkt.c (init_as_req): pass context to + krb5_get_all_client_addrs + + * lib/krb5/get_cred.c (get_cred_kdc_la): pass context to + krb5_get_all_client_addrs + + * lib/krb5/get_addrs.c (get_addrs_int): add extra host addresses + + * lib/krb5/krb5.h: add support for adding an extra set of + addresses + + * lib/krb5/context.c: add support for adding an extra set of + addresses + + * lib/krb5/addr_families.c: add krb5_parse_address + + * lib/krb5/address.c: krb5_append_addresses + + * lib/krb5/config_file.c (parse_binding): don't zap everything + after first whitespace + + * kuser/kinit.c (renew_validate): don't allocate out + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't + allocate out_creds + + * lib/krb5/get_cred.c (get_cred_kdc, get_cred_kdc_la): make + out_creds pointer; + (krb5_get_kdc_cred): allocate out_creds; (get_cred_from_kdc_flags): + free more memory + + * lib/krb5/crypto.c (encrypt_internal): free checksum + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): free reply, + and ticket + + * kuser/Makefile.am: remove kfoo + + * lib/Makefile.am: add auth + + 
* lib/kadm5/iprop.h: getarg.h + + * lib/kadm5/replay_log.c: use getarg + + * lib/kadm5/ipropd_slave.c: use getarg + + * lib/kadm5/ipropd_master.c: use getarg + + * lib/kadm5/dump_log.c: use getarg + + * kpasswd/kpasswdd.c: use getarg + + * Makefile.am.common: make a more working check-local target + + * lib/asn1/main.c: use getargs + +Mon Mar 29 20:19:57 1999 Johan Danielsson + + * kuser/klist.c (print_cred_verbose): use krb5_print_address + + * lib/kadm5/server.c: k_{put,get}_int -> _krb5_{put,get}_int + + * lib/krb5/addr_families.c (krb5_print_address): handle unknown + address types; (ipv6_print_addr): print in 16-bit groups (as it + should) + + * lib/krb5/crc.c: crc_{init_table,update} -> + _krb5_crc_{init_table,update} + + * lib/krb5/crypto.c: k_{put,get}_int -> _krb5_{put,get}_int + crc_{init_table,update} -> _krb5_crc_{init_table,update} + + * lib/krb5/send_to_kdc.c: k_{put,get}_int -> _krb5_{put,get}_int + + * lib/krb5/store.c: k_{put,get}_int -> _krb5_{put,get}_int + + * lib/krb5/krb5_locl.h: include krb5-private.h + + * kdc/connect.c (addr_to_string): use krb5_print_address + + * lib/krb5/addr_families.c (krb5_print_address): int -> size_t + + * lib/krb5/addr_families.c: add support for printing ipv6 + addresses, either with inet_ntop, or ugly for-loop + + * kdc/524.c: check that the ticket came from a valid address; use + the address of the connection as the address to put in the v4 + ticket (if this address is AF_INET) + + * kdc/connect.c: pass addr to do_524 + + * kdc/kdc_locl.h: prototype for do_524 + +Sat Mar 27 17:48:31 1999 Johan Danielsson + + * configure.in: check for OSF C2; bind/bitypes.h, getudbnam, + setlim; check for auth modules; siad.h, getpwnam_r; + lib/auth/Makefile, lib/auth/sia/Makefile + + * lib/krb5/crypto.c: n_fold -> _krb5_n_fold + + * lib/krb5/n-fold.c: n_fold -> _krb5_n_fold + +Thu Mar 25 04:35:21 1999 Assar Westerlund + + * lib/kadm5/set_keys.c (_kadm5_set_keys): free salt when zapping + it + + * lib/kadm5/free.c 
(kadm5_free_principal_ent): free `key_data' + + * lib/hdb/ndbm.c (NDBM_destroy): clear master key + + * lib/hdb/db.c (DB_destroy): clear master key + (DB_open): check malloc + + * kdc/connect.c (init_sockets): free addresses + + * kadmin/kadmin.c (main): make code more consistent. always free + configuration information. + + * kadmin/init.c (create_random_entry): free the entry + +Wed Mar 24 04:02:03 1999 Assar Westerlund + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): + re-organize the code to always free `kdc_reply' + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): be more careful about + freeing memory + + * lib/krb5/fcache.c (fcc_destroy): don't call fcc_close + + * lib/krb5/crypto.c (krb5_crypto_destroy): free `crypto' + + * lib/hdb/hdb_locl.h: try db_185.h first in case db.h is a DB 2.0 + header + + * configure.in (db_185.h): check for + + * admin/srvcreate.c: new file. contributed by Daniel Kouril + + + * admin/ktutil.c: srvcreate: new command + + * kuser/klist.c: add support for printing AFS tokens + + * kuser/kdestroy.c: add support for destroying v4 tickets and AFS + tokens. based on code by Love + + * kuser/Makefile.am (kdestroy_LDADD, klist_LDADD): more libraries + + * configure.in: sys/ioccom.h: test for + + * kuser/klist.c (main): don't print `no ticket file' with --test. + 
From: Love + + * kpasswd/kpasswdd.c (doit): more braces to make gcc happy + + * kdc/connect.c (init_socket): get rid of a stupid warning + + * include/bits.c (my_strupr): cast away some stupid warnings + +Tue Mar 23 14:34:44 1999 Johan Danielsson + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): no infinite + loops, please + +Tue Mar 23 00:00:45 1999 Assar Westerlund + + * lib/kadm5/Makefile.am (install_build_headers): recover from make + rewriting the names of the headers kludge to help solaris make + + * lib/krb5/Makefile.am: kludge to help solaris make + + * lib/hdb/Makefile.am: kludge to help solaris make + + * configure.in (LIB_kdb): make sure there's a -L option in here by + adding $(LIB_krb4) + + * lib/asn1/gen_glue.c (generate_2int, generate_int2): int -> + unsigned + + * configure.in (SunOS): set to a number KRB4, KRB5 conditionals: + remove the `dnl' to work around an automake flaw + +Sun Mar 21 15:08:49 1999 Johan Danielsson + + * lib/krb5/get_default_realm.c: char* -> krb5_realm + +Sun Mar 21 14:08:30 1999 Johan Danielsson + + * include/bits.c: + + * lib/krb5/Makefile.am: create krb5-private.h + +Sat Mar 20 00:08:59 1999 Assar Westerlund + + * configure.in (gethostname): remove duplicate + +Fri Mar 19 14:48:03 1999 Johan Danielsson + + * lib/hdb/Makefile.am: add version-info + + * lib/gssapi/Makefile.am: add version-info + + * lib/asn1/Makefile.am: use $(x:y=z) make syntax; move check-der + to check_PROGRAMS + + * lib/Makefile.am: add 45 + + * lib/kadm5/Makefile.am: split in client and server libraries + (breaks shared libraries otherwise) + +Thu Mar 18 11:33:30 1999 Johan Danielsson + + * include/kadm5/Makefile.am: clean a lot of header files (since + automake lacks a clean-hook) + + * include/Makefile.am: clean a lot of header files (since automake + lacks a clean-hook) + + * lib/kadm5/Makefile.am: fix build-installation of headers + + * lib/krb5/Makefile.am: remove include_dir hack + + * lib/hdb/Makefile.am: remove include_dir hack + + * 
lib/asn1/Makefile.am: remove include_dir hack + + * include/Makefile.am: remove include_dir hack + + * doc/whatis.texi: define sub for html + + * configure.in: LIB_kdb, have_err_h, have_fnmatch_h, have_glob_h + + * lib/asn1/Makefile.am: der.h + + * kpasswd/kpasswdd.c: admin.h -> kadm5/admin.h + + * kdc/Makefile.am: remove junk + + * kadmin/Makefile.am: sl.a -> sl.la + + * appl/afsutil/Makefile.am: remove EXTRA_bin_PROGRAMS + + * admin/Makefile.am: sl.a -> sl.la + + * configure.in: condition KRB5; AC_CHECK_XAU + + * Makefile.am: include Makefile.am.common + + * include/kadm5/Makefile.am: include Makefile.am.common; don't + install headers from here + + * include/Makefile.am: include Makefile.am.common; don't install + headers from here + + * doc/Makefile.am: include Makefile.am.common + + * lib/krb5/Makefile.am: include Makefile.am.common + + * lib/kadm5/Makefile.am: include Makefile.am.common + + * lib/hdb/Makefile.am: include Makefile.am.common + + * lib/gssapi/Makefile.am: include Makefile.am.common + + * lib/asn1/Makefile.am: include Makefile.am.common + + * lib/Makefile.am: include Makefile.am.common + + * lib/45/Makefile.am: include Makefile.am.common + + * kuser/Makefile.am: include Makefile.am.common + + * kpasswd/Makefile.am: include Makefile.am.common + + * kdc/Makefile.am: include Makefile.am.common + + * kadmin/Makefile.am: include Makefile.am.common + + * appl/test/Makefile.am: include Makefile.am.common + + * appl/afsutil/Makefile.am: include Makefile.am.common + + * appl/Makefile.am: include Makefile.am.common + + * admin/Makefile.am: include Makefile.am.common + +Wed Mar 17 03:04:38 1999 Assar Westerlund + + * lib/krb5/store.c (krb5_store_stringz): braces fix + + * lib/kadm5/get_s.c (kadm5_s_get_principal): braces fix + + * lib/kadm5/ent_setup.c (_kadm5_setup_entry): braces fix + + * kdc/connect.c (loop): braces fix + + * lib/krb5/config_file.c: cast to unsigned char to make is* happy + + * lib/krb5/log.c (krb5_addlog_dest): more braces to make gcc 
happy + + * lib/krb5/crypto.c (krb5_verify_checksum): rename C -> cksum to + be consistent + + * kadmin/util.c (timeval2str): more braces to make gcc happy + + * kadmin/load.c: cast in is* to get rid of stupid warning + + * kadmin/dump.c (append_hex): cast in isalnum to get rid of stupid + warning + + * kdc/kaserver.c: malloc checks and fixes + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): include leading + dot (if any) when looking up realms. + +Fri Mar 12 13:57:56 1999 Johan Danielsson + + * lib/krb5/get_host_realm.c: add dns support + + * lib/krb5/set_default_realm.c: use krb5_free_host_realm + + * lib/krb5/free_host_realm.c: check for NULL realmlist + + * lib/krb5/context.c: don't print warning if there is no krb5.conf + +Wed Mar 10 19:29:46 1999 Johan Danielsson + + * configure.in: use AC_WFLAGS + +Mon Mar 8 11:49:43 1999 Johan Danielsson + + * Release 0.1c + + * kuser/klist.c: use print_version + + * kuser/kdestroy.c: use print_version + + * kdc/hpropd.c: use print_version + + * kdc/hprop.c: use print_version + + * kdc/config.c: use print_version + + * kadmin/kadmind.c: use print_version + + * kadmin/kadmin.c: use print_version + + * appl/test/common.c: use print_version + + * appl/afsutil/afslog.c: use print_version + +Mon Mar 1 10:49:14 1999 Johan Danielsson + + * lib/krb5/get_addrs.c: SOCKADDR_HAS_SA_LEN -> + HAVE_STRUCT_SOCKADDR_SA_LEN + + * configure.in, acconfig.h, cf/*: update to automake 1.4/autoconf 2.13 + +Sun Feb 28 18:19:20 1999 Johan Danielsson + + * lib/asn1/gen.c: make `BIT STRING's unsigned + + * lib/asn1/{symbol.h,gen.c}: add TUInteger type + + * lib/krb5/verify_user.c (krb5_verify_user): pass prompter to + krb5_get_init_creds_password + + * lib/krb5/fcache.c (fcc_gen_new): implement + +Sat Feb 27 22:41:23 1999 Johan Danielsson + + * doc/install.texi: krb4 is now automatically detected + + * doc/misc.texi: update procedure to set supported encryption + types + + * doc/setup.texi: change some silly wordings + +Sat Feb 27 22:17:30 1999 
Johan Danielsson + + * lib/krb5/keytab.c (fkt_remove_entry): make this work + + * admin/ktutil.c: add minimally working `get' command + +Sat Feb 27 19:44:49 1999 Johan Danielsson + + * lib/hdb/convert_db.c: more typos + + * include/Makefile.am: remove EXTRA_DATA (as of autoconf + 2.13/automake 1.4) + + * appl/Makefile.am: OTP_dir + +Fri Feb 26 17:37:00 1999 Johan Danielsson + + * doc/setup.texi: add kadmin section + + * lib/asn1/check-der.c: fix printf warnings + +Thu Feb 25 11:16:49 1999 Johan Danielsson + + * configure.in: -O does not belong in WFLAGS + +Thu Feb 25 11:05:57 1999 Johan Danielsson + + * lib/asn1/der_put.c: fix der_put_int + +Tue Feb 23 20:35:12 1999 Johan Danielsson + + * configure.in: use AC_BROKEN_GLOB + +Mon Feb 22 15:12:44 1999 Johan Danielsson + + * configure.in: check for glob + +Mon Feb 22 11:32:42 1999 Johan Danielsson + + * Release 0.1b + +Sat Feb 20 15:48:06 1999 Johan Danielsson + + * lib/hdb/convert_db.c: convert DES3 keys to des3-cbc-sha1, and + des3-cbc-md5 + + * lib/krb5/crypto.c (DES3_string_to_key): make this actually do + what the draft said it should + + * lib/hdb/convert_db.c: little program for database conversion + + * lib/hdb/db.c (DB_open): try to open database w/o .db extension + + * lib/hdb/ndbm.c (NDBM_open): add test for database format + + * lib/hdb/db.c (DB_open): add test for database format + + * lib/asn1/gen_glue.c (generate_2int): don't depend on flags being + unsigned + + * lib/hdb/hdb.c: change `hdb_set_master_key' to take an + EncryptionKey, and add a new function `hdb_set_master_keyfile' to + do what `hdb_set_master_key' used to do + + * kdc/kstash.c: add `--convert-file' option to change keytype of + existing master key file + +Fri Feb 19 07:04:14 1999 Assar Westerlund + + * Release 0.1a + +Sat Feb 13 17:12:53 1999 Assar Westerlund + + * lib/krb5/mk_safe.c (krb5_mk_safe): sizeof(buf) -> buf_size, buf + is now a `u_char *' + + * lib/krb5/get_in_tkt.c (krb5_init_etype): etypes are now `int' + + * 
lib/krb5/get_host_realm.c (krb5_get_host_realm): constize + orig_host + + (krb5_salttype_to_string): new function (RSA_MD5_DES_verify, + RSA_MD5_DES3_verify): initialize ret + + * lib/gssapi/init_sec_context.c (init_auth): remove unnecessary + gssapi_krb5_init. ask for KEYTYPE_DES credentials + + * kadmin/get.c (print_entry_long): print the keytypes and salts + available for the principal + + * configure.in (WFLAGS): add `-O' to catch unitialized variables + and such + (gethostname, mkstemp, getusershell, inet_aton): more tests + + * lib/hdb/hdb.h: update prototypes + + * configure.in: homogenize broken detection with krb4 + + * lib/kadm5/init_c.c (kadm5_c_init_with_context): remove unused + `error' + + * lib/asn1/Makefile.am (check-der): add + + * lib/asn1/gen.c (define_type): map ASN1 Integer to `int' instead + of `unsigned' + + * lib/asn1/der_length.c (length_unsigned): new function + (length_int): handle signed integers + + * lib/asn1/der_put.c (der_put_unsigned): new function + (der_put_int): handle signed integers + + * lib/asn1/der_get.c (der_get_unsigned): new function + (der_get_int): handle signed integers + + * lib/asn1/der.h: all integer functions take `int' instead of + `unsigned' + + * lib/asn1/lex.l (filename): unused. remove. + + * lib/asn1/check-der.c: new test program for der encoding and + decoding. + +Mon Feb 1 04:09:06 1999 Assar Westerlund + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): only call + gethostbyname2 with AF_INET6 if we actually have IPv6. From + "Brandon S. Allbery KF8NH" + + * lib/krb5/changepw.c (get_kdc_address): dito + +Sun Jan 31 06:26:36 1999 Assar Westerlund + + * kdc/connect.c (parse_prots): always bind to AF_INET, there are + v6-implementations without support for `mapped V4 addresses'. 
+ From Jun-ichiro itojun Hagino + +Sat Jan 30 22:38:27 1999 Assar Westerlund + + * Release 0.0u + +Sat Jan 30 13:43:02 1999 Assar Westerlund + + * lib/krb5/Makefile.am: explicit rules for *.et files + + * lib/kadm5/init_c.c (get_kadm_ticket): only remove creds if + krb5_get_credentials was succesful. + (get_new_cache): return better error codes and return earlier. + (get_cred_cache): only delete default_client if it's different + from client + (kadm5_c_init_with_context): return a more descriptive error. + + * kdc/kerberos5.c (check_flags): handle NULL client or server + + * lib/krb5/sendauth.c (krb5_sendauth): return the error in + `ret_error' iff != NULL + + * lib/krb5/rd_error.c (krb5_free_error, krb5_free_error_contents): + new functions + + * lib/krb5/mk_req_ext.c (krb5_mk_req_extended): more + type-correctness + + * lib/krb5/krb5.h (krb5_error): typedef to KRB_ERROR + + * lib/krb5/init_creds_pw.c: KRB5_TGS_NAME: use + + * lib/krb5/get_cred.c: KRB5_TGS_NAME: use + + * lib/kafs/afskrb5.c (afslog_uid_int): update to changes + + * lib/kadm5/rename_s.c (kadm5_s_rename_principal): call remove + instead of rename, but shouldn't this just call rename? + + * lib/kadm5/get_s.c (kadm5_s_get_principal): always return an + error if the principal wasn't found. + + * lib/hdb/ndbm.c (NDBM_seq): unseal key + + * lib/hdb/db.c (DB_seq): unseal key + + * lib/asn1/Makefile.am: added explicit rules for asn1_err.[ch] + + * kdc/hprop.c (v4_prop): add krbtgt/THISREALM@OTHERREALM when + finding cross-realm tgts in the v4 database + + * kadmin/mod.c (mod_entry): check the number of arguments. check + that kadm5_get_principal worked. + + * lib/krb5/keytab.c (fkt_remove_entry): remove KRB5_KT_NOTFOUND if + we weren't able to remove it. + + * admin/ktutil.c: less drive-by-deleting. 
From Love + + + * kdc/connect.c (parse_ports): copy the string before mishandling + it with strtok_r + + * kdc/kerberos5.c (tgs_rep2): print the principal with mismatching + kvnos + + * kadmin/kadmind.c (main): convert `debug_port' to network byte + order + + * kadmin/kadmin.c: allow specification of port number. + + * lib/kadm5/kadm5_locl.h (kadm5_client_context): add + `kadmind_port'. + + * lib/kadm5/init_c.c (_kadm5_c_init_context): move up + initalize_kadm5_error_table_r. + allow specification of port number. + + From Love + + * kuser/klist.c: add option -t | --test + diff --git a/third_party/heimdal/ChangeLog.2000 b/third_party/heimdal/ChangeLog.2000 new file mode 100644 index 0000000..a1cb687 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2000 
@@ -0,0 +1,1320 @@ +2000-12-31 Assar Westerlund + + * lib/krb5/test_get_addrs.c (main): handle krb5_init_context + failure consistently + * lib/krb5/string-to-key-test.c (main): handle krb5_init_context + failure consistently + * lib/krb5/prog_setup.c (krb5_program_setup): handle + krb5_init_context failure consistently + * lib/hdb/convert_db.c (main): handle krb5_init_context failure + consistently + * kuser/kverify.c (main): handle krb5_init_context failure + consistently + * kuser/klist.c (main): handle krb5_init_context failure + consistently + * kuser/kinit.c (main): handle krb5_init_context failure + consistently + * kuser/kgetcred.c (main): handle krb5_init_context failure + consistently + * kuser/kdestroy.c (main): handle krb5_init_context failure + consistently + * kuser/kdecode_ticket.c (main): handle krb5_init_context failure + consistently + * kuser/generate-requests.c (generate_requests): handle + krb5_init_context failure consistently + * kpasswd/kpasswd.c (main): handle krb5_init_context failure + consistently + * kpasswd/kpasswd-generator.c (generate_requests): handle + krb5_init_context failure consistently + * kdc/main.c (main): handle krb5_init_context failure consistently + * appl/test/uu_client.c (proto): handle krb5_init_context failure + consistently + * appl/kf/kf.c (main): handle krb5_init_context failure + consistently + * admin/ktutil.c (main): handle krb5_init_context failure + consistently + + * admin/get.c (kt_get): more error checking + +2000-12-29 Assar Westerlund + + * lib/asn1/asn1_print.c (loop): check for length longer than data. 
+ inspired by lha@stacken.kth.se + +2000-12-16 Johan Danielsson + + * admin/ktutil.8: reflect recent changes + + * admin/copy.c: don't copy an entry that already exists in the + keytab, and warn if the keyblock differs + +2000-12-15 Johan Danielsson + + * admin/Makefile.am: merge srvconvert and srvcreate with copy + + * admin/copy.c: merge srvconvert and srvcreate with copy + + * lib/krb5/Makefile.am: always build keytab_krb4.c + + * lib/krb5/context.c: always register the krb4 keytab functions + + * lib/krb5/krb5.h: declare krb4_ftk_ops + + * lib/krb5/keytab_krb4.c: We don't really need to include krb.h + here, since we only use the principal size macros, so define these + here. Theoretically someone could have a krb4 system where these + values are != 40, but this is unlikely, and + krb5_524_conv_principal also assume they are 40. + +2000-12-13 Johan Danielsson + + * lib/krb5/krb5.h: s/krb5_donot_reply/krb5_donot_replay/ + + * lib/krb5/replay.c: fix query-replace-o from MD5 API change, and + the struct is called krb5_donot_replay + +2000-12-12 Assar Westerlund + + * admin/srvconvert.c (srvconvert): do not use data after free:ing + it + +2000-12-11 Assar Westerlund + + * Release 0.3d + +2000-12-11 Assar Westerlund + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 14:0:0 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 6:3:0 + * lib/krb5/Makefile.am (libkrb5_la_LIBADD): add library + dependencies + +2000-12-10 Johan Danielsson + + * lib/krb5/auth_context.c: implement krb5_auth_con_{get,set}rcache + +2000-12-08 Assar Westerlund + + * lib/krb5/krb5.h (krb5_enctype): add ETYPE_DES3_CBC_NONE_IVEC as + a new pseudo-type + + * lib/krb5/crypto.c (DES_AFS3_CMU_string_to_key): always treat + cell names as lower case + (krb5_encrypt_ivec, krb5_decrypt_ivec): new functions that allow an + explicit ivec to be specified. fix all sub-functions. 
+ (DES3_CBC_encrypt_ivec): new function that takes an explicit ivec + +2000-12-06 Johan Danielsson + + * lib/krb5/Makefile.am: actually build replay cache code + + * lib/krb5/replay.c: implement krb5_get_server_rcache + + * kpasswd/kpasswdd.c: de-pointerise auth_context parameter to + krb5_mk_rep + + * lib/krb5/recvauth.c: de-pointerise auth_context parameter to + krb5_mk_rep + + * lib/krb5/mk_rep.c: auth_context should not be a pointer + + * lib/krb5/auth_context.c: implement krb5_auth_con_genaddrs, and + make setaddrs_from_fd use that + + * lib/krb5/krb5.h: add some more KRB5_AUTH_CONTEXT_* flags + +2000-12-05 Johan Danielsson + + * lib/krb5/Makefile.am: add kerberos.8 manpage + + * lib/krb5/cache.c: check for NULL remove_cred function + + * lib/krb5/fcache.c: pretend that empty files are non-existant + + * lib/krb5/get_addrs.c (find_all_addresses): use getifaddrs, from + Jason Thorpe + +2000-12-01 Assar Westerlund + + * configure.in: remove configure-time generation of krb5-config + * tools/Makefile.am: add generation of krb5-config at make-time + instead of configure-time + + * tools/krb5-config.in: add --prefix and --exec-prefix + +2000-11-30 Assar Westerlund + + * tools/Makefile.am: add krb5-config.1 + * tools/krb5-config.in: add kadm-client and kadm5-server as + libraries + +2000-11-29 Assar Westerlund + + * tools/krb5-config.in: add --prefix, --exec-prefix and gssapi + +2000-11-29 Johan Danielsson + + * configure.in: add roken/Makefile here, since it can't live in + rk_ROKEN + +2000-11-16 Assar Westerlund + + * configure.in: use the libtool -rpath, do not rely on ld + understanding -rpath + + * configure.in: fix the -Wl stuff for krb4 linking add some + gratuitous extra options when linking with an existing libdes + +2000-11-15 Assar Westerlund + + * lib/hdb/hdb.c (hdb_next_enctype2key): const-ize a little bit + * lib/Makefile.am (SUBDIRS): try to only build des when needed + * kuser/klist.c: print key versions numbers of v4 tickets in + verbose mode + + * 
kdc/kerberos5.c (tgs_rep2): adapt to new krb5_verify_ap_req2 + * appl/test/gss_common.c (read_token): remove unused variable + + * configure.in (krb4): add -Wl + (MD4Init et al): look for these in more libraries + (getmsg): only run test if we have the function + (AC_OUTPUT): create tools/krb5-config + + * tools/krb5-config.in: new script for storing flags to use + * Makefile.am (SUBDIRS): add tools + + * lib/krb5/get_cred.c (make_pa_tgs_req): update to new + krb5_mk_req_internal + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): allow different + usages for the encryption. change callers + * lib/krb5/rd_req.c (decrypt_authenticator): add an encryption + `usage'. also try the old + (and wrong) usage of KRB5_KU_AP_REQ_AUTH for backwards compatibility + (krb5_verify_ap_req2): new function for specifying the usage different + from the default (KRB5_KU_AP_REQ_AUTH) + * lib/krb5/build_auth.c (krb5_build_authenticator): add a `usage' + parameter to permit the generation of authenticators with + different crypto usage + + * lib/krb5/mk_req.c (krb5_mk_req_exact): new function that takes a + krb5_principal + (krb5_mk_req): use krb5_mk_req_exact + + * lib/krb5/mcache.c (mcc_close): free data + (mcc_destroy): don't free data + +2000-11-13 Assar Westerlund + + * lib/hdb/ndbm.c: handle both ndbm.h and gdbm/ndbm.h + * lib/hdb/hdb.c: handle both ndbm.h and gdbm/ndbm.h + +2000-11-12 Johan Danielsson + + * kdc/hpropd.8: remove extra .Xc + +2000-10-27 Johan Danielsson + + * kuser/kinit.c: fix v4 fallback lifetime calculation + +2000-10-10 Johan Danielsson + + * kdc/524.c: fix log messge + +2000-10-08 Assar Westerlund + + * lib/krb5/changepw.c (krb5_change_password): check for fd's being + too large to select on + * kpasswd/kpasswdd.c (add_new_tcp): check for the socket fd being + too large to select on + * kdc/connect.c (add_new_tcp): check for the socket fd being too + large to selct on + * kdc/connect.c (loop): check that the socket fd is not too large + to select on + * 
lib/krb5/send_to_kdc.c (recv_loop): check `fd' for being too + large to be able to select on + + * kdc/kaserver.c (do_authenticate): check for time skew + +2000-10-01 Assar Westerlund + + * kdc/524.c (set_address): allocate memory for storing addresses + in if the original request had an empty set of addresses + * kdc/524.c (set_address): fix bad return of pointer to automatic + data + + * config.sub: update to version 2000-09-11 (aka 1.181) from + subversions.gnu.org + + * config.guess: update to version 2000-09-05 (aka 1.156) from + subversions.gnu.org plus some minor tweaks + +2000-09-20 Assar Westerlund + + * Release 0.3c + +2000-09-19 Assar Westerlund + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to + 13:1:0 + + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 6:2:0 + +2000-09-17 Assar Westerlund + + * lib/krb5/rd_req.c (krb5_decrypt_ticket): plug some memory leak + (krb5_rd_req): try not to return an allocated auth_context on error + + * lib/krb5/log.c (krb5_vlog_msg): fix const-ness + +2000-09-10 Assar Westerlund + + * kdc/524.c: re-organize + * kdc/kerberos5.c (tgs_rep2): try to avoid leaking auth_context + * kdc/kerberos4.c (valid_princ): check return value of functions + (encode_v4_ticket): add some const + * kdc/misc.c (db_fetch): check malloc + (free_ent): new function + + * lib/krb5/log.c (krb5_vlog_msg): log just the format string it we + fail to allocate the actual string to log, should at least provide + some hint as to where things went wrong + +2000-09-10 Johan Danielsson + + * kdc/log.c: use DEFAULT_LOG_DEST + + * kdc/config.c: use _PATH_KDC_CONF + + * kdc/kdc_locl.h: add macro constants for kdc.conf, and kdc.log + +2000-09-09 Assar Westerlund + + * lib/krb5/crypto.c (_key_schedule): re-use an existing schedule + +2000-09-06 Johan Danielsson + + * configure.in: fix dpagaix test + +2000-09-05 Assar Westerlund + + * configure.in: with_dce -> enable_dce. 
noticed by Ake Sandgren + + +2000-09-01 Johan Danielsson + + * kdc/kstash.8: update manual page + + * kdc/kstash.c: fix typo, and remove unused option + + * lib/krb5/kerberos.7: short kerberos intro page + +2000-08-27 Assar Westerlund + + * include/bits.c: add __attribute__ for gcc's pleasure + * lib/hdb/keytab.c: re-write to delay the opening of the database + till it's known which principal is being sought, thereby allowing + the usage of multiple databases, however they need to be specified + in /etc/krb5.conf since all the programs using this keytab do not + read kdc.conf + + * appl/test/test_locl.h (keytab): add + * appl/test/common.c: add --keytab + * lib/krb5/crypto.c: remove trailing commas + (KRB5_KU_USAGE_SEQ): renamed from KRB5_KU_USAGE_MIC + +2000-08-26 Assar Westerlund + + * lib/krb5/send_to_kdc.c (send_via_proxy): handle `http://' at the + beginning of the proxy specification. use getaddrinfo correctly + (krb5_sendto): always return a return code + + * lib/krb5/krb5.h (KRB5_KU_USAGE_MIC): rename to KRB5_KU_USAGE_SEQ + * lib/krb5/auth_context.c (krb5_auth_con_free): handle + auth_context == NULL + +2000-08-23 Assar Westerlund + + * kdc/kerberos5.c (find_type): make sure of always setting + `ret_etype' correctly. 
clean-up structure some + +2000-08-23 Johan Danielsson + + * lib/krb5/mcache.c: implement resolve + +2000-08-18 Assar Westerlund + + * kuser/kdecode_ticket.c: check return value from krb5_crypto_init + * kdc/kerberos5.c, kdc/524.c: check return value from krb5_crypto_init + * lib/krb5/*.c: check return value from krb5_crypto_init + +2000-08-16 Assar Westerlund + + * Release 0.3b + +2000-08-16 Assar Westerlund + + * lib/krb5/Makefile.am: bump version to 13:0:0 + + * lib/hdb/Makefile.am: set version to 6:1:0 + + * configure.in: do getmsg testing the same way as in krb4 + + * lib/krb5/config_file.c (krb5_config_parse_file_debug): make sure + of closing the file on error + + * lib/krb5/crypto.c (encrypt_internal_derived): free the checksum + after use + + * lib/krb5/warn.c (_warnerr): initialize args to make third, + purify et al happy + +2000-08-13 Assar Westerlund + + * kdc/kerberos5.c: re-write search for keys code. loop over all + supported enctypes in order, looping over all keys of each type, + and picking the one with the v5 default salt preferably + +2000-08-10 Assar Westerlund + + * appl/test/gss_common.c (enet_read): add and use + * lib/krb5/krb5.h (heimdal_version, heimdal_long_version): make + const + + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): add comment on + checksum type selection + + * lib/krb5/context.c (krb5_init_context): do not leak memory on + failure + (default_etypes): prefer arcfour-hmac-md5 to des-cbc-md5 + + * lib/krb5/principal.c: add fnmatch.h + +2000-08-09 Assar Westerlund + + * configure.in: call AC_PROG_CC and AC_PROG_CPP to make sure later + checks that should require them don't fail + * acconfig.h: add HAVE_UINT17_T + +2000-08-09 Johan Danielsson + + * kdc/mit_dump.c: handle all sorts of weird MIT salt types + +2000-08-08 Johan Danielsson + + * doc/setup.texi: port 212 -> 2121 + + * lib/krb5/principal.c: krb5_principal_match + +2000-08-04 Johan Danielsson + + * lib/asn1/der_get.c: add comment on *why* DCE sometimes used BER + 
encoding + + * kpasswd/Makefile.am: link with pidfile library + + * kpasswd/kpasswdd.c: write a pid file + + * kpasswd/kpasswd_locl.h: util.h + + * kdc/Makefile.am: link with pidfile library + + * kdc/main.c: write a pid file + + * kdc/headers.h: util.h + +2000-08-04 Assar Westerlund + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): always put + hostnames in lower case + (default_v4_name_convert): add imap + +2000-08-03 Assar Westerlund + + * lib/krb5/crc.c (_krb5_crc_update): const-ize (finally) + +2000-07-31 Johan Danielsson + + * configure.in: check for uint*_t + * include/bits.c: define uint*_t + +2000-07-29 Assar Westerlund + + * kdc/kerberos5.c (check_tgs_flags): set endtime correctly when + renewing, From Derrick J Brashear + +2000-07-28 Assar Westerlund + + * Release 0.3a + +2000-07-27 Assar Westerlund + + * kdc/hprop.c (dump_database): write an empty message to signal + end of dump + +2000-07-26 Assar Westerlund + + * lib/krb5/changepw.c (krb5_change_password): try to be more + careful when not to resend + + * lib/hdb/db3.c: always create a cursor with db3. From Derrick J + Brashear + +2000-07-25 Johan Danielsson + + * lib/hdb/Makefile.am: bump version to 6:0:0 + + * lib/asn1/Makefile.am: bump version to 3:0:1 + + * lib/krb5/Makefile.am: bump version to 12:0:1 + + * lib/krb5/krb5_config.3: manpage + + * lib/krb5/krb5_appdefault.3: manpage + + * lib/krb5/appdefault.c: implementation of the krb5_appdefault set + of functions + +2000-07-23 Assar Westerlund + + * lib/krb5/init_creds_pw.c (change_password): reset forwardable + and proxiable. 
copy preauthentication list correctly from + supplied options + + * kdc/hpropd.c (main): check that the ticket was for `hprop/' for + paranoid reasons + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): look in + aliases for the real name + +2000-07-22 Johan Danielsson + + * doc/setup.texi: say something about starting kadmind from the + command line + +2000-07-22 Assar Westerlund + + * kpasswd/kpasswdd.c: use kadm5_s_chpass_principal_cond instead of + mis-doing it here + + * lib/krb5/changepw.c (krb5_change_password): make timeout 1 + + 2^{0,1,...}. also keep track if we got an old packet back and + then just wait without sending a new packet + * lib/krb5/changepw.c: use a datagram socket and remove the + sequence numbers + * lib/krb5/changepw.c (krb5_change_password): clarify an + expression, avoiding a warning + +2000-07-22 Johan Danielsson + + * kuser/klist.c: make -a and -n aliases for -v + + * lib/krb5/write_message.c: ws + + * kdc/hprop-common.c: nuke extra definitions of + krb5_read_priv_message et.al + + * lib/krb5/read_message.c (krb5_read_message): return error if EOF + +2000-07-20 Assar Westerlund + + * kpasswd/kpasswd.c: print usage consistently + * kdc/hprop.h (HPROP_KEYTAB): use HDB for the keytab + * kdc/hpropd.c: add --keytab + * kdc/hpropd.c: don't care what principal we recvauth as + + * lib/krb5/get_cred.c: be more careful of not returning creds at + all when an error is returned + * lib/krb5/fcache.c (fcc_gen_new): do mkstemp correctly + +2000-07-19 Johan Danielsson + + * fix-export: use autoreconf + + * configure.in: remove stuff that belong in roken, and remove some + obsolete constructs + +2000-07-18 Johan Danielsson + + * configure.in: fix some typos + + * appl/Makefile.am: dceutil*s* + + * missing: update to missing from automake 1.4a + +2000-07-17 Johan Danielsson + + * configure.in: try to get xlc flags from ibmcxx.cfg use + conditional for X use readline cf macro + + * configure.in: subst AIX compiler flags + +2000-07-15 Johan 
Danielsson + + * configure.in: pass sixth parameter to test-package; use some + newer autoconf constructs + + * ltmain.sh: update to libtool 1.3c + + * ltconfig: update to libtool 1.3c + + * configure.in: update this to newer auto*/libtool + + * appl/Makefile.am: use conditional for dce + + * lib/Makefile.am: use conditional for dce + +2000-07-11 Johan Danielsson + + * lib/krb5/write_message.c: krb5_write_{priv,save}_message + * lib/krb5/read_message.c: krb5_read_{priv,save}_message + * lib/krb5/convert_creds.c: try port kerberos/88 if no response on + krb524/4444 + + * lib/krb5/convert_creds.c: use krb5_sendto + + * lib/krb5/send_to_kdc.c: add more generic krb5_sendto that send + to a port at arbitrary list of hosts + +2000-07-10 Johan Danielsson + + * doc/misc.texi: language; say something about kadmin del_enctype + +2000-07-10 Assar Westerlund + + * appl/kf/Makefile.am: actually install + +2000-07-08 Assar Westerlund + + * configure.in (AM_INIT_AUTOMAKE): bump to 0.3a-pre + (AC_ROKEN): roken is now at 10 + + * lib/krb5/string-to-key-test.c: add a arcfour-hmac-md5 test case + * kdc/Makefile.am (INCLUDES): add ../lib/krb5 + * configure.in: update for standalone roken + * lib/Makefile.am (SUBDIRS): make roken conditional + * kdc/hprop.c: update to new hdb_seal_keys_mkey + * lib/hdb/mkey.c (_hdb_unseal_keys_int, _hdb_seal_keys_int): + rename and export them + + * kdc/headers.h: add krb5_locl.h (since we just use some stuff + from there) + +2000-07-08 Johan Danielsson + + * kuser/klist.1: update for -f and add some more text for -v + + * kuser/klist.c: use rtbl to format cred listing, add -f and -s + + * lib/krb5/crypto.c: fix type in des3-cbc-none + + * lib/hdb/mkey.c: add key usage + + * kdc/kstash.c: remove writing of old keyfile, and treat + --convert-file as just reading and writing the keyfile without + asking for a new key + + * lib/hdb/mkey.c (read_master_encryptionkey): handle old keytype + based files, and convert the key to cfb64 + + * lib/hdb/mkey.c 
(hdb_read_master_key): set mkey to NULL before + doing anything else + + * lib/krb5/send_to_kdc.c: use krb5_eai_to_heim_errno + + * lib/krb5/get_for_creds.c: use krb5_eai_to_heim_errno + + * lib/krb5/changepw.c: use krb5_eai_to_heim_errno + + * lib/krb5/addr_families.c: use krb5_eai_to_heim_errno + + * lib/krb5/eai_to_heim_errno.c: convert getaddrinfo error codes to + something that can be passed to get_err_text + +2000-07-07 Assar Westerlund + + * lib/hdb/hdb.c (hdb_next_enctype2key): make sure of skipping + `*key' + + * kdc/kerberos4.c (get_des_key): rewrite some, be more careful + +2000-07-06 Assar Westerlund + + * kdc/kerberos5.c (as_rep): be careful as to now overflowing when + calculating the end of lifetime of a ticket. + + * lib/krb5/context.c (default_etypes): add ETYPE_ARCFOUR_HMAC_MD5 + + * lib/hdb/db3.c: only use a cursor when needed, from Derrick J + Brashear + + * lib/krb5/crypto.c: introduce the `special' encryption methods + that are not like all other encryption methods and implement + arcfour-hmac-md5 + +2000-07-05 Johan Danielsson + + * kdc/mit_dump.c: set initial master key version number to 0 + instead of 1; if we lated bump the mkvno we don't risk using the + wrong key to decrypt + + * kdc/hprop.c: only get master key if we're actually going to use + it; enable reading of MIT krb5 dump files + + * kdc/mit_dump.c: read MIT krb5 dump files + + * lib/hdb/mkey.c (read_master_mit): fix this + + * kdc/kstash.c: make this work with the new mkey code + + * lib/hdb/Makefile.am: add mkey.c, and bump version number + + * lib/hdb/hdb.h: rewrite master key handling + + * lib/hdb/mkey.c: rewrite master key handling + + * lib/krb5/crypto.c: add some more pseudo crypto types + + * lib/krb5/krb5.h: change some funny etypes to use negative + numbers, and add some more + +2000-07-04 Assar Westerlund + + * lib/krb5/krbhst.c (get_krbhst): only try SRV lookup if there are + none in the configuration file + +2000-07-02 Assar Westerlund + + * 
lib/krb5/keytab_keyfile.c (akf_add_entry): remove unused + variable + + * kpasswd/kpasswd-generator.c: new test program + * kpasswd/Makefile.am: add kpasswd-generator + + * include/Makefile.am (CLEANFILES): add rc4.h + + * kuser/generate-requests.c: new test program + * kuser/Makefile.am (noinst_PROGRAMS): add generate-requests + +2000-07-01 Assar Westerlund + + * configure.in: add --enable-dce and related stuff + * appl/Makefile.am (SUBDIRS): add $(APPL_dce) + +2000-06-29 Assar Westerlund + + * kdc/kerberos4.c (get_des_key): fix thinkos/typos + +2000-06-29 Johan Danielsson + + * admin/purge.c: use parse_time to parse age + + * lib/krb5/log.c (krb5_vlog_msg): use krb5_format_time + + * admin/list.c: add printing of timestamp and key data; some + cleanup + + * lib/krb5/time.c (krb5_format_time): new function to format time + + * lib/krb5/context.c (init_context_from_config_file): init + date_fmt, also do some cleanup + + * lib/krb5/krb5.h: add date_fmt to context + +2000-06-28 Johan Danielsson + + * kdc/{kerberos4,kaserver,524}.c (get_des_key): change to return + v4 or afs keys if possible + +2000-06-25 Johan Danielsson + + * kdc/hprop.c (ka_convert): allow using null salt, and treat 0 + pw_expire as never (from Derrick Brashear) + +2000-06-24 Johan Danielsson + + * kdc/connect.c (add_standard_ports): only listen to port 750 if + serving v4 requests + +2000-06-22 Assar Westerlund + + * lib/asn1/lex.l: fix includes, and lex stuff + * lib/asn1/lex.h (error_message): update prototype + (yylex): add + * lib/asn1/gen_length.c (length_type): fail on malloc error + * lib/asn1/gen_decode.c (decode_type): fail on malloc error + +2000-06-21 Assar Westerlund + + * lib/krb5/get_for_creds.c: be more compatible with MIT code. + From Daniel Kouril + * lib/krb5/rd_cred.c: be more compatible with MIT code. From + Daniel Kouril + * kdc/kerberos5.c (get_pa_etype_info): do not set salttype if it's + vanilla pw-salt, that keeps win2k happy. also do the malloc check + correctly. 
From Daniel Kouril + +2000-06-21 Johan Danielsson + + * kdc/hprop.c: add hdb keytabs + +2000-06-20 Johan Danielsson + + * lib/krb5/principal.c: back out rev. 1.64 + +2000-06-19 Johan Danielsson + + * kdc/kerberos5.c: pa_* -> KRB5_PADATA_* + + * kdc/hpropd.c: add realm override flag + + * kdc/v4_dump.c: code for reading krb4 dump files + + * kdc/hprop.c: generalize source database handing, add support for + non-standard local realms (from by Daniel Kouril + and Miroslav Ruda ), and + support for using different ports (requested by the Czechs, but + implemented differently) + + * lib/krb5/get_cred.c: pa_* -> KRB5_PADATA_* + + * lib/krb5/get_in_tkt.c: pa_* -> KRB5_PADATA_* + + * lib/krb5/krb5.h: use some definitions from asn1.h + + * lib/hdb/hdb.asn1: use new import syntax + + * lib/asn1/k5.asn1: use distinguished value integers + + * lib/asn1/gen_length.c: support for distinguished value integers + + * lib/asn1/gen_encode.c: support for distinguished value integers + + * lib/asn1/gen_decode.c: support for distinguished value integers + + * lib/asn1/gen.c: support for distinguished value integers + + * lib/asn1/lex.l: add support for more standards like import + statements + + * lib/asn1/parse.y: add support for more standards like import + statements, and distinguished value integers + +2000-06-11 Assar Westerlund + + * lib/krb5/get_for_creds.c (add_addrs): ignore addresses of + unknown type + * lib/krb5/get_for_creds.c (add_addrs): zero memory before + starting to copy memory + +2000-06-10 Assar Westerlund + + * lib/krb5/test_get_addrs.c: test program for get_addrs + * lib/krb5/get_addrs.c (find_all_addresses): remember to add in + the size of ifr->ifr_name when using SA_LEN. 
noticed by Ken + Raeburn + +2000-06-07 Assar Westerlund + + * configure.in: add db3 detection stuff do not use streamsptys on + HP-UX 11 + * lib/hdb/hdb.h (HDB): add dbc for db3 + * kdc/connect.c (add_standard_ports): also listen on krb524 aka + 4444 + * etc/services.append (krb524): add + * lib/hdb/db3.c: add berkeley db3 interface. contributed by + Derrick J Brashear + * lib/hdb/hdb.h (struct HDB): add + +2000-06-07 Johan Danielsson + + * kdc/524.c: if 524 is not enabled, just generate error reply and + exit + + * kdc/kerberos4.c: if v4 is not enabled, just generate error reply + and exit + + * kdc/connect.c: only listen to port 4444 if 524 is enabled + + * kdc/config.c: add options to enable/disable v4 and 524 requests + +2000-06-06 Johan Danielsson + + * kdc/524.c: handle non-existant server principals (from Daniel + Kouril) + +2000-06-03 Assar Westerlund + + * admin/ktutil.c: print name when failing to open keytab + + * kuser/kinit.c: try also to fallback to v4 when no KDC is found + +2000-05-28 Assar Westerlund + + * kuser/klist.c: continue even we have no v5 ccache. 
make showing + your krb4 tickets the default (if build with krb4 support) + * kuser/kinit.c: add a fallback that tries to get a v4 ticket if + built with krb4 support and we got back a version error from the + KDC + +2000-05-23 Johan Danielsson + + * lib/krb5/keytab_keyfile.c: make this actually work + +2000-05-19 Assar Westerlund + + * lib/krb5/store_emem.c (emem_store): make it write-compatible + * lib/krb5/store_fd.c (fd_store): make it write-compatible + * lib/krb5/store_mem.c (mem_store): make it write-compatible + * lib/krb5/krb5.h (krb5_storage): make store write-compatible + +2000-05-18 Assar Westerlund + + * configure.in: add stdio.h in dbopen test + +2000-05-16 Assar Westerlund + + * Release 0.2t + +2000-05-16 Assar Westerlund + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:1:0 + * lib/krb5/fcache.c: fix second lseek + * lib/krb5/principal.c (krb5_524_conv_principal): fix typo + +2000-05-15 Assar Westerlund + + * Release 0.2s + +2000-05-15 Assar Westerlund + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 11:0:0 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 4:2:1 + * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump to 2:0:0 + * lib/krb5/principal.c (krb5_524_conv_principal): comment-ize, and + simplify string copying + +2000-05-12 Assar Westerlund + + * lib/krb5/fcache.c (scrub_file): new function + (erase_file): re-write, use scrub_file + * lib/krb5/krb5.h (KRB5_DEFAULT_CCFILE_ROOT): add + + * configure.in (dbopen): add header files + + * lib/krb5/krb5.h (krb5_key_usage): add some more + * lib/krb5/fcache.c (erase_file): try to detect symlink games. + also call revoke. 
+ * lib/krb5/changepw.c (krb5_change_password): remember to close + the socket on error + + * kdc/main.c (main): also call sigterm on SIGTERM + +2000-05-06 Assar Westerlund + + * lib/krb5/config_file.c (krb5_config_vget_string_default, + krb5_config_get_string_default): add + +2000-04-25 Assar Westerlund + + * lib/krb5/fcache.c (fcc_initialize): just forget about + over-writing the old cred cache. it's too much of a hazzle trying + to do this safely. + +2000-04-11 Assar Westerlund + + * lib/krb5/crypto.c (krb5_get_wrapped_length): rewrite into + different parts for the derived and non-derived cases + * lib/krb5/crypto.c (krb5_get_wrapped_length): the padding should + be done after having added confounder and checksum + +2000-04-09 Assar Westerlund + + * lib/krb5/get_addrs.c (find_all_addresses): apperently solaris + can return EINVAL when the buffer is too small. cope. + * lib/asn1/Makefile.am (gen_files): add asn1_UNSIGNED.x + * lib/asn1/gen_locl.h (filename): add prototype + (init_generate): const-ize + * lib/asn1/gen.c (filename): new function clean-up a little bit. + * lib/asn1/parse.y: be more tolerant in ranges + * lib/asn1/lex.l: count lines correctly. 
+ (error_message): print filename in messages + +2000-04-08 Assar Westerlund + + * lib/krb5/rd_safe.c (krb5_rd_safe): increment sequence number + after comparing + * lib/krb5/rd_priv.c (krb5_rd_priv): increment sequence number + after comparing + * lib/krb5/mk_safe.c (krb5_mk_safe): make `tmp_seq' unsigned + * lib/krb5/mk_priv.c (krb5_mk_priv): make `tmp_seq' unsigned + * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): make + `seqno' be unsigned + * lib/krb5/mk_safe.c (krb5_mk_safe): increment local sequence + number after the fact and only increment it if we were successful + * lib/krb5/mk_priv.c (krb5_mk_priv): increment local sequence + number after the fact and only increment it if we were successful + * lib/krb5/krb5.h (krb5_auth_context_data): make sequence number + unsigned + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): + `in_tkt_service' can be NULL + +2000-04-06 Assar Westerlund + + * lib/asn1/parse.y: regonize INTEGER (0..UNIT_MAX). + (DOTDOT): add + * lib/asn1/lex.l (DOTDOT): add + * lib/asn1/k5.asn1 (UNSIGNED): add. use UNSIGNED for all sequence + numbers. + * lib/asn1/gen_length.c (length_type): add TUInteger + * lib/asn1/gen_free.c (free_type): add TUInteger + * lib/asn1/gen_encode.c (encode_type, generate_type_encode): add + TUInteger + * lib/asn1/gen_decode.c (decode_type, generate_type_decode): add + TUInteger + * lib/asn1/gen_copy.c (copy_type): add TUInteger + * lib/asn1/gen.c (define_asn1): add TUInteger + * lib/asn1/der_put.c (encode_unsigned): add + * lib/asn1/der_length.c (length_unsigned): add + * lib/asn1/der_get.c (decode_unsigned): add + * lib/asn1/der.h (decode_unsigned, encode_unsigned, + length_unsigned): add prototypes + + * lib/asn1/k5.asn1: update pre-authentication types + * lib/krb5/krb5_err.et: add some error codes from pkinit + +2000-04-05 Assar Westerlund + + * lib/hdb/hdb.c: add support for hdb methods (aka back-ends). + include ldap. 
+ * lib/hdb/hdb-ldap.c: tweak the ifdef to OPENLDAP + * lib/hdb/Makefile.am: add hdb-ldap.c and openldap + * kdc/Makefile.am, kpasswd/Makefile.am, kadmin/Makefile.am: add + * configure.in: bump version to 0.2s-pre add options and testing + for (open)ldap + +2000-04-04 Assar Westerlund + + * configure.in (krb4): fix the krb_mk_req test + +2000-04-03 Assar Westerlund + + * configure.in (krb4): add test for const arguments to krb_mk_req + * lib/45/mk_req.c (krb_mk_req): conditionalize const-ness of + arguments + +2000-04-03 Assar Westerlund + + * Release 0.2r + +2000-04-03 Assar Westerlund + + * lib/krb5/Makefile.am: set version to 10:0:0 + * lib/45/mk_req.c (krb_mk_req): const-ize the arguments + +2000-03-30 Assar Westerlund + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): add some + comments. add fall-back on adding the realm name in lower case. + +2000-03-29 Assar Westerlund + + * kdc/connect.c: remember to repoint all descr->sa to _ss after + realloc as this might have moved the memory around. problem + discovered and diagnosed by Brandon S. Allbery + +2000-03-27 Assar Westerlund + + * configure.in: recognize solaris 2.8 + * config.guess, config.sub: update to current version from + :pserver:anoncvs@subversions.gnu.org:/home/cvs + + * lib/krb5/init_creds_pw.c (print_expire): do not assume anything + about the size of time_t, i.e. make it 64-bit happy + +2000-03-13 Assar Westerlund + + * kuser/klist.c: add support for display v4 tickets + +2000-03-11 Assar Westerlund + + * kdc/kaserver.c (do_authenticate, do_getticket): call check_flags + * kdc/kerberos4.c (do_version4): call check_flags. + * kdc/kerberos5.c (check_flags): make global + +2000-03-10 Assar Westerlund + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): evil + hack to avoid recursion + +2000-03-04 Assar Westerlund + + * kuser/kinit.c: add `krb4_get_tickets' per realm. 
add --anonymous + * lib/krb5/krb5.h (krb5_get_init_creds_opt): add `anonymous' and + KRB5_GET_INIT_CREDS_OPT_ANONYMOUS + * lib/krb5/init_creds_pw.c (get_init_creds_common): set + request_anonymous flag appropriatly + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_anonymous): + add + + * lib/krb5/get_in_tkt.c (_krb5_extract_ticket): new parameter to + determine whetever to ignore client name of not. always copy + client name from kdc. fix callers. + + * kdc: add support for anonymous tickets + + * kdc/string2key.8: add man-page for string2key + +2000-03-03 Assar Westerlund + + * kdc/hpropd.c (dump_krb4): get expiration date from `valid_end' + and not `pw_end' + + * kdc/kadb.h (ka_entry): fix name pw_end -> valid_end. add some + more fields + + * kdc/hprop.c (v4_prop): set the `valid_end' from the v4 + expiration date instead of the `pw_expire' + (ka_convert): set `valid_end' from ka expiration data and `pw_expire' + from pw_change + pw_expire + (main): add a default database for ka dumping + +2000-02-28 Assar Westerlund + + * lib/krb5/context.c (init_context_from_config_file): change + rfc2052 default to no. 2782 says that underscore should be used. + +2000-02-24 Assar Westerlund + + * lib/krb5/fcache.c (fcc_initialize, fcc_store_cred): verify that + stores and close succeed + * lib/krb5/store.c (krb5_store_creds): check to see that the + stores are succesful. 
+ +2000-02-23 Assar Westerlund + + * Release 0.2q + +2000-02-22 Assar Westerlund + + * lib/krb5/Makefile.am: set version to 9:2:0 + + * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): copy + the correct hostname + + * kdc/connect.c (add_new_tcp): use the correct entries in the + descriptor table + * kdc/connect.c: initialize `descr' uniformly and correctly + +2000-02-20 Assar Westerlund + + * Release 0.2p + +2000-02-19 Assar Westerlund + + * lib/krb5/Makefile.am: set version to 9:1:0 + + * lib/krb5/expand_hostname.c (krb5_expand_hostname): make sure + that realms is filled in even when getaddrinfo fails or does not + return any canonical name + + * kdc/connect.c (descr): add sockaddr and string representation + (*): re-write to use the above mentioned + +2000-02-16 Assar Westerlund + + * lib/krb5/addr_families.c (krb5_parse_address): use + krb5_sockaddr2address to copy the result from getaddrinfo. + +2000-02-14 Assar Westerlund + + * Release 0.2o + +2000-02-13 Assar Westerlund + + * lib/krb5/Makefile.am: set version to 9:0:0 + + * kdc/kaserver.c (do_authenticate): return the kvno of the server + and not the client. Thanks to Brandon S. Allbery KF8NH + and Chaskiel M Grundman + for debugging. + + * kdc/kerberos4.c (do_version4): if an tgs-req is received with an + old kvno, return an error reply and write a message in the log. + +2000-02-12 Assar Westerlund + + * appl/test/gssapi_server.c (proto): with `--fork', create a child + and send over/receive creds with export/import_sec_context + * appl/test/gssapi_client.c (proto): with `--fork', create a child + and send over/receive creds with export/import_sec_context + * appl/test/common.c: add `--fork' / `-f' (only used by gssapi) + +2000-02-11 Assar Westerlund + + * kdc/kdc_locl.h: remove keyfile add explicit_addresses + * kdc/connect.c (init_sockets): pay attention to + explicit_addresses some more comments. better error messages. + * kdc/config.c: add some comments. + remove --key-file. + add --addresses. 
+ + * lib/krb5/context.c (krb5_set_extra_addresses): const-ize and use + proper abstraction + +2000-02-07 Johan Danielsson + + * lib/krb5/changepw.c: use roken_getaddrinfo_hostspec + +2000-02-07 Assar Westerlund + + * Release 0.2n + +2000-02-07 Assar Westerlund + + * lib/krb5/Makefile.am: set version to 8:0:0 + * lib/krb5/keytab.c (krb5_kt_default_name): use strlcpy + (krb5_kt_add_entry): set timestamp + +2000-02-06 Assar Westerlund + + * lib/krb5/krb5.h: add macros for accessing krb5_realm + * lib/krb5/time.c (krb5_timeofday): use `krb5_timestamp' instead + of `int32_t' + + * lib/krb5/replay.c (checksum_authenticator): update to new API + for md5 + + * lib/krb5/krb5.h: remove des.h, it's not needed and applications + should not have to make sure to find it. + +2000-02-03 Assar Westerlund + + * lib/krb5/rd_req.c (get_key_from_keytab): rename parameter to + `out_key' to avoid conflicting with label. reported by Sean Doran + + +2000-02-02 Assar Westerlund + + * lib/krb5/expand_hostname.c: remember to lower-case host names. + bug reported by + + * kdc/kerberos4.c (do_version4): look at check_ticket_addresses + and emulate that by setting krb_ignore_ip_address (not a great + interface but it doesn't seem like the time to go around fixing + libkrb stuff now) + +2000-02-01 Johan Danielsson + + * kuser/kinit.c: change --noaddresses into --no-addresses + +2000-01-28 Assar Westerlund + + * kpasswd/kpasswd.c (main): make sure the ticket is not + forwardable and not proxiable + +2000-01-26 Assar Westerlund + + * lib/krb5/crypto.c: update to pseudo-standard APIs for + md4,md5,sha. some changes to libdes calls to make them more + portable. + +2000-01-21 Assar Westerlund + + * lib/krb5/verify_init.c (krb5_verify_init_creds): make sure to + clean up the correct creds. + +2000-01-16 Assar Westerlund + + * lib/krb5/principal.c (append_component): change parameter to + `const char *'. 
check malloc + * lib/krb5/principal.c (append_component, va_ext_princ, va_princ): + const-ize + * lib/krb5/mk_req.c (krb5_mk_req): make `service' and `hostname' + const + * lib/krb5/principal.c (replace_chars): also add space here + * lib/krb5/principal.c: (quotable_chars): add space + +2000-01-12 Assar Westerlund + + * kdc/kerberos4.c (do_version4): check if preauth was required and + bail-out if so since there's no way that could be done in v4. + Return NULL_KEY as an error to the client (which is non-obvious, + but what can you do?) + +2000-01-09 Assar Westerlund + + * lib/krb5/principal.c (krb5_sname_to_principal): use + krb5_expand_hostname_realms + * lib/krb5/mk_req.c (krb5_km_req): use krb5_expand_hostname_realms + * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): new + variant of krb5_expand_hostname that tries until it expands into + something that's digestable by krb5_get_host_realm, returning also + the result from that function. + +2000-01-08 Assar Westerlund + + * Release 0.2m + +2000-01-08 Assar Westerlund + + * configure.in: replace AC_C_BIGENDIAN with KRB_C_BIGENDIAN + + * lib/krb5/Makefile.am: bump version to 7:1:0 + + * lib/krb5/principal.c (krb5_sname_to_principal): use + krb5_expand_hostname + * lib/krb5/expand_hostname.c (krb5_expand_hostname): handle + ai_canonname being set in any of the addresses returnedby + getaddrinfo. glibc apparently returns the reverse lookup of every + address in ai_canonname. 
+ +2000-01-06 Assar Westerlund + + * Release 0.2l + +2000-01-06 Assar Westerlund + + * lib/krb5/Makefile.am: set version to 7:0:0 + * lib/krb5/principal.c (krb5_sname_to_principal): remove `hp' + + * lib/hdb/Makefile.am: set version to 4:1:1 + + * kdc/hpropd.c (dump_krb4): use `krb5_get_default_realms' + * lib/krb5/get_in_tkt.c (add_padata): change types to make + everything work out + (krb5_get_in_cred): remove const to make types match + * lib/krb5/crypto.c (ARCFOUR_string_to_key): correct signature + * lib/krb5/principal.c (krb5_sname_to_principal): handle not + getting back a canonname + +2000-01-06 Assar Westerlund + + * Release 0.2k + +2000-01-06 Assar Westerlund + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc): advance colon so that + we actually parse the port number. based on a patch from Leif + Johansson + +2000-01-02 Assar Westerlund + + * admin/purge.c: remove all non-current and old entries from a + keytab + + * admin: break up ktutil.c into files + + * admin/ktutil.c (list): support --verbose (also listning time + stamps) + (kt_add, kt_get): set timestamp in newly created entries + (kt_change): add `change' command + + * admin/srvconvert.c (srvconv): set timestamp in newly created + entries + * lib/krb5/keytab_keyfile.c (akf_next_entry): set timetsamp, + always go the a predicatble position on error + * lib/krb5/keytab.c (krb5_kt_copy_entry_contents): copy timestamp + * lib/krb5/keytab_file.c (fkt_add_entry): store timestamp + (fkt_next_entry_int): return timestamp + * lib/krb5/krb5.h (krb5_keytab_entry): add timestamp diff --git a/third_party/heimdal/ChangeLog.2001 b/third_party/heimdal/ChangeLog.2001 new file mode 100644 index 0000000..b048488 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2001 
@@ -0,0 +1,1122 @@ +2001-12-20 Johan Danielsson + + * lib/krb5/crypto.c: use our own des string-to-key function, since + the one from openssl sometimes generates wrong output + +2001-12-05 Jacques Vidrine + + * lib/hdb/mkey.c: fix a bug in which kstash would crash if + there were no /etc/krb5.conf + +2001-11-09 Johan Danielsson + + * lib/krb5/krb5_verify_user.3: sort references (from Thomas + Klausner) + + * lib/krb5/krb5_principal_get_realm.3: add section to reference + (from Thomas Klausner) + + * lib/krb5/krb5_krbhst_init.3: sort references (from Thomas + Klausner) + + * lib/krb5/krb5_keytab.3: white space fixes (from Thomas Klausner) + + * lib/krb5/krb5_get_krbhst.3: remove extra white space (from + Thomas Klausner) + + * lib/krb5/krb5_get_all_client_addrs.3: add section to reference + (from Thomas Klausner) + +2001-10-29 Jacques Vidrine + + * admin/get.c: fix a bug in which a reference to a data + structure on the stack was being kept after the containing + function's lifetime, resulting in a segfault during `ktutil + get'. + +2001-10-22 Assar Westerlund + + * lib/krb5/crypto.c: make all high-level encrypting and decrypting + functions check the return value of the underlying function and + handle errors more consistently. 
noted by Sam Hartman + + +2001-10-21 Assar Westerlund + + * lib/krb5/crypto.c (enctype_arcfour_hmac_md5): actually use a + non-keyed checksum when it should be non-keyed + +2001-09-29 Assar Westerlund + + * kuser/kinit.1: add the kauth alias + * kuser/kinit.c: allow specification of afslog in krb5.conf, noted + by jhutz@cs.cmu.edu + +2001-09-27 Assar Westerlund + + * lib/asn1/gen.c: remove the need for libasn1.h, also make + generated files include all files from IMPORTed modules + + * lib/krb5/krb5.h (KRB5_KPASSWD_*): set correct values + * kpasswd/kpasswd.c: improve error message printing + * lib/krb5/changepw.c (krb5_passwd_result_to_string): add change + to use sequence numbers connect the udp socket so that we can + figure out the local address + +2001-09-25 Assar Westerlund + + * lib/asn1: implement OBJECT IDENTIFIER and ENUMERATED + +2001-09-20 Johan Danielsson + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): try using + lower case realm as domain, but only when given a verification + function + +2001-09-20 Assar Westerlund + + * lib/asn1/der_put.c (der_put_length): do not even try writing + anything when len == 0 + +2001-09-18 Johan Danielsson + + * kdc/hpropd.c: add realm override option + + * lib/krb5/set_default_realm.c (krb5_set_default_realm): make + realm parameter const + + * kdc/hprop.c: more free's + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_keytab): free key + proc data + + * lib/krb5/expand_hostname.c (krb5_expand_hostname_realms): free + addrinfo + + * lib/hdb/mkey.c (hdb_set_master_keyfile): clear error string when + not returning error + +2001-09-16 Assar Westerlund + + * lib/krb5/appdefault.c (krb5_appdefault_{boolean,string,time): + make realm const + + * lib/krb5/crypto.c: use des functions to avoid generating + warnings with openssl's prototypes + +2001-09-05 Johan Danielsson + + * configure.in: check for termcap.h + + * lib/asn1/lex.l: add another undef ECHO to keep AIX lex happy + +2001-09-03 Assar Westerlund + + * 
lib/krb5/addr_families.c (krb5_print_address): handle snprintf + returning < 0. noticed by hin@stacken.kth.se + +2001-09-03 Assar Westerlund + + * Release 0.4e + +2001-09-02 Johan Danielsson + + * kuser/Makefile.am: install kauth as a symlink to kinit + + * kuser/kinit.c: get v4_tickets by default + + * lib/asn1/Makefile.am: fix for broken automake + +2001-08-31 Johan Danielsson + + * lib/hdb/hdb-ldap.c: some pretty much untested changes from Luke + Howard + + * kuser/kinit.1: remove references to kauth + + * kuser/Makefile.am: kauth is no more + + * kuser/kinit.c: use appdefaults for everything. defaults are now + as in kauth. + + * lib/krb5/appdefault.c: also check libdefaults, and realms/realm + + * lib/krb5/context.c (krb5_free_context): free more stuff + +2001-08-30 Johan Danielsson + + * lib/krb5/verify_krb5_conf.c: do some checks of the values in the + file + + * lib/krb5/krb5.conf.5: remove srv_try_txt, fix spelling + + * lib/krb5/context.c: don't init srv_try_txt, since it isn't used + anymore + +2001-08-29 Jacques Vidrine + + * configure.in: Check for already-installed com_err. + +2001-08-28 Assar Westerlund + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set versoin to 18:2:1 + +2001-08-24 Assar Westerlund + + * kuser/Makefile.am: remove CHECK_LOCAL - non bin programs require + no special treatment now + + * kuser/generate-requests.c: parse arguments in a useful way + * kuser/kverify.c: add --help/--verify + +2001-08-22 Assar Westerlund + + * configure.in: bump prereq to 2.52 remove unused test_LIB_KRB4 + + * configure.in: re-write the handling of crypto libraries. try to + use the one of openssl's libcrypto or krb4's libdes that has all + the required functionality (md4, md5, sha1, des, rc4). if there + is no such library, the included lib/des is built. 
+ + * kdc/headers.h: include libutil.h if it exists + * kpasswd/kpasswd_locl.h: include libutil.h if it exists + * kdc/kerberos4.c (get_des_key): check for null keys even if + is_server + +2001-08-21 Assar Westerlund + + * lib/asn1/asn1_print.c: print some size_t correctly + * configure.in: remove extra space after -L check for libutil.h + +2001-08-17 Johan Danielsson + + * kdc/kdc_locl.h: fix prototype for get_des_key + + * kdc/kaserver.c: fix call to get_des_key + + * kdc/524.c: fix call to get_des_key + + * kdc/kerberos4.c (get_des_key): if getting a key for a server, + return any des-key not just keys that can be string-to-keyed by + the client + +2001-08-10 Assar Westerlund + + * Release 0.4d + +2001-08-10 Assar Westerlund + + * configure.in: check for openpty + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:4:0 + +2001-08-08 Assar Westerlund + + * configure.in: just add -L (if required) from krb4 when testing + for libdes/libcrypto + +2001-08-04 Assar Westerlund + + * lib/krb5/Makefile.am (man_MANS): add some missing man pages + * fix-export: fix the sed expression for finding the man pages + +2001-07-31 Assar Westerlund + + * kpasswd/kpasswd-generator.c (main): implement --version and + --help + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): update version to + 18:1:1 + +2001-07-27 Assar Westerlund + + * lib/krb5/context.c (init_context_from_config_file): check + parsing of addresses + +2001-07-26 Assar Westerlund + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): rename + sa_len -> salen to avoid the macro that's defined on irix. noted + by "Jacques A. 
Vidrine" + +2001-07-24 Johan Danielsson + + * lib/krb5/addr_families.c: add support for type + KRB5_ADDRESS_ADDRPORT + + * lib/krb5/addr_families.c (krb5_address_order): complain about + unsuppored address types + +2001-07-23 Johan Danielsson + + * admin/get.c: don't open connection to server until we loop over + the principals, at that time we know the realm of the (first) + principal and we can default to that admin server + + * admin: add a rename command + +2001-07-19 Assar Westerlund + + * kdc/hprop.c (usage): clarify a tiny bit + +2001-07-19 Assar Westerlund + + * Release 0.4c + +2001-07-19 Assar Westerlund + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to + 18:0:1 + + * lib/krb5/get_for_creds.c (krb5_fwd_tgt_creds): make it behave + the same way as the MIT function + + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:3:0 + * lib/krb5/sock_principal.c (krb5_sock_to_principal): use + getnameinfo + + * lib/krb5/krbhst.c (srv_find_realm): handle port numbers + consistenly in local byte order + + * lib/krb5/get_default_realm.c (krb5_get_default_realm): set an + error string + + * kuser/kinit.c (renew_validate): invert condition correctly. 
get + v4 tickets if we succeed renewing + * lib/krb5/principal.c (krb5_principal_get_type): add + (default_v4_name_convert): add "smtp" + +2001-07-13 Assar Westerlund + + * configure.in: remove make-print-version from LIBOBJS, it's no + longer in lib/roken but always built in lib/vers + +2001-07-12 Johan Danielsson + + * lib/hdb/mkey.c: more set_error_string + +2001-07-12 Assar Westerlund + + * lib/hdb/Makefile.am (libhdb_la_LIBADD): add required library + dependencies + + * lib/asn1/Makefile.am (libasn1_la_LIBADD): add required library + dependencies + +2001-07-11 Johan Danielsson + + * kdc/hprop.c: remove v4 master key handling; remove old v4-db and + ka-db flags; add defaults for v4_realm and afs_cell + +2001-07-09 Assar Westerlund + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): copy hname + before calling krb5_sname_to_principal. from "Jacques A. Vidrine" + + +2001-07-08 Johan Danielsson + + * lib/krb5/context.c: use krb5_copy_addresses instead of + copy_HostAddresses + +2001-07-06 Assar Westerlund + + * configure.in (LIB_des_a, LIB_des_so): add these so that they can + be used by lib/auth/sia + + * kuser/kinit.c: re-do some of the v4 fallbacks: look at + get-tokens flag do not print extra errors do not try to do 524 if + we got tickets from a v4 server + +2001-07-03 Assar Westerlund + + * lib/krb5/replay.c (krb5_get_server_rcache): cast argument to + printf + + * lib/krb5/get_addrs.c (find_all_addresses): call free_addresses + on ignore_addresses correctly + * lib/krb5/init_creds.c + (krb5_get_init_creds_opt_set_default_flags): change to take a + const realm + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): if the + instance is the first component of the local hostname, the + converted host should be the long hostname. 
from + + +2001-07-02 Johan Danielsson + + * lib/krb5/Makefile.am: address.c is no more; add a couple of + manpages + + * lib/krb5/krb5_timeofday.3: new manpage + + * lib/krb5/krb5_get_all_client_addrs.3: new manpage + + * lib/krb5/get_in_tkt.c (init_as_req): treat no addresses as + wildcard + + * lib/krb5/get_cred.c (get_cred_kdc_la): treat no addresses as + wildcard + + * lib/krb5/get_addrs.c: don't include client addresses that match + ignore_addresses + + * lib/krb5/context.c: initialise ignore_addresses + + * lib/krb5/addr_families.c: add new `arange' fake address type, + that matches more than one address; this required some internal + changes to many functions, so all of address.c got moved here + (wasn't much left there) + + * lib/krb5/krb5.h: add list of ignored addresses to context + +2001-07-03 Assar Westerlund + + * Release 0.4b + +2001-07-03 Assar Westerlund + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 17:0:0 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 7:2:0 + +2001-07-03 Assar Westerlund + + * Release 0.4a + +2001-07-02 Johan Danielsson + + * kuser/kinit.c: make this compile without krb4 support + + * lib/krb5/write_message.c: remove priv parameter from + write_safe_message; don't know why it was there in the first place + + * doc/install.texi: remove kaserver switches, it's always compiled + in now + + * kdc/hprop.c: always include kadb support + + * kdc/kaserver.c: always include kaserver support + +2001-07-02 Assar Westerlund + + * kpasswd/kpasswdd.c (doit): make failing to bind a socket a + non-fatal error, and abort if no sockets were bound + +2001-07-01 Assar Westerlund + + * lib/krb5/krbhst.c: remember the real port number when falling + back from kpasswd -> kadmin, and krb524 -> kdc + +2001-06-29 Assar Westerlund + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if + no_addresses is set, do not add any local addresses to KRB_CRED + + * kuser/kinit.c: remove extra clearing of password and some + 
redundant code + +2001-06-29 Johan Danielsson + + * kuser/kinit.c: move ticket conversion code to separate function, + and call that from a couple of places, like when renewing a + ticket; also add a flag for just converting a ticket + + * lib/krb5/init_creds_pw.c: set renew-life to some sane value + + * kdc/524.c: don't send more data than required + +2001-06-24 Assar Westerlund + + * lib/krb5/store_fd.c (krb5_storage_from_fd): check malloc returns + + * lib/krb5/keytab_any.c (any_resolve); improving parsing of ANY: + (any_start_seq_get): remove a double free + (any_next_entry): iterate over all (sub) keytabs and avoid leave data + around to be freed again + + * kdc/kdc_locl.h: add a define for des_new_random_key when using + openssl's libcrypto + + * configure.in: move v6 tests down + + * lib/krb5/krb5.h (krb5_context_data): remove srv_try_rfc2052 + + * update to libtool 1.4 and autoconf 2.50 + +2001-06-22 Johan Danielsson + + * lib/hdb/hdb.c: use krb5_add_et_list + +2001-06-21 Johan Danielsson + + * lib/hdb/Makefile.am: add generation number + * lib/hdb/common.c: add generation number code + * lib/hdb/hdb.asn1: add generation number + * lib/hdb/print.c: use krb5_storage to make it more dynamic + +2001-06-21 Assar Westerlund + + * lib/krb5/krb5.conf.5: update to changed names used by + krb5_get_init_creds_opt_set_default_flags + * lib/krb5/init_creds.c + (krb5_get_init_creds_opt_set_default_flags): make the appdefault + keywords have the same names + + * configure.in: only add -L and -R to the krb4 libdir if we are + actually using it + + * lib/krb5/krbhst.c (fallback_get_hosts): do not copy trailing + dot of hostname add some comments + * lib/krb5/krbhst.c: use getaddrinfo instead of dns_lookup when + testing for kerberos.REALM. 
this allows reusing that information + when actually contacting the server and thus avoids one DNS lookup + +2001-06-20 Johan Danielsson + + * lib/krb5/krb5.h: include k524_err.h + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): don't test + for keytype, the server will do this for us if it has anything to + complain about + + * lib/krb5/context.c: add protocol compatible krb524 error codes + + * lib/krb5/Makefile.am: add protocol compatible krb524 error codes + + * lib/krb5/k524_err.et: add protocol compatible krb524 error codes + + * lib/krb5/krb5_principal_get_realm.3: manpage + + * lib/krb5/principal.c: add functions `krb5_principal_get_realm' + and `krb5_principal_get_comp_string' that returns parts of a + principal; this is a replacement for the internal + `krb5_princ_realm' and `krb5_princ_component' macros that everyone + seem to use + +2001-06-19 Assar Westerlund + + * kuser/kinit.c (main): dereference result from krb5_princ_realm. + from Thomas Nystrom + +2001-06-18 Johan Danielsson + + * lib/krb5/mk_req.c (krb5_mk_req_exact): free creds when done + * lib/krb5/crypto.c (krb5_string_to_key_derived): fix memory leak + * lib/krb5/krbhst.c (config_get_hosts): free hostlist + * kuser/kinit.c: free principal + +2001-06-18 Assar Westerlund + + * lib/krb5/send_to_kdc.c (krb5_sendto): remove an extra + freeaddrinfo + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc_ccache): + remove some unused variables + + * lib/krb5/krbhst.c (admin_get_next): spell kerberos correctly + * kdc/kerberos5.c: update to new krb5_auth_con* names + * kdc/hpropd.c: update to new krb5_auth_con* names + * lib/krb5/rd_req.c (krb5_rd_req): use krb5_auth_con* functions + and remove some comments + * lib/krb5/rd_safe.c (krb5_rd_safe): pick the keys in the right + order: remote - local - session + * lib/krb5/rd_rep.c (krb5_rd_rep): save the remote sub key in the + auth_context + * lib/krb5/rd_priv.c (krb5_rd_priv): pick keys in the correct + order: remote - local - session + * 
lib/krb5/mk_safe.c (krb5_mk_safe): pick keys in the right order, + local - remote - session + +2001-06-18 Johan Danielsson + + * lib/krb5/convert_creds.c: use starttime instead of authtime, + from Chris Chiappa + + * lib/krb5/convert_creds.c: make krb524_convert_creds_kdc match + the MIT function by the same name; add + krb524_convert_creds_kdc_ccache that does what the old version did + + * admin/list.c (do_list): make sure list of keys is NULL + terminated; similar to patch sent by Chris Chiappa + +2001-06-18 Assar Westerlund + + * lib/krb5/mcache.c (mcc_remove_cred): use + krb5_free_creds_contents + + * lib/krb5/auth_context.c: name function krb5_auth_con more + consistenly + * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): use + renamed krb5_auth_con_getauthenticator + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): update to + use krb5_krbhst API + * lib/krb5/changepw.c (krb5_change_password): update to use + krb5_krbhst API + * lib/krb5/send_to_kdc.c: update to use krb5_krbhst API + * lib/krb5/krbhst.c (krb5_krbhst_get_addrinfo): add set def_port + in krb5_krbhst_info + (krb5_krbhst_free): free everything + + * lib/krb5/krb5.h (KRB5_VERIFY_NO_ADDRESSES): add + (krb5_krbhst_info): add def_port (default port for this service) + + * lib/krb5/krbhst-test.c: make it more verbose and useful + * lib/krb5/krbhst.c: remove some more memory leaks do not try any + dns operations if there is local configuration admin: fallback to + kerberos.REALM 524: fallback to kdcs kpasswd: fallback to admin + add some comments + + * configure.in: remove initstate and setstate, they should be in + cf/roken-frag.m4 + + * lib/krb5/Makefile.am (noinst_PROGRAMS): add krbhst-test + * lib/krb5/krbhst-test.c: new program for testing krbhst + * lib/krb5/krbhst.c (common_init): remove memory leak + (main): move test program into krbhst-test + +2001-06-17 Johan Danielsson + + * lib/krb5/krb5_krbhst_init.3: manpage + + * lib/krb5/krb5_get_krbhst.3: manpage + +2001-06-16 Johan 
Danielsson + + * lib/krb5/krb5.h: add opaque krb5_krbhst_handle type + + * lib/krb5/krbhst.c: change void* to krb5_krbhst_handle + + * lib/krb5/krb5.h: types for new krbhst api + + * lib/krb5/krbhst.c: implement a new api that looks up one host at + a time, instead of making a list of hosts + +2001-06-09 Johan Danielsson + + * configure.in: test for initstate and setstate + + * lib/krb5/krbhst.c: remove rfc2052 support + +2001-06-08 Johan Danielsson + + * fix some manpages for broken mdoc.old grog test + +2001-05-28 Assar Westerlund + + * lib/krb5/krb5.conf.5: add [appdefaults] + * lib/krb5/init_creds_pw.c: remove configuration reading that is + now done in krb5_get_init_creds_opt_set_default_flags + * lib/krb5/init_creds.c + (krb5_get_init_creds_opt_set_default_flags): add reading of + libdefaults versions of these and add no_addresses + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear error string + when preauth was required and we retry + +2001-05-25 Assar Westerlund + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): call + krb5_get_krb524hst + * lib/krb5/krbhst.c (krb5_get_krb524hst): add and restructure the + support functions + +2001-05-22 Assar Westerlund + + * kdc/kerberos5.c (tgs_rep2): alloc and free csec and cusec + properly + +2001-05-17 Assar Westerlund + + * Release 0.3f + +2001-05-17 Assar Westerlund + + * lib/krb5/Makefile.am: bump version to 16:0:0 + * lib/hdb/Makefile.am: bump version to 7:1:0 + * lib/asn1/Makefile.am: bump version to 5:0:0 + * lib/krb5/keytab_krb4.c: add SRVTAB as an alias for krb4 + * lib/krb5/codec.c: remove dead code + +2001-05-17 Johan Danielsson + + * kdc/config.c: actually check the ticket addresses + +2001-05-15 Assar Westerlund + + * lib/krb5/rd_error.c (krb5_error_from_rd_error): use correct + parenthesis + + * lib/krb5/eai_to_heim_errno.c (krb5_eai_to_heim_errno): add + `errno' (called system_error) to allow callers to make sure they + pass the current and relevant value. 
update callers + +2001-05-14 Johan Danielsson + + * lib/krb5/verify_user.c: krb5_verify_user_opt + + * lib/krb5/krb5.h: verify_opt + + * kdc/kerberos5.c: pass context to krb5_domain_x500_decode + +2001-05-14 Assar Westerlund + + * kpasswd/kpasswdd.c: adapt to new address functions + * kdc/kerberos5.c: adapt to changing address functions use LR_TYPE + * kdc/connect.c: adapt to changing address functions + * kdc/config.c: new krb5_config_parse_file + * kdc/524.c: new krb5_sockaddr2address + * lib/krb5/*: add some krb5_{set,clear}_error_string + + * lib/asn1/k5.asn1 (LR_TYPE): add + * lib/asn1/Makefile.am (gen_files): add asn1_LR_TYPE.x + +2001-05-11 Assar Westerlund + + * kdc/kerberos5.c (tsg_rep): fix typo in variable name + + * kpasswd/kpasswd-generator.c (nop_prompter): update prototype + * lib/krb5/init_creds_pw.c: update to new prompter, use prompter + types and send two prompts at once when changning password + * lib/krb5/prompter_posix.c (krb5_prompter_posix): add name + * lib/krb5/krb5.h (krb5_prompt): add type + (krb5_prompter_fct): add anem + + * lib/krb5/cache.c (krb5_cc_next_cred): transpose last two + paramaters to krb5_cc_next_cred (as MIT does, and not as they + document). From "Jacques A. Vidrine" + +2001-05-11 Johan Danielsson + + * lib/krb5/Makefile.am: store-test + + * lib/krb5/store-test.c: simple bit storage test + + * lib/krb5/store.c: add more byteorder storage flags + + * lib/krb5/krb5.h: add more byteorder storage flags + + * kdc/kerberos5.c: don't use NULL where we mean 0 + + * kdc/kerberos5.c: put referral test code in separate function, + and test for KRB5_NT_SRV_INST + +2001-05-10 Assar Westerlund + + * admin/list.c (do_list): do not close the keytab if opening it + failed + * admin/list.c (do_list): always print complete names. print + everything to stdout. + * admin/list.c: print both v5 and v4 list by default + * admin/remove.c (kt_remove): reorganize some. open the keytab + (defaulting to the modify one). 
+ * admin/purge.c (kt_purge): reorganize some. open the keytab + (defaulting to the modify one). correct usage strings + * admin/list.c (kt_list): reorganize some. open the keytab + * admin/get.c (kt_get): reorganize some. open the keytab + (defaulting to the modify one) + * admin/copy.c (kt_copy): default to modify key name. re-organise + * admin/change.c (kt_change): reorganize some. open the keytab + (defaulting to the modify one) + * admin/add.c (kt_add): reorganize some. open the keytab + (defaulting to the modify one) + * admin/ktutil.c (main): do not open the keytab, let every + sub-function handle it + + * kdc/config.c (configure): call free_getarg_strings + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): set error strings for + a few more errors + + * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): make + `use_dns' parameter boolean + + * lib/krb5/krb5.h (krb5_context_data): add default_keytab_modify + * lib/krb5/context.c (init_context_from_config_file): set + default_keytab_modify + * lib/krb5/krb5_locl.h (KEYTAB_DEFAULT): change to + ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab + (KEYTAB_DEFAULT_MODIFY): add + * lib/krb5/keytab.c (krb5_kt_default_modify_name): add + (krb5_kt_resolve): set error string for failed keytab type + +2001-05-08 Assar Westerlund + + * lib/krb5/crypto.c (encryption_type): make field names more + consistent + (create_checksum): separate usage and type + (krb5_create_checksum): add a separate type parameter + (encrypt_internal): only free once on mismatched checksum length + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc2): try to tell what + realm we didn't manage to reach any KDC for in the error string + + * lib/krb5/generate_seq_number.c (krb5_generate_seq_number): free + the entire subkey. 
from + +2001-05-07 Johan Danielsson + + * lib/krb5/keytab_keyfile.c (akf_start_seq_get): return + KT_NOTFOUND if the file is empty + +2001-05-07 Assar Westerlund + + * lib/krb5/fcache.c: call krb5_set_error_string when open fails + fatally + * lib/krb5/keytab_file.c: call krb5_set_error_string when open + fails fatally + + * lib/krb5/warn.c (_warnerr): print error_string in context in + preference to error string derived from error code + * kuser/kinit.c (main): try to print the error string + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): set some sensible + error strings for errors + + * lib/krb5/krb5.h (krb5_context_data): add error_string and + error_buf + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add error_string.c + * lib/krb5/error_string.c: new file + +2001-05-02 Johan Danielsson + + * lib/krb5/time.c: krb5_string_to_deltat + + * lib/krb5/sock_principal.c: one less data copy + + * lib/krb5/eai_to_heim_errno.c: conversion function for h_errno's + + * lib/krb5/get_default_principal.c: change this slightly + + * lib/krb5/crypto.c: make checksum_types into an array of pointers + + * lib/krb5/convert_creds.c: make sure we always use a des-cbc-crc + ticket + +2001-04-29 Assar Westerlund + + * kdc/kerberos5.c (tgs_rep2): return a reference to a krbtgt for + the right realm if we fail to find a non-krbtgt service in the + database and the second component does a succesful non-dns lookup + to get the real realm (which has to be different from the + originally-supplied realm). 
this should help windows 2000 clients + that always start their lookups in `their' realm and do not have + any idea of how to map hostnames into realms + * kdc/kerberos5.c (is_krbtgt): rename to get_krbtgt_realm + +2001-04-27 Johan Danielsson + + * lib/krb5/get_host_realm.c (krb5_get_host_realm_int): add extra + parameter to request use of dns or not + +2001-04-25 Assar Westerlund + + * admin/get.c (kt_get): allow specification of encryption types + * lib/krb5/verify_init.c (krb5_verify_init_creds): do not try to + close an unopened ccache, noted by + + * lib/krb5/krb5.h (krb5_any_ops): add declaration + * lib/krb5/context.c (init_context_from_config_file): register + krb5_any_ops + + * lib/krb5/keytab_any.c: new file, implementing union of keytabs + * lib/krb5/Makefile.am (libkrb5_la_SOURCES): add keytab_any.c + + * lib/krb5/init_creds_pw.c (get_init_creds_common): handle options + == NULL. noted by + +2001-04-19 Johan Danielsson + + * lib/krb5/rd_cred.c: set ret_creds to NULL before doing anything + else, from Jacques Vidrine + +2001-04-18 Johan Danielsson + + * lib/hdb/libasn1.h: asn1.h -> krb5_asn1.h + + * lib/asn1/Makefile.am: add asn1_ENCTYPE.x + + * lib/krb5/krb5.h: adapt to asn1 changes + + * lib/asn1/k5.asn1: move enctypes here + + * lib/asn1/libasn1.h: rename asn1.h to krb5_asn1.h to avoid + conflicts + + * lib/asn1/Makefile.am: rename asn1.h to krb5_asn1.h to avoid + conflicts + + * lib/asn1/lex.l: use strtol to parse constants + +2001-04-06 Johan Danielsson + + * kuser/kinit.c: add simple support for running commands + +2001-03-26 Assar Westerlund + + * lib/hdb/hdb-ldap.c: change order of includes to allow it to work + with more versions of openldap + + * kdc/kerberos5.c (tgs_rep2): try to set sec and usec in error + replies + (*): update callers of krb5_km_error + (check_tgs_flags): handle renews requesting non-renewable tickets + + * lib/krb5/mk_error.c (krb5_mk_error): allow specifying both ctime + and cusec + + * lib/krb5/krb5.h (krb5_checksum, 
krb5_keyusage): add + compatibility names + + * lib/krb5/crypto.c (create_checksum): change so that `type == 0' + means pick from the `crypto' (context) and otherwise use that + type. this is not a large change in practice and allows callers + to specify the exact checksum algorithm to use + +2001-03-13 Assar Westerlund + + * lib/krb5/get_cred.c (get_cred_kdc): add support for falling back + to KRB5_KU_AP_REQ_AUTH when KRB5_KU_TGS_REQ_AUTH gives `bad + integrity'. this helps for talking to old (pre 0.3d) KDCs + +2001-03-12 Assar Westerlund + + * lib/krb5/crypto.c (krb5_derive_key): new function, used by + derived-key-test.c + * lib/krb5/string-to-key-test.c: add new test vectors posted by + Ken Raeburn in to + ietf-krb-wg@anl.gov + * lib/krb5/n-fold-test.c: more test vectors from same source + * lib/krb5/derived-key-test.c: more tests from same source + +2001-03-06 Assar Westerlund + + * acconfig.h: include roken_rename.h when appropriate + +2001-03-06 Assar Westerlund + + * lib/krb5/krb5.h (krb5_enctype): remove trailing comma + +2001-03-04 Assar Westerlund + + * lib/krb5/krb5.h (krb5_enctype): add ENCTYPE_* aliases for + compatibility with MIT krb5 + +2001-03-02 Assar Westerlund + + * kuser/kinit.c (main): only request a renewable ticket when + explicitly requested. 
it still gets a renewable one if the renew + life is specified + * kuser/kinit.c (renew_validate): treat -1 as flags not being set + +2001-02-28 Johan Danielsson + + * lib/krb5/context.c (krb5_init_ets): use krb5_add_et_list + +2001-02-27 Johan Danielsson + + * lib/krb5/get_cred.c: implement krb5_get_cred_from_kdc_opt + +2001-02-25 Assar Westerlund + + * configure.in: do not use -R when testing for des functions + +2001-02-14 Assar Westerlund + + * configure.in: test for lber.h when trying to link against + openldap to handle openldap v1, from Sumit Bose + + +2001-02-19 Assar Westerlund + + * lib/asn1/libasn1.h: add string.h (for memset) + +2001-02-15 Assar Westerlund + + * lib/krb5/warn.c (_warnerr): add printf attributes + * lib/krb5/send_to_kdc.c (krb5_sendto): loop over all address + returned by getaddrinfo before trying the next kdc. from + thorpej@netbsd.org + + * lib/krb5/krb5.conf.5: fix default_realm in example + + * kdc/connect.c: fix a few kdc_log format types + + * configure.in: try to handle libdes/libcrypto ont requiring -L + +2001-02-10 Assar Westerlund + + * lib/asn1/gen_decode.c (generate_type_decode): zero the data at + the beginning of the generated function, and add a label `fail' + that the code jumps to in case of errors that frees all allocated + data + +2001-02-07 Assar Westerlund + + * configure.in: aix dce: fix misquotes, from Ake Sandgren + + + * configure.in (dpagaix_LDFLAGS): try to add export file + +2001-02-05 Assar Westerlund + + * lib/krb5/krb5_keytab.3: new man page, contributed by + + + * kdc/kaserver.c: update to new db_fetch4 + +2001-02-05 Assar Westerlund + + * Release 0.3e + +2001-01-30 Assar Westerlund + + * kdc/hprop.c (v4_get_masterkey): check kdb_verify_master_key + properly + (kdb_prop): decrypt key properly + * kdc/hprop.c: handle building with KRB4 always try to decrypt v4 + data with the master key leave it up to the v5 how to encrypt with + that master key + + * kdc/kstash.c: include file name in error messages + * 
kdc/hprop.c: fix a typo and check some more return values + * lib/hdb/hdb-ldap.c (LDAP__lookup_princ): call ldap_search_s + correctly. From Jacques Vidrine + * kdc/misc.c (db_fetch): HDB_ERR_NOENTRY makes more sense than + ENOENT + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to + 15:0:0 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:0:0 + * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 4:0:2 + * kdc/misc.c (db_fetch): return an error code. change callers to + look at this and try to print it in log messages + + * lib/krb5/crypto.c (decrypt_internal_derived): check that there's + enough data + +2001-01-29 Assar Westerlund + + * kdc/hprop.c (realm_buf): move it so it becomes properly + conditional on KRB4 + + * lib/hdb/mkey.c (hdb_unseal_keys_mkey, hdb_seal_keys_mkey, + hdb_unseal_keys, hdb_seal_keys): check that we have the correct + master key and that we manage to decrypt the key properly, + returning an error code. fix all callers to check return value. + + * tools/krb5-config.in: use @LIB_des_appl@ + * tools/Makefile.am (krb5-config): add LIB_des_appl + * configure.in (LIB_des): set correctly + (LIB_des_appl): add for the use by krb5-config.in + + * lib/krb5/store_fd.c (fd_fetch, fd_store): use net_{read,write} + to make sure of not dropping data when doing it over a socket. + (this might break when used with ordinary files on win32) + + * lib/hdb/hdb_err.et (NO_MKEY): add + + * kdc/kerberos5.c (as_rep): be paranoid and check + krb5_enctype_to_string for failure, noted by + + * lib/krb5/krb5_init_context.3, lib/krb5/krb5_context.3, + lib/krb5/krb5_auth_context.3: add new man pages, contributed by + + + * use the openssl api for md4/md5/sha and handle openssl/*.h + + * kdc/kaserver.c (do_getticket): check length of ticket. 
noted by + + +2001-01-28 Assar Westerlund + + * configure.in: send -R instead of -rpath to libtool to set + runtime library paths + + * lib/krb5/Makefile.am: remove all dependencies on libkrb + +2001-01-27 Assar Westerlund + + * appl/rcp: add port of bsd rcp changed to use existing rsh, + contributed by Richard Nyberg + +2001-01-27 Johan Danielsson + + * lib/krb5/get_port.c: don't warn if the port name can't be found, + nobody cares anyway + +2001-01-26 Johan Danielsson + + * kdc/hprop.c: make it possible to convert a v4 dump file without + having any v4 libraries; the kdb backend still require them + + * kdc/v4_dump.c: include shadow definition of kdb Principal, so we + don't have to depend on any v4 libraries + + * kdc/hprop.h: include shadow definition of kdb Principal, so we + don't have to depend on any v4 libraries + + * lib/hdb/print.c: reduce number of memory allocations + + * lib/hdb/mkey.c: add support for reading krb4 /.k files + +2001-01-19 Assar Westerlund + + * lib/krb5/krb5.conf.5: document admin_server and kpasswd_server + for realms document capath better + + * lib/krb5/krbhst.c (krb5_get_krb_changepw_hst): preferably look + at kpasswd_server before admin_server + + * lib/krb5/get_cred.c (get_cred_from_kdc_flags): look in + [libdefaults]capath for better hint of realm to send request to. + this allows the client to specify `realm routing information' in + case it cannot be done at the server (which is preferred) + + * lib/krb5/rd_priv.c (krb5_rd_priv): handle no sequence number as + zero when we were expecting a sequence number. 
MIT krb5 cannot + generate a sequence number of zero, instead generating no sequence + number + * lib/krb5/rd_safe.c (krb5_rd_safe): dito + +2001-01-11 Assar Westerlund + + * kpasswd/kpasswdd.c: add --port option + +2001-01-10 Assar Westerlund + + * lib/krb5/appdefault.c (krb5_appdefault_string): fix condition + just before returning + +2001-01-09 Assar Westerlund + + * appl/kf/kfd.c (proto): use krb5_rd_cred2 instead of krb5_rd_cred + +2001-01-05 Johan Danielsson + + * kuser/kinit.c: call a time `time', and not `seconds' + + * lib/krb5/init_creds.c: not much point in setting the anonymous + flag here + + * lib/krb5/krb5_appdefault.3: document appdefault_time + +2001-01-04 Johan Danielsson + + * lib/krb5/verify_user.c: use + krb5_get_init_creds_opt_set_default_flags + + * kuser/kinit.c: use krb5_get_init_creds_opt_set_default_flags + + * lib/krb5/init_creds.c: new function + krb5_get_init_creds_opt_set_default_flags to set options from + krb5.conf + + * lib/krb5/rd_cred.c: make this match the MIT function + + * lib/krb5/appdefault.c (krb5_appdefault_string): handle NULL + def_val + (krb5_appdefault_time): new function + +2001-01-03 Assar Westerlund + + * kdc/hpropd.c (main): handle EOF when reading from stdin diff --git a/third_party/heimdal/ChangeLog.2002 b/third_party/heimdal/ChangeLog.2002 new file mode 100644 index 0000000..8101be1 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2002 
@@ -0,0 +1,726 @@ +2002-12-19 Johan Danielsson + + * lib/krb5/mk_rep.c: free allocated storage; reported by Howard + Chu + +2002-12-08 Johan Danielsson + + * kdc/kdc_locl.h: remove old encrypt_v4_ticket prototype + +2002-12-02 Johan Danielsson + + * kpasswd/kpasswdd.c (doit): initialise sa_size to size of + sockaddr_storage + + * kdc/connect.c (init_socket): initialise sa_size to size of + sockaddr_storage + +2002-11-15 Johan Danielsson + + * lib/krb5/krb5.h: remove trailing comma in enum + +2002-11-07 Johan Danielsson + + * kdc/524.c: implement crude b2 style (non-)conversion for use + with afs + + * kdc/kerberos4.c: move encrypt_v4_ticket to 524.c, since that's + where it's used + +2002-10-21 Johan Danielsson + + * lib/krb5/keytab_keyfile.c: more strcspn + + * lib/krb5/store_emem.c (emem_store): limit how much we allocate + (from Olaf Kirch) + + * lib/krb5/principal.c: don't allow trailing backslashes in + components + + * kdc/connect.c: check that %-quotes are followed by two hex + digits + + * lib/krb5/keytab_any.c: properly close the open keytabs (from + Larry Greenfield) + + * kdc/kaserver.c: make sure life is positive (from John Godehn) + +2002-10-17 Johan Danielsson + + * kuser/klist.c (display_tokens): allow tokens up to size of + buffer (from Magnus Holmberg) + +2002-09-29 Johan Danielsson + + * lib/krb5/changepw.c (process_reply): fix reply length check + calculation (reported by various people) + +2002-09-24 Johan Danielsson + + * lib/krb5/keytab_file.c (fkt_remove_entry): check return value + from start_seq_get (from Wynn Wilkes) + +2002-09-19 Johan Danielsson + + * lib/krb5/context.c (krb5_set_config_files): return ENXIO instead + of ENOENT when "unconfigured" + +2002-09-16 Jacques Vidrine + + * lib/krb5/kuserok.c, lib/krb5/prompter_posix.c: use strcspn + to convert the newline to NUL in fgets results. 
+ +2002-09-13 Johan Danielsson + + * kuser/kinit.1: remove unneeded Ns + + * lib/krb5/krb5_appdefault.3: remove extra "application" + + * fix-export: remove autom4ate.cache + +2002-09-10 Johan Danielsson + + * include/make_crypto.c: don't use function macros if possible + + * lib/krb5/krb5_locl.h: get limits.h for UINT_MAX + + * include/Makefile.am: use make_crypto to create crypto-headers.h + + * include/make_crypto.c: crypto header generation tool + + * configure.in: move crypto test to just after testing for krb4, + and move roken tests to after both, this speeds up various failure + cases with krb4 + + * lib/krb5/config_file.c: don't use NULL when we mean 0 + + * configure.in: we don't set package_libdir anymore, so no point + in testing for it + + * tools/Makefile.am: subst INCLUDE_des + + * tools/krb5-config.in: add INCLUDE_des to cflags + + * configure.in: use AC_CONFIG_SRCDIR + + * fix-export: remove some unneeded stuff + + * kuser/kinit.c (do_524init): free principals + +2002-09-09 Jacques Vidrine + + * kdc/kerberos5.c (get_pa_etype_info, fix_transited_encoding), + kdc/kaserver.c (krb5_ret_xdr_data), + lib/krb5/transited.c (krb5_domain_x500_decode): Validate some + counts: Check that they are non-negative, and that they are small + enough to avoid integer overflow when used in memory allocation + calculations. Potential problem areas pointed out by + Sebastian Krahmer . + + * lib/krb5/keytab_keyfile.c (akf_add_entry): Use O_EXCL when + creating a new keyfile. 
+ +2002-09-09 Johan Danielsson + + * configure.in: don't try to build pam module + +2002-09-05 Johan Danielsson + + * appl/kf/kf.c: fix warning string + + * lib/krb5/log.c (krb5_vlog_msg): delay message formating till we + know we need it + +2002-09-04 Assar Westerlund + + * kdc/kerberos5.c (encode_reply): correct error logging + +2002-09-04 Johan Danielsson + + * lib/krb5/sendauth.c: close ccache if we opened it + + * appl/kf/kf.c: handle new protocol + + * appl/kf/kfd.c: use krb5_err instead of sysloging directly, + handle the new protocol, and bail out if an old client tries to + connect + + * appl/kf/kf_locl.h: we need a protocol version string + + * lib/hdb/hdb-ldap.c: use ASN1_MALLOC_ENCODE + + * kdc/kerberos5.c: use ASN1_MALLOC_ENCODE + + * kdc/hprop.c: set AP_OPTS_USE_SUBKEY + + * lib/hdb/common.c: use ASN1_MALLOC_ENCODE + + * lib/asn1/gen.c: add convenience macro that allocates a buffer + and encoded into that + + * lib/krb5/get_cred.c (init_tgs_req): use + in_creds->session.keytype literally instead of trying to convert + to a list of enctypes (it should already be an enctype) + + * lib/krb5/get_cred.c (init_tgs_req): init ret + +2002-09-03 Johan Danielsson + + * lib/asn1/k5.asn1: remove ETYPE_DES3_CBC_NONE_IVEC + + * lib/krb5/krb5.h: remove ENCTYPE_DES3_CBC_NONE_IVEC + + * lib/krb5/crypto.c: get rid of DES3_CBC_encrypt_ivec, just use + zero ivec in DES3_CBC_encrypt if passed ivec is NULL + + * lib/krb5/Makefile.am: back out 1.144, since it will re-create + krb5-protos.h at build-time, which requires perl, which is bad + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): don't + blindly use the local subkey + + * lib/krb5/crypto.c: add function krb5_crypto_getblocksize that + extracts the required blocksize from a crypto context + + * lib/krb5/build_auth.c: just get the length of the encoded + authenticator instead of trying to grow a buffer + +2002-09-03 Assar Westerlund + + * configure.in: add --disable-mmap option, and tests for + sys/mman.h and 
mmap + +2002-09-03 Jacques Vidrine + + * lib/krb5/changepw.c: verify lengths in response + + * lib/asn1/der_get.c (decode_integer, decode_unsigned): check for + truncated integers + +2002-09-02 Johan Danielsson + + * lib/krb5/mk_req_ext.c: generate a local subkey if + AP_OPTS_USE_SUBKEY is set + + * lib/krb5/build_auth.c: we don't have enough information about + whether to generate a local subkey here, so don't try to + + * lib/krb5/auth_context.c: new function + krb5_auth_con_generatelocalsubkey + + * lib/krb5/get_in_tkt.c: only set kdc_sec_offset if looking at an + initial ticket + + * lib/krb5/context.c (init_context_from_config_file): simplify + initialisation of srv_lookup + + * lib/krb5/changepw.c (send_request): set AP_OPTS_USE_SUBKEY + + * lib/krb5/krb5.h: add AP_OPTS_USE_SUBKEY + +2002-08-30 Assar Westerlund + + * lib/krb5/name-45-test.c: also test krb5_524_conv_principal + * lib/krb5/Makefile.am (TESTS): add name-45-test + * lib/krb5/name-45-test.c: add testcases for + krb5_425_conv_principal + +2002-08-29 Assar Westerlund + + * lib/krb5/parse-name-test.c: also test unparse_short functions + * lib/asn1/asn1_print.c: use com_err/error_message API + * lib/krb5/Makefile.am: add parse-name-test + * lib/krb5/parse-name-test.c: add a program for testing parsing + and unparsing principal names + +2002-08-28 Assar Westerlund + + * kdc/config.c: add missing ifdef DAEMON + +2002-08-28 Johan Danielsson + + * configure.in: use rk_SUNOS + + * kdc/config.c: add detach options + + * kdc/main.c: maybe detach from console? 
+ + * kdc/kdc.8: markup changes + + * configure.in: AC_TEST_PACKAGE_NEW -> rk_TEST_PACKAGE + + * configure.in: use rk_TELNET, rename some other macros, and don't + add -ldes to krb4 link command + + * kuser/kinit.1: whitespace fix (from NetBSD) + + * include/bits.c: we may need unistd.h for ssize_t + +2002-08-26 Assar Westerlund + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): lookup AAAA + rrs before A ones when using the resolver to verify a mapping, + also use getaddrinfo when resolver is not available + + * lib/hdb/keytab.c (find_db): const-correctness in parameters to + krb5_config_get_next + + * lib/asn1/gen.c: include in the generated files (for + memset) + +2002-08-22 Assar Westerlund + + * lib/krb5/test_get_addrs.c, lib/krb5/krbhst-test.c: make it use + getarg so that it can handle --help and --version (and thus make + check can pass) + + * lib/asn1/check-der.c: make this build again + +2002-08-22 Assar Westerlund + + * lib/asn1/der_get.c (der_get_int): handle len == 0. 
based on a + patch from Love + +2002-08-22 Johan Danielsson + + * lib/krb5/krb5.h: we seem to call KRB5KDC_ERR_KEY_EXP + KRB5KDC_ERR_KEY_EXPIRED, so define the former to the latter + + * kdc/kdc.8: add blurb about adding and removing addresses; update + kdc.conf section to match reality + + * configure.in: KRB_SENDAUTH_VLEN seems to always have existed, so + don't define it + +2002-08-21 Assar Westerlund + + * lib/asn1/asn1_print.c: print OIDs too, based on a patch from + Love + +2002-08-21 Johan Danielsson + + * kuser/kinit.c (do_v4_fallback): don't use krb_get_pw_in_tkt2 + since it might not exist, and we don't actually care about the key + +2002-08-20 Johan Danielsson + + * lib/krb5/krb5.conf.5: correct documentation for + verify_ap_req_nofail + + * lib/krb5/log.c: rename syslog_data to avoid name conflicts (from + Mattias Amnefelt) + + * kuser/klist.c (display_tokens): increase token buffer size, and + add more checks of the kernel data (from Love) + +2002-08-19 Johan Danielsson + + * fix-export: use make to parse Makefile.am instead of perl + + * configure.in: use argument-less AM_INIT_AUTOMAKE, now that it + groks AC_INIT with package name etc. 
+ + * kpasswd/kpasswdd.c: include + + * lib/asn1/asn1_print.c: include com_right.h + + * lib/krb5/addr_families.c: socklen_t -> krb5_socklen_t + + * include/bits.c: define krb5_socklen_t type; this should really + go someplace else, but this was easy + + * lib/krb5/verify_krb5_conf.c: don't bail out if parsing of a file + fails, just warn about it + + * kdc/log.c (kdc_openlog): no need for a config_file parameter + + * kdc/config.c: just treat kdc.conf like any other config file + + * lib/krb5/context.c (krb5_get_default_config_files): ignore + duplicate files + +2002-08-16 Johan Danielsson + + * lib/krb5/krb5.h: turn strings into pointers, so we can assign to + them + + * lib/krb5/constants.c: turn strings into pointers, so we can + assign to them + + * lib/krb5/get_addrs.c (get_addrs_int): initialise res if + SCAN_INTERFACES is not set + + * lib/krb5/context.c: fix various borked stuff in previous commits + +2002-08-16 Jacques Vidrine + + * lib/krb5/krbhst.c (kpasswd_get_next): if we fall back to using + the `admin_server' entry for kpasswd, override the `proto' result + to be UDP. 
+ +2002-08-15 Johan Danielsson + + * lib/krb5/auth_context.c: check return value of + krb5_sockaddr2address + + * lib/krb5/addr_families.c: check return value of + krb5_sockaddr2address + + * lib/krb5/context.c: get the default keytab from KRB5_KTNAME + +2002-08-14 Johan Danielsson + + * lib/krb5/verify_krb5_conf.c: allow parsing of more than one file + + * lib/krb5/context.c: allow changing config files with the + function krb5_set_config_files, there are also related functions + krb5_get_default_config_files and krb5_free_config_files; these + should work similar to their MIT counterparts + + * lib/krb5/config_file.c: allow the use of more than one config + file by using the new function krb5_config_parse_file_multi + +2002-08-12 Johan Danielsson + + * use sysconfdir instead of /etc + + * configure.in: require autoconf 2.53; rename dpagaix_LDFLAGS etc + to appease automake; force sysconfdir and localstatedir to /etc + and /var/heimdal for now + + * kdc/connect.c (addr_to_string): check return value of + sockaddr2address + +2002-08-09 Johan Danielsson + + * lib/krb5/rd_cred.c: if the remote address isn't an addrport, + don't try comparing to one; this should make old clients work with + new servers + + * lib/asn1/gen_decode.c: remove unused variable + +2002-07-31 Johan Danielsson + + * kdc/{kerberos5,524}.c: ENOENT -> HDB_ERR_NOENTRY (from Derrick + Brashear) + + * lib/krb5/principal.c: actually lower case the lower case + instance name (spotted by Derrick Brashear) + +2002-07-24 Johan Danielsson + + * fix-export: if DATEDVERSION is set, change the version to + current date + + * configure.in: don't use AC_PROG_RANLIB, and use magic foo to set + LTLIBOBJS + +2002-07-04 Johan Danielsson + + * kdc/connect.c: add some cache-control-foo to the http responses + (from Gombas Gabor) + + * lib/krb5/addr_families.c (krb5_print_address): don't copy size + if ret_len == NULL + +2002-06-28 Johan Danielsson + + * kuser/klist.c (display_tokens): don't bail out before we get + 
EDOM (signaling the end of the tokens), the kernel can also return + ENOTCONN, meaning that the index does not exist anymore (for + example if the token has expired) + +2002-06-06 Johan Danielsson + + * lib/krb5/changepw.c: make sure we return an error if there are + no changepw hosts found; from Wynn Wilkes + +2002-05-29 Johan Danielsson + + * lib/krb5/cache.c (krb5_cc_register): break out of loop when the + same type is found; spotted by Wynn Wilkes + +2002-05-28 Johan Danielsson + + * lib/krb5/keytab_file.c: check size of entry before trying to + read 32-bit kvno; also fix typo in previous + +2002-05-24 Johan Danielsson + + * include/Makefile.am: only add to INCLUDES + + * lib/45/mk_req.c: fix for storage change + + * lib/hdb/print.c: fix for storage change + +2002-05-15 Johan Danielsson + + * kdc/kerberos5.c: don't free encrypted padata until we're really + done with it + +2002-05-07 Johan Danielsson + + * kdc/kerberos5.c: when decrypting pa-data, try all keys matching + enctype + + * kuser/kinit.1: document -a + + * kuser/kinit.c: add command line switch for extra addresses + +2002-04-30 Johan Danielsson + + * configure.in: remove some duplicate tests + + * configure.in: use AC_HELP_STRING + +2002-04-29 Johan Danielsson + + * lib/krb5/crypto.c (usage2arcfour): don't abort if the usage is + unknown + +2002-04-25 Johan Danielsson + + * configure.in: use rk_DESTDIRS + +2002-04-22 Johan Danielsson + + * lib/krb5/krb5_verify_user.3: make it clear that _lrealm modifies + the principal + +2002-04-19 Johan Danielsson + + * lib/krb5/verify_init.c: fix typo in error string + +2002-04-18 Johan Danielsson + + * acconfig.h: remove some stuff that is defined elsewhere + + * lib/krb5/krb5_locl.h: include + + * lib/krb5/acl.c: rename acl_string parameter + + * lib/krb5/Makefile.am: remove __P from protos, and put parameter + names in comments + + * kuser/klist.c: better align some headers + + * kdc/kerberos4.c: storage tweaks + + * kdc/kaserver.c: storage tweaks + + * 
kdc/524.c: storage tweaks + + * lib/krb5/keytab_krb4.c: storage tweaks + + * lib/krb5/keytab_keyfile.c: storage tweaks + + * lib/krb5/keytab_file.c: storage tweaks; also try to handle zero + sized keytab files + + * lib/krb5/keytab_any.c: use KRB5_KT_END instead of KRB5_CC_END + + * lib/krb5/fcache.c: storage tweaks + + * lib/krb5/store_mem.c: make the krb5_storage opaque, and add + function wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/store_fd.c: make the krb5_storage opaque, and add + function wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/store_emem.c: make the krb5_storage opaque, and add + function wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/store.c: make the krb5_storage opaque, and add function + wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/store-int.h: make the krb5_storage opaque, and add + function wrappers for store/fetch/seek, and also make the eof-code + configurable + + * lib/krb5/krb5.h: make the krb5_storage opaque, and add function + wrappers for store/fetch/seek, and also make the eof-code + configurable + + * include/bits.c: include to get socklen_t + + * kdc/kerberos5.c (get_pa_etype_info): sort ETYPE-INFOs by + requested KDC-REQ etypes + + * kdc/hpropd.c: constify + + * kdc/hprop.c: constify + + * kdc/string2key.c: constify + + * kdc/kdc_locl.h: make port_str const + + * kdc/config.c: constify + + * lib/krb5/config_file.c: constify + + * kdc/kstash.c: constify + + * lib/krb5/verify_user.c: remove unnecessary cast + + * lib/krb5/recvauth.c: constify + + * lib/krb5/principal.c (krb5_parse_name): const qualify + + * lib/krb5/mcache.c (mcc_get_name): constify return type + + * lib/krb5/context.c (krb5_free_context): don't try to free the + ccache prefix + + * lib/krb5/cache.c (krb5_cc_register): don't make a copy of the + prefix + + * lib/krb5/krb5.h: constify some struct members 
+ + * lib/krb5/log.c: constify + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): const + qualify + + * lib/krb5/get_in_tkt.c (krb5_init_etype): constify + + * lib/krb5/crypto.c: constify some + + * lib/krb5/config_file.c: constify + + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): + constify local variable + + * lib/krb5/addr_families.c (ipv4_sockaddr2port): constify + +2002-04-17 Johan Danielsson + + * lib/krb5/verify_krb5_conf.c: add some log checking + + * lib/krb5/log.c (krb5_addlog_dest): reorganise syslog parsing + +2002-04-16 Johan Danielsson + + * lib/krb5/crypto.c (krb5_crypto_init): check that the key size + matches the expected length + +2002-03-27 Johan Danielsson + + * lib/krb5/send_to_kdc.c: rename send parameter to send_data + + * lib/krb5/mk_error.c: rename ctime parameter to client_time + +2002-03-22 Johan Danielsson + + * kdc/kerberos5.c (find_etype): unsigned -> krb5_enctype (from + Reinoud Zandijk) + +2002-03-18 Johan Danielsson + + * lib/asn1/k5.asn1: add the GSS-API checksum type here + +2002-03-11 Assar Westerlund + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to + 18:3:1 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): bump version to 7:5:0 + * lib/asn1/Makefile.am (libasn1_la_LDFLAGS): bump version to 6:0:0 + +2002-03-10 Assar Westerlund + + * lib/krb5/rd_cred.c: handle addresses with port numbers + + * lib/krb5/keytab_file.c, lib/krb5/keytab.c: + store the kvno % 256 as the byte and the complete 32 bit kvno after + the end of the current keytab entry + + * lib/krb5/init_creds_pw.c: + handle LR_PW_EXPTIME and LR_ACCT_EXPTIME in the same way + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): + handle ports giving for the remote address + + * lib/krb5/get_cred.c: + get a ticket with no addresses if no-addresses is set + + * lib/krb5/crypto.c: + rename functions DES_* to krb5_* to avoid colliding with modern + openssl + + * lib/krb5/addr_families.c: + make all functions taking 'struct sockaddr' 
actually take a socklen_t + instead of int and that acts as an in-out parameter (indicating the + maximum length of the sockaddr to be written) + + * kdc/kerberos4.c: + make the kvno's in the krb4 universe by the real one % 256, since they + cannot only be 8 bit, and the v5 ones are actually 32 bits + +2002-02-15 Johan Danielsson + + * lib/krb5/keytab_keyfile.c (akf_add_entry): don't create the file + before we need to write to it + (from Åke Sandgren) + +2002-02-14 Johan Danielsson + + * configure.in: rk_RETSIGTYPE and rk_BROKEN_REALLOC are called via + rk_ROKEN (from Gombas Gabor); find inttypes by CHECK_TYPES + directly + + * lib/krb5/rd_safe.c: actually use the correct key (from Daniel + Kouril) + +2002-02-12 Johan Danielsson + + * lib/krb5/context.c (krb5_get_err_text): protect against NULL + context + +2002-02-11 Johan Danielsson + + * admin/ktutil.c: no need to use the "modify" keytab anymore + + * lib/krb5/keytab_any.c: implement add and remove + + * lib/krb5/keytab_krb4.c: implement add and remove + + * lib/krb5/store_emem.c (emem_free): clear memory before freeing + (this should perhaps be selectable with a flag) + +2002-02-04 Johan Danielsson + + * kdc/config.c (get_dbinfo): if there are database specifications + in the config file, don't automatically try to use the default + values (from Gombas Gabor) + + * lib/krb5/log.c (krb5_closelog): don't pass pointer to pointer + (from Gombas Gabor) + +2002-01-30 Johan Danielsson + + * admin/list.c: get the default keytab from krb5.conf, and list + all parts of an ANY type keytab + + * lib/krb5/context.c: default default_keytab_modify to NULL + + * lib/krb5/keytab.c (krb5_kt_default_modify_name): if no modify + name is specified take it from the first component of the default + keytab name + +2002-01-29 Johan Danielsson + + * lib/krb5/keytab.c: compare keytab types case insensitively + +2002-01-07 Assar Westerlund + + * lib/krb5/crypto.c (create_checksum): make usage `unsigned' (it's + not really a 
krb5_key_usage). From Ben Harris + * lib/krb5/get_in_tkt.c: use krb5_enctype consistently. From Ben + Harris + * lib/krb5/crypto.c: use krb5_enctype consistently. From Ben + Harris + * kdc/kerberos5.c: use krb5_enctype consistently. From Ben Harris + diff --git a/third_party/heimdal/ChangeLog.2003 b/third_party/heimdal/ChangeLog.2003 new file mode 100644 index 0000000..1ffd9de --- /dev/null +++ b/third_party/heimdal/ChangeLog.2003 
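Review bot: In the ChangeLog.2002 hunk that ends just above, the 2002-03-10 `kdc/kerberos4.c` entry reads "since they cannot only be 8 bit", which is garbled. The rest of the entry ("the real one % 256", "the v5 ones are actually 32 bits") and the neighbouring `lib/krb5/keytab_file.c, lib/krb5/keytab.c` entry ("store the kvno % 256 as the byte and the complete 32 bit kvno after the end of the current keytab entry") imply the intended wording is "can only be 8 bit". The same hunk also carries two consecutive "2002-08-22 Assar Westerlund" headers that could be one block. Since this file is added as an upstream import, I would leave the text untouched in this commit and raise both points with Heimdal upstream, so the vendored copy does not drift from what upstream ships.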
@@ -0,0 +1,1795 @@ +2003-12-19 Love Hörnquist Åstrand + + * lib/krb5/error_string.c: protect error_string with mutex + + * lib/krb5/context.c: allocate and destroy mutex in krb5_context + + * lib/krb5/krb5.h (krb5_context_data): add mutex for error_string + +2003-12-18 Love Hörnquist Åstrand + + * kuser/kinit.c: make -9 work again + +2003-12-17 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c: try handle ts preauth better, still + not good, but at least it work with older heimdal releases that + doesn't send back KRB5KDC_ERR_PREAUTH_REQUIRED when preauth was + sent + +2003-12-16 Love Hörnquist Åstrand + + * lib/hdb/hdb.asn1: remove enforce-transited-policy, its no longer + used + +2003-12-11 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (_krb5_pk_create_sign): fill in NULL as + parameters, required by CMS + +2003-12-07 Love Hörnquist Åstrand + + * lib/krb5/get_in_tkt_with_keytab.c (krb5_get_in_tkt_with_keytab): + avoid memory leak that snuck in when krb5_keytab_key_proc was + exported, pointed out by Panases Inc + + * lib/krb5/keytab_file.c: do locking, found to be a problem for + Panasas Inc + + * lib/krb5/fcache.c: internally export x{,un}lock and thus prefix + them with _krb5_ + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use + KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded + krb-cred + + * lib/krb5/krb5_auth_context.3: some text about + krb5_auth_con_{add,remove}flags + + * lib/krb5/auth_context.c: add krb5_auth_con_addflags and + krb5_auth_con_removeflags + +2003-12-03 Love Hörnquist Åstrand + + * lib/krb5/crypto.c (decrypt_internal_derived): move up padsize to + avoid memory leak + +2003-12-02 Love Hörnquist Åstrand + + * lib/krb5/crypto.c: require cipher-text to be padded to padsize + + * lib/krb5/eai_to_heim_errno.c: EAI_ADDRFAMILY and EAI_NODATA is + deprecated in RFC3493 + + * lib/krb5/verify_krb5_conf.c (check_host): don't check for + EAI_NODATA, because its depricated in RFC3493 Pointed out by + Hajimu UMEMOTO on 
heimdal-discuss + +2003-12-01 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: move test_crypto to noinst_PROGRAMS + + * lib/krb5/test_crypto.c: add --version,--help + + * kuser/kinit.c (main): return the return value from simple_execvp + +2003-11-26 Love Hörnquist Åstrand + + * kuser/kinit.c: don't use PKINIT DH per default since its too + slow + + * lib/krb5/pkinit.c: tweek to make pkinit work with the fact the + asn1_compile can't generate code for context tagless optionals + + * kdc/pkinit.c: add support for KDC side of DH PKINIT + + * lib/krb5/pkinit.c: clean up error handling, make enc-type work + again + +2003-11-25 Love Hörnquist Åstrand + + * kuser/kinit.c: add flag to make it work with pkinit dh + + * lib/krb5/pkinit.c: make PKINIT DH support work + +2003-11-24 Love Hörnquist Åstrand + + * lib/hdb/Makefile.am (LDADD): link with LIB_dlopen + + * kdc/pkinit.c: clean up + + * lib/krb5/krb5.h: make pkinit_win2k_compatible into a flag field + + * lib/krb5/pkinit.c: remove most compile depencies clean up + + * kdc/pkinit.c: print an error and turn of pkinit if openssl + failed to load + + * kdc/config.c: read pkinit (pki-mumble) configuration options + + * kdc/kerberos5.c: add pkinit support + + * kdc/kdc_locl.h: add prototypes for pkinit + + * kdc/pkinit.c: PKINIT patch from Daniel Kouril and Petr Holub, I + removed the dependency on valicert asn1 parser, remove smartcard + and globus support (for now). 
Work to be done on this: DH support, + Globus support, Smartcard support, windows support (MS implements + -09 of the draft), make it conform to the new draft + + * lib/krb5/pkinit.c: fix bugs, improve error reporting + +2003-11-23 Love Hörnquist Åstrand + + * kuser/kinit.c: add some "struct foo;" glue for pkinit + structures that isn't used + + * lib/krb5/pkinit.c: clean up, make remove depenency on openssl's + api + + * lib/krb5/krb5_locl.h: add some glue for pkinit add reference + counter to _krb5_get_init_creds_opt_private + + * lib/krb5/init_creds.c: reference count krb5_get_init_creds_opt + private component to avoid copy all the data in it + + * lib/krb5/crypto.c (AES_string_to_key): fix memory leak + + * lib/krb5/init_creds_pw.c (init_cred_loop): fix memory leak + + * lib/krb5/heim_threads.h: include pthread.h in the pthread case + +2003-11-18 Love Hörnquist Åstrand + + * kpasswd/kpasswdd.c (main): parse kdc.conf + 
From: Jeffrey Hutzelman + +2003-11-15 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am (TESTS): add test_crypto + + * lib/krb5/test_crypto.c: time crypto operations + +2003-11-14 Love Hörnquist Åstrand + + * doc/init-creds: spelling, Bruno Rohee + +2003-11-09 Love Hörnquist Åstrand + + * lib/krb5/rd_req.c (krb5_verify_ap_req2): krb5_free_ticket free + the ticket now, rewrite error handling to handle that + + * kpasswd/kpasswdd.c (process): don't free ticket, + krb5_free_ticket does that now + + * kdc/kerberos5.c (tgs_rep2): don't free ticket, krb5_free_ticket + does that now + + * lib/krb5/ticket.c (krb5_free_ticket): free the ticket itself to + match mit behavior, pointed out by Derrick Brashear + + * lib/krb5/krb5_ticket.3: krb5_free_ticket free the whole ticket + +2003-11-08 Love Hörnquist Åstrand + + * lib/krb5/padata.c: add krb5_padata_add + + * lib/krb5/krb5.h: krb5_context_data.pkinit_win2k_compatible + + * lib/krb5/Makefile.am: add pkinit.c + + * kuser/kinit.c: add pkinit support + + * lib/krb5/init_creds_pw.c: add support for pkinit + + * lib/krb5/krb5_locl.h: add the opaque krb5_pk_init_ctx to + _krb5_get_init_creds_opt_private + + * lib/krb5/pkinit.c: rename krb5_pk_init_openssl_ctx to + krb5_pk_init_ctx fix win2k error handling + + * lib/krb5/pkinit.c: PKINIT patch from Daniel Kouril and Petr + Holub, I removed the dependency on valicert asn1 parser, remove + smartcard and globus support (for now). 
Work to be done on this: + DH support, Globus support, Smartcard support, windows support (MS + implements -09 of the draft), verify that it conforms the new + draft + +2003-11-07 Love Hörnquist Åstrand + + * lib/asn1/der_copy.c (copy_oid): copy all components + +2003-10-27 Johan Danielsson + + * lib/krb5/krb5.conf.5: document capaths section + +2003-10-22 Johan Danielsson + + * kdc/kerberos5.c: make sure that the server realm and the krbtgt + second component are identical; get rpath from the capaths section + + * kdc/kerberos5.c: change logic for when to check transited policy + to a tri-state model involving per principal flags (to be + implemented) + + * kdc/kdc_locl.h: change enforce_transited_policy to a tri-state + variable + + * kdc/config.c: change enforce_transited_policy to a tri-state + variable + +2003-10-22 Love Hörnquist Åstrand + + * lib/krb5/transited.c (krb5_domain_x500_encode): always zero out + encoding to make sure it have a defined value on failure + + * lib/krb5/transited.c (krb5_domain_x500_encode): + if num_realms ==0, set encoding and return (avoids malloc(0)), + check return value for malloc + +2003-10-21 Johan Danielsson + + * kdc/kerberos5.c (fix_transited_encoding): always print + cross-realm information + +2003-10-21 Love Hörnquist Åstrand + + * doc/setup.texi: spelling, 
From: Tracy Di Marco White + + * kdc/kerberos5.c (fix_transited_encoding): set transited type + +2003-10-21 Johan Danielsson + + * kdc/kdc.8: document enforce-transited-policy + + * kdc/kerberos5.c: always check transited policy if flag set + either globally or on principal + + * kdc/config.c: add flag to always check transited policy + + * lib/hdb/hdb.asn1: add flag to enforce transited policy + +2003-10-21 Love Hörnquist Åstrand + + * lib/krb5/transited.c (krb5_domain_x500_decode): set *num_realms + to zero not num_realms + + * kuser/kgetcred.1: add --no-transit-check + + * kuser/kgetcred.c: add --no-transit-check + + * doc/setup.texi: describe Transit policy + +2003-10-20 Johan Danielsson + + * kdc/kerberos5.c (fix_transited_encoding): also verify with + policy, unless asked not to + + * lib/krb5/rd_req.c (krb5_decrypt_ticket): try to verify transited + realms, unless the transited-policy-checked flag is set + + * lib/krb5/transited.c (krb5_domain_x500_decode): handle zero + length tr data; + (krb5_check_transited): new function that does more useful stuff + + * lib/krb5/get_cred.c: get capath info from [capaths] section + +2003-10-16 Johan Danielsson + + * lib/krb5/fcache.c: Sleep forever waiting for lock. Previous + method doesn't work well with a large number of clients accessing + the cache at the same time, and there is no simple way to add a + timeout to the lock. + +2003-10-13 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c: print the error value + krb5_init_context failed with + + * lib/krb5/config_file.c (krb5_config_parse_file_debug): punt if + there is binding before a section declaration. 
Bug found by + Arkadiusz Miskiewicz + +2003-10-13 Johan Danielsson + + * lib/krb5/fcache.c (erase_file): revert a change in previous; if + the ccache is a symlink, kdestroy should remove it + + * lib/krb5/fcache.c: implement locking + +2003-10-12 Johan Danielsson + + * kuser/klist.c (print_tickets): bail out if krb5_cc_next_cred + returns error other than KRB5_CC_END + +2003-10-07 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c: add some help function that is common + between ENC_TS and SAM2, free the etype{,2}-infos on failure, move + the pa counter into krb5_get_init_creds_ctx + +2003-10-06 Love Hörnquist Åstrand + + * kdc/kaserver.c (do_getticket): if times data is shorter then 8 + byte, request is malformed. + + * kdc/kaserver.c (do_authenticate): if request length is less then + 8 byte, its a bad request and fail. Pointed out by Marco Foglia + + + * lib/krb5/verify_krb5_conf.c: add flag --warn-mit-syntax that + warns for mit syntax is used and just ignore the mit syntax when + its used + + * lib/krb5/verify_krb5_conf.c: parse [kdc]use_2b and [gssapi] + +2003-10-04 Love Hörnquist Åstrand + + * lib/asn1/lex.l: add BOOLEAN + + * lib/asn1/parse.y: add BOOLEAN + +2003-10-03 Love Hörnquist Åstrand + + * kuser/kinit.c: When running kinit in "fork mode" do pagsh + independent of krb4, also always do krb4 setup of cc. Always try + to destroy the v4 cc. + - add boolean --{,no-}request-pac that will request pac or not + + * kuser/klist.c (check_for_tgt): set client as part of the + pattern/match cred + + * lib/krb5/convert_creds.c (_krb5_krb_dest_tkt): unlink v4 token + (get_krb4_cc_name): move out from _krb5_krb_tf_setup + (_krb5_krb_tf_setup): adapt to allocated filename instead of + static filename + + * lib/krb5/krb5-v4compat.h: add _krb5_krb_dest_tkt and TKT_ROOT + + * lib/krb5/init_creds_pw.c (*) send PA_PAC_REQUEST when the user + have requested either use PAC or not use PAC, if the option not + set from the user, leave it up to the kdc to decide. 
+ (init_creds_loop): clear error string on success + + * lib/krb5/init_creds.c: add + krb5_get_init_creds_opt_set_paq_request break out common part of + extended opt functions to require_ext_opt + + * lib/krb5/krb5_locl.h: add enum krb5_get_init_creds_req_pac and + use it in struct _krb5_get_init_creds_opt_private + + * tools/kdc-log-analyze.pl: handle some more failure lines + + * doc/programming.texi: some diffrences between Heimdal and MIT + Kerberos in the API + + * doc/setup.texi: add Setting up DNS + + * lib/krb5/rd_req.c (krb5_rd_req): always free keyblock since its + alway used + + * lib/asn1/Makefile.am: add SAM types and PAC_REQUEST + + * lib/asn1/k5.asn1: add more preauth types, add PA-PAC-REQUEST + + * lib/asn1: add boolean support + +2003-10-02 Love Hörnquist Åstrand + + * lib/krb5/changepw.c (setpw_send_request): free ap_req_data on + failure + +2003-09-30 Love Hörnquist Åstrand + + * appl/test/http_client.c (do_connect): use ai_protocol 0 + + * lib/krb5/init_creds_pw.c (init_cred_loop): handle + KRB5KRB_ERR_RESPONSE_TOO_BIG and loop again, this time requesting + LARGE_MSG from send to kdc, and if this is the second time bail + out; try to free memory + + * lib/krb5/send_to_kdc.c (krb5_sendto_kdc_flags): new function, + and then implement the order krb5_sendto_kdc* function with this + function. + + * lib/krb5/krbhst.c (krb5_krbhst_init_flags): new function, use it + and adapt callers + (krbhst_get_default_proto): new function, returns udp, or in case + large_msg was requested for the krb5_krbhst_data, use tcp. 
+ (*): if the flag KD_LARGE_MSG was set on the krb5_krbhst_data, avoid + using udp, use krbhst_get_default_proto + + * lib/krb5/krb5.h: flags for krb5_krbhst_init_flags (and + krb5_send_to_kdc_flags) + +2003-09-23 Love Hörnquist Åstrand + + * lib/krb5/rd_req.c (krb5_rd_req): if we have a keyblock in auth + context, use that + + * appl/test/uu_client.c: print authorization data if there are any + + * lib/asn1/asn1_print.c: decode IA5Stringa and UTF8String + +2003-09-21 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c: use _krb5_get_init_creds_opt_copy + * lib/krb5/init_creds.c: don't export krb5_get_init_creds_opt_copy + + * lib/hdb/Makefile.am: libhdb might depend on LIB_dlopen + + * kuser/kinit.c: don't get v4 tickets by default + +2003-09-20 Love Hörnquist Åstrand + + * kpasswd/kpasswdd.c (process): remove a abort() + + * doc/win2k.texi: add some text about netdom.exe and trusts + + * TODO-1.0: gssapi rc4 done + + * kpasswd/kpasswdd.c: add support for Set password protocol as + defined by RFC3244 -- Microsoft Windows 2000 Kerberos Change + Password and Set Password Protocols + +2003-09-19 Love Hörnquist Åstrand + + * lib/hdb/db3.c: improve readability of ->open ifdef, check if + version >= 4.1 + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_copy): add + + * lib/krb5/rd_req.c (krb5_rd_req): allow caller to pass in a key + in the auth_context, they way processes that doesn't use the + keytab can still pass in the key of the service (matches behavior + of MIT Kerberos). 
+ +2003-09-18 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c: collect all init_creds context into a + structure so it can easier be passed around, also, while here, + change nonce for every request + + * lib/krb5/get_in_tkt.c (init_as_req): don't realloc data before + the loop, add_padata() will handle that itself + + * lib/krb5/get_for_creds.c (add_addrs): don't increase addr->len + until in contains interesting data, use right iteration counter + when clearing the addresses + + * lib/krb5/log.c (log_realloc): increase len after realloc returns + sucessfully + +2003-09-12 Love Hörnquist Åstrand + + * lib/krb5/config_file.c: fix prototypes + 
From: Fredrik Ljungberg + +2003-09-10 Love Hörnquist Åstrand + + * appl/test/http_client.c: close socket when we are done, don't + allow the server to restart gssapi negotiation + + * lib/hdb/hdb_locl.h: include for ULONG_MAX noted by + Wissler Magnus on heimdal-discuss + + * appl/test/gssapi_client.c (proto): use select_mech + + * appl/test/http_client.c: use getarg + + * appl/test/gss_common.h: prototype for select_mech + + * appl/test/gss_common.c (select_mech): return the gss_OID from a + mech name + + * appl/test/http_client.c: print both source and target + + * appl/test/Makefile.am: build http_client + +2003-09-09 Love Hörnquist Åstrand + + * lib/asn1/asn1_print.c: add support for printing Enumerated + + * appl/test/gssapi_client.c: allow user to select mech; krb5, + spnego, and no-oid + + * appl/test/test_locl.h: add mech + + * appl/test/common.c: add --mech,-m argument + + * appl/test/gssapi_server.c: print the mech that was used + + * kdc/kerberos5.c (only_older_enctype_p): check request if the + client only supports old enctypes, before it used the database + +2003-09-08 Love Hörnquist Åstrand + + * **/*.c: add context argument to krb5_get_init_creds_opt_alloc + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): add + context argument + + * lib/krb5/krb5_get_init_creds.3: spelling + +2003-09-04 Love Hörnquist Åstrand + + * lib/krb5/context.c (add_file): make len argument an pointer to + an integer + + * lib/asn1/k5.asn1: add SAM types + + * lib/krb5/init_creds_pw.c: break out the encrypt timestamp + preauth to its function break out the pa_data_to_key_plain to its + own function make more variables const + +2003-09-04 Johan Danielsson + + * lib/krb5/krb5.conf.5: document appdefaults/{forward,encrypt} + +2003-09-03 Love Hörnquist Åstrand + + * lib/krb5/krb5.h: Add key usage for encryption of the + SAM-NONCE-OR-SAD field. 
+ + * include/make_crypto.c: include in the openssl + case + + * kdc/hprop.h: use new DES_ api + + * lib/krb5/krb5-v4compat.h: assume session key is a char array of + length 8 + + * lib/krb5/prompter_posix.c: + s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * kuser/kinit.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * kdc/string2key.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * kdc/kstash.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * admin/add.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * lib/krb5/crypto.c: switch from the des_ to the DES_ api + + * kdc/hprop.c: use DES_KEY_SZ instead of sizeof(des_block) + + * kuser/kverify.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + + * kpasswd/kpasswd-generator.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + + * kdc/hprop.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free compare + a uint32_t with 0xffffffff instead of -1 + + * lib/krb5/krb5_425_conv_principal.3: fix [Gt] + + * kuser/kinit.c: use + krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): handle + password passed in though context + + * lib/krb5/Makefile.am (TESTS): += test_config + + * lib/krb5/aes-test.c: move variable thats used within a #ifdef to + be defined within that #ifdef + + * lib/krb5/data.c (krb5_data_free): reset whole krb5_data when + freeing it + + * lib/krb5/keyblock.c (krb5_keyblock_zero): new function, zeros + out a keyblock + + * lib/krb5/init_creds_pw.c: rewrite/implement + krb5_get_init_creds_password with new preauth handing, still it + can only work with krb5-pa-enc-timestamp for preauth, but now it + can handle etype-info2 + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): allocate + a opt structure + (krb5_get_init_creds_opt_free): free a opt structure + (krb5_get_init_creds_opt_set_pa_password): set preauth info for + enc-timestamp + + * lib/krb5/krb5_locl.h: add 
struct + _krb5_get_init_creds_opt_private + +2003-09-02 Love Hörnquist Åstrand + + * lib/krb5/krb5.h: add SAM keyusage numbers, add s2k proc typedef, + add a pointer to a private part of krb5_get_init_creds_opt + + * kdc/string2key.c (main): avoid const warning by using a extra + variable + +2003-08-31 Love Hörnquist Åstrand + + * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): + reindent + + * lib/krb5/ticket.c (krb5_copy_ticket): free all data when + failing, copy data to right memory, the later pointed out by Luke + Howard. + +2003-08-30 Love Hörnquist Åstrand + + * lib/krb5/krb5.h: cfx-01 use diffrent usage numbers + +2003-08-29 Love Hörnquist Åstrand + + * lib/hdb/db3.c: try to include more db headers + + * lib/hdb/db3.c: patch for working with DB4 on heimdal-discuss + From: Luke Howard + +2003-08-28 Love Hörnquist Åstrand + + * lib/krb5/krb5.h: add KEYTYPE_ARCFOUR_56 + + * appl/test/gssapi_client.c: send both INT and CONF wrapped token + + * appl/test/gssapi_server.c: recv both INT and CONF wrapped token + + * lib/asn1/k5.asn1: add KRB5_NT_SMTP_NAME and KRB5_NT_ENTERPRISE + +2003-08-27 Love Hörnquist Åstrand + + * appl/test/uu_client.c (proto): fill in client in the match cred + +2003-08-26 Love Hörnquist Åstrand + + * lib/krb5/krb5.h: CFX uses slightly diffrent usage numbers + + * lib/krb5/crypto.c (usage2arcfour): simplify, only include + special cases From: Luke Howard + +2003-08-25 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: code rewrite from Luke Howard + + + * lib/krb5/crypto.c (arcfour_checksum_p): return true when is + arcfour, not when its not pointed out by Luke Howard + + * doc/ack.texi: update Luke Howard email address + +2003-08-24 Love Hörnquist Åstrand + + * lib/krb5/krb5_encrypt.3: document: + krb5_crypto_getconfoundersize, krb5_crypto_getblocksize + krb5_crypto_getenctype, krb5_crypto_getpadsize + + * lib/krb5/crypto.c (krb5_crypto_getpadsize, + krb5_crypto_getconfoundersize): added 
From: Luke Howard + + +2003-08-23 Love Hörnquist Åstrand + + * kdc/connect.c (handle_tcp): handle recvfrom returning 0 + (connection closed) + + * kdc/connect.c (grow_descr): increment the size after we succeed + to allocate the space + + * lib/krb5/krb5_create_checksum.3: text about when + krb5_crypto_get_checksum_type is useful + + * lib/krb5/crypto.c (krb5_crypto_get_checksum_type): fix format + string + + * lib/krb5/krb5_create_checksum.3: document + krb5_crypto_get_checksum_type + + * lib/krb5/crypto.c: add krb5_crypto_get_checksum_type + From: Luke Howard + + * lib/asn1/gen.c: s/UTF8String/heim_utf8_string/ in generated code + From: Luke Howard + +2003-08-21 Love Hörnquist Åstrand + + * include/make_crypto.c: include aes.h inc in the local libdes + case too + +2003-08-20 Johan Danielsson + + * lib/asn1/der_free.c: set free'd poiners to NULL + + * lib/asn1/gen_free.c: set free'd poiners to NULL + +2003-08-20 Love Hörnquist Åstrand + + * lib/krb5/heim_threads.h: XXX don't use "plain" pthread support + on netbsd + + * lib/krb5/crypto.c: Do the arcfour checksum mapping for + krb5_create_checksum and krb5_verify_checksum, 
From: Luke Howard + + +2003-08-18 Love Hörnquist Åstrand + + * lib/krb5/test_config.c: check krb5_prepend_config_files_default + and krb5_prepend_config_files + + * lib/krb5/context.c: add krb5_prepend_config_files and + krb5_prepend_config_files_default + +2003-08-17 Love Hörnquist Åstrand + + * lib/hdb/mkey.c (read_master_mit): krb5_ret_int16 takes a int16_t + as argument + + * lib/krb5/parse-name-test.c: please lint (and me) + + * kdc/config.c (configure): remove only set variable 'e' + + * kdc/connect.c (init_socket): sockaddr size argument to + krb5_addr2sockaddr is a krb5_addr2sockaddr * + + * kdc/kerberos5.c (as_rep): remove usused variable + (tgs_rep2): don't use a temporary ret-variable, ret is reset later + + * lib/krb5/krb5_get_in_cred.3: these function will be deprecated + + * lib/krb5/Makefile.am: man_MANS += krb5_get_init_creds.3 + + * lib/krb5/krb5_get_init_creds.3: begining of documentation of + krb5_get_init_creds + + * lib/krb5/get_in_tkt.c (krb5_get_in_tkt): for compatibility with + with the mit implemtation, don't free `creds' argument when done, + its up the the caller to do that, also allow a NULL ccache. + +2003-08-16 Love Hörnquist Åstrand + + * lib/krb5/krb5.conf.5: document tgs_require_subkey + + * lib/asn1/Makefile.am: remove trance of generate tests files, its + not really for consumption yet + + * lib/hdb/Makefile.am: split generated source from non generated + source we make-proto.pl can generate prototypes for non + generate-source only (make-proto.pl dies on asn1compile's .c + files) + + * lib/krb5/get_cred.c (init_tgs_req): make generation of subkey + optional on configuration parameter + [realms]realm={tgs_require_subkey=bool} + defaults to off. The RFC1510 weakly defines the correct behavior, + so old DCE secd apparently required the subkey to be there, and MS + will use it when its there. But the request isn't encrypted in the + subkey, so you get to choose if you want to talk to a MS mdc or a + old DCE secd. 
+ + * kdc/kerberos5.c (*): handle krb5_unparse_name returning non-zero + +2003-08-15 Love Hörnquist Åstrand + + * lib/krb5/principal.c (unparse_name): len can't be zero, so, + don't check for that + +2003-08-13 Love Hörnquist Åstrand + + * lib/krb5/principal.c (unparse_name): make sure there are space + for a NUL, set *name to NULL when there is a failure (so caller + can't get hold of a freed pointer) + +2003-07-26 Love Hörnquist Åstrand + + * lib/krb5/kerberos.8: remove duplicate manual, from + cjep@netbsd.org + +2003-07-25 Love Hörnquist Åstrand + + * lib/krb5/cache.c: indent + + * lib/krb5/cache.c (krb5_cc_set_default_name): only read + KRB5CCNAME when not suid + +2003-07-24 Love Hörnquist Åstrand + + * lib/krb5/keytab_krb4.c (read_v4_entry): the des key is 8 bytes, + use a char array instead of des_cblock + +2003-07-23 Love Hörnquist Åstrand + + * kdc/kerberos5.c: add support for KRB5_PADATA_ETYPE_INFO2 + + * lib/krb5/crypto.c (hmac): make it return an error when out of + memory, update callsites to either return error or use krb5_abortx + (krb5_hmac): expose hmac + +2003-07-22 Love Hörnquist Åstrand + + * lib/krb5/keyblock.c (krb5_keyblock_get_enctype): return enctype + of keyblock + + * lib/krb5/Makefile.am (man_MANS): += krb5_keyblock.3 + + * lib/krb5/krb5_keyblock.3: some information about krb5_keyblock + and related functions + + * lib/krb5/heim_threads.h: make the non-debug version of the mutex + macros "use" the "mutex" integer so the compile wont complain + about defined unused variables + + * lib/krb5/heim_threads.h: make thread local storage macros take a + "return" argument so no functions need to be created for the + no-pthread case + + * lib/krb5/heim_threads.h: adding RWLOCKS and [sg]etspecific + + * configure.in: use KRB_PTHREADS + + * lib/asn1/Makefile.am (gen_files): add asn1_KerberosString and + sort + + * lib/asn1/k5.asn1 (ETYPE-INFO2-ENTRY): salt is a KerberosString + + * lib/krb5/krb5.3: add ticket access functions + * 
lib/krb5/krb5_ticket.3: ditto + * lib/krb5/ticket.c: ditto + * lib/krb5/Makefile.am: ditto + + * lib/krb5/mit_glue.c: add some more krb5_c functions + + * lib/krb5/krb5_c_make_checksum.3: add some more krb5_c functions + + * lib/krb5/crypto.c (krb5_cksumtype_valid): check is checksum type + is a valid one + + * lib/krb5/crypto.c (krb5_checksum_is_keyed): only set extented + error string when there is a context + (krb5_checksum_is_collision_proof): ditto + +2003-07-21 Love Hörnquist Åstrand + + * lib/krb5/mit_glue.c (krb5_c_get_checksum): make type and data + argument optional + (krb5_c_{encrypt,decrypt}): return "better" error codes for + invalid ivec length + + * lib/krb5/krb5_c_make_checksum.3: update krb5_c_get_checksum + usage + + * lib/krb5/crypto.c (krb5_crypto_getenctype): new function + + * include/make_crypto.c: avoid redefining + OPENSSL_DES_LIBDES_COMPATIBILITY + + * lib/krb5/krb5.h: add krb5_enc_data + +2003-07-19 Love Hörnquist Åstrand + + * lib/krb5/krb5.3: add krb5_c_ functions + + * lib/krb5/mit_glue.c: support passing in NULL as the + cipher_state/ivec + + * lib/krb5/aes-test.c: add test for krb5_c_encrypt_length and + krb5_c_decrypt + + * lib/krb5/krb5_c_make_checksum.3: krb5_c encryption glue + + * lib/krb5/crypto.c (wrapped_length/wrapped_length_derived): when + calculating the length of the encrypted data, use the keyed + checksum length if the enctype supports a keyed checksum. This + only matter for aes, for all other enctypes the key and unkeyed + checksum have the same length. 
+ +2003-07-18 Love Hörnquist Åstrand + + * lib/krb5/mit_glue.c: first version of krb5_c encryption glue + + * doc/install.texi: update pointer to luke ldap documentation + + * lib/hdb/hdb.c (hdb_create): check for dynamic backend after + static to avoid warning from dynamic backend when using a known + static backend + +2003-07-16 Love Hörnquist Åstrand + + * lib/krb5/cache.c: don't return value in void function + +2003-07-15 Love Hörnquist Åstrand + + * lib/krb5/creds.c (krb5_compare_creds): if client is specified in + the mcreds, check that too + + * lib/krb5/{keytab_file.c,principal.c,mk_error.c,krb5.h,get_cred.c}: + prefix libasn1 types with heim_ + + * lib/asn1: prefix typedefs and structs with heim_ + +2003-07-13 Love Hörnquist Åstrand + + * lib/hdb/hdb.c: avoid unnecessary setting of variable + +2003-07-07 Love Hörnquist Åstrand + + * kuser/klist.c (check_for_tgt): use krb5_cc_clear_mcred + + * appl/test/uu_client.c (proto): use krb5_cc_clear_mcred + + * lib/krb5/get_cred.c (init_tgs_req): in case of error, don't free + in the req_body addresses since they where pass in by caller + (find_cred): use krb5_cc_clear_mcred + + * lib/krb5/krb5_ccache.3: document krb5_cc_clear_mcred + + * lib/krb5/cache.c (krb5_cc_clear_mcred): new function, clear a + krb5_creds to use with krb5_cc_retrieve_cred + +2003-06-30 Love Hörnquist Åstrand + + * lib/hdb/hdb.c (find_dynamic_method): if there isn't a prefix, + don't load anything + +2003-06-29 Love Hörnquist Åstrand + + * lib/hdb/hdb.c: Dynamic backend loading, based on patch from Luke + Howard + + * lib/hdb/hdb.h: add struct hdb_so_method and + HDB_INTERFACE_VERSION + +2003-06-28 Love Hörnquist Åstrand + + * lib/krb5/mk_req_ext.c (krb5_mk_req_internal): when using + arcfour-hmac-md5, use an unkeyed checksum (rsa-md5), since + Microsoft calculates the keyed checksum with the subkey of the + authenticator. 
+ + * kuser/kinit.c: write out v4 credential caches with + _krb5_krb_tf_setup + + * lib/krb5/krb5-v4compat.h: add _krb5_krb_tf_setup + + * lib/krb5/convert_creds.c (_krb5_krb_tf_setup): create/append v4 + credential to a new krb4 ticket file + +2003-06-27 Johan Danielsson + + * lib/krb5/krb5_kuserok.3: put Nd argument in double quotes since + it contains more than 9 words; from wiz + +2003-06-25 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c: add missing " within #if 0, from + stefan sokoll + +2003-06-24 Love Hörnquist Åstrand + + * lib/krb5/krb5_timeofday.3: improve krb5_set_real_time text + + * lib/krb5/time.c: improve comment for krb5_set_real_time + +2003-06-23 Johan Danielsson + + * kuser/kinit.1: document -A + + * kuser/kinit.c: add -A as an alias for --no-addresses + +2003-06-22 Love Hörnquist Åstrand + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): pass in a + krb5_timestamp to krb5_us_timeofday + + * lib/krb5/mk_error.c (krb5_mk_error): pass in a krb5_timestamp to + krb5_us_timeofday + + * lib/krb5/time.c (krb5_set_real_time): fix comment and make it + work + + * lib/krb5/time.c, lib/krb5/krb5_timeofday.3, + lib/krb5/Makefile.am lib/krb5/test_time.c: + + implement krb5_set_real_time, used by SAMBA, requested by Luke + Howard + + * lib/asn1/k5.asn1: make the aes and sha1 checksum types match + draft-ietf-krb-wg-crypto-05 + +2003-06-21 Love Hörnquist Åstrand + + * lib/krb5/aes-test.c: add a test for aes kcrypto encrypted data + + * lib/krb5/crypto.c: clean up AES code to use a structure instead + of a key array + (_krb5_AES_string_to_default_iterator): set to 4096 as described in + aes draft -04 + (derive_key): always remove the key->schedule since its + will contain the wrong (parent key) info + +2003-06-18 Love Hörnquist Åstrand + + * lib/krb5/aes-test.c: add aes256 test vectors from Ken Raeburn + * doc/setup.texi: add more kdc's to the example + +2003-06-17 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: use int2HDBFlags/HDBFlags2int 
From: Alberto + Patino , Luke Howard + Pointed out by Andrew Bartlett of Samba + + * lib/krb5/heim_threads.h: remove freebsd comment, don't use debug + pthread stubs by default + + * lib/krb5/Makefile.am (man_MANS): drop krb5_free_addresses.3 + + * lib/krb5/krb5_free_addresses.3: removed file, functions are + documented in krb5_address.3 + + * lib/krb5/codec.c: add krb5_{de,en}code_ETYPE_INFO2 + + * lib/krb5/crypto.c: add _krb5_AES_string_to_default_iterator add + krb5_string_to_key_salt_opaque() fix keylengh for keytype_aes256 + +2003-06-06 Love Hörnquist Åstrand + + * doc/setup.texi: Point out that slave needs /var/heimdal + directory and masterkey 
From: Mans Nilsson , + Fix spelling while here + +2003-06-02 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am, krb5_get_in_cred.3, krb5.3: + add manpage for: krb5_get_in_cred, krb5_get_in_tkt, + krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_password, + krb5_get_in_tkt_with_skey + +2003-05-28 Assar Westerlund + + * lib/krb5/heim_threads.h: Fix unlock/destroy macros for the + non-threaded cases to work. Fix typo. + +2003-05-27 Johan Danielsson + + * lib/asn1/{der_put.c,der_length.c,check-der.c}: Fix encoding of + "unsigned" integers. If MSB is set, we need to pad with a zero + byte. + +2003-05-27 Love Hörnquist Åstrand + + * lib/krb5/krb5_c_make_checksum.3: some more mdoc fixes + + * lib/hdb/hdb-ldap.c (LDAP__connect): bind sasl "EXTERNAL" to ldap + connection + (LDAP_store): remove superfluous argument to asprintf + + From Alberto Patino + +2003-05-26 Love Hörnquist Åstrand + + * lib/krb5/*.[0-9]: pacify mdoclink + + * lib/krb5/krb5_ccache.3: document diffrences between mit and + heimdal krb5_cc_gen_new ccache -> credential cache s/[\t ]+$// + +2003-05-21 Love Hörnquist Åstrand + + * appl/test/gssapi_server.c (proto): start to use + gss_krb5_copy_ccache + + * appl/test/nt_gss_server.c (proto): comment out gss_ctx_id_t + groveling for now + +2003-05-20 Love Hörnquist Åstrand + + * lib/asn1: + - add parser/generate glue for UTF8String and NULL + (DER primitive encode/decode functions missing) + - handle parsing of DEFAULT and, ... 
+ +2003-05-16 Love Hörnquist Åstrand + + * lib/krb5/heim_threads.h: add missing argument to mutex_init + + * lib/krb5/crypto.c: protect the random initiator with a mutex + + * lib/krb5/mcache.c: protect the mcc_head with a mutex + + * lib/krb5/krb5_locl.h: include heim_threads.h + + * lib/krb5/heim_threads.h: wrapper macros for thread + synchronization primitives + +2003-05-15 Love Hörnquist Åstrand + + * lib/krb5/krb5_principal.3 + lib/krb5/Makefile.am: + Add all Kerberos principal function to one manpage, add a few more + principal function to it, remove old now dup manpages + + * lib/krb5/krb5_build_principal.3: remove file + * lib/krb5/krb5_free_principal.3: remove file + * lib/krb5/krb5_sname_to_principal.3: remove file + * lib/krb5/krb5_principal_get_realm.3: remove file + +2003-05-14 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.8: sort sections, from netbsd + + * lib/krb5/krb5_verify_user.3: .Sh EXAMPLE -> .Sh EXAMPLES, from + netbsd + + * lib/krb5/krb5_openlog.3: .Sh EXAMPLE -> .Sh EXAMPLES, sort + sections, from netbsd + + * lib/krb5/krb5_keytab.3: .Sh EXAMPLE -> .Sh EXAMPLES, mdoc fixes, + from netbsd + + * lib/krb5/krb5_get_krbhst.3: .Sh EXAMPLE -> .Sh EXAMPLES, from + netbsd + + * lib/krb5/krb5_get_all_client_addrs.3: add .Os, from NetBSD + + * lib/krb5/krb5_build_principal.3: sort sections, from NetBSD + + * lib/krb5/krb5.conf.5: .Sh EXAMPLE -> .Sh EXAMPLES, from netbsd + + * lib/krb5/get_default_realm.c: compatability -> compatibility, + from netbsd + + * lib/krb5/krb5_warn.3: add copyright/license + + * lib/krb5/krb5_context.3: add SYNOPSIS and LIBRARY + + * lib/krb5/krb5.3: add RCSID + + * kdc/hprop.8: fix mdoc problem, from netbsd + + * lib/krb5/krb5_krbhst_init.3: uppercase url, from Thomas Klausner + + + * kuser/kinit.1: setup -> set up, new sentence, new line from + Thomas Klausner + +2003-05-13 Love Hörnquist Åstrand + + * kpasswd/kpasswd.1: handle setting passwords for multiple + principals at the same time + + * kpasswd/kpasswd.c: 
handle setting passwords for multiple + principals at the same time + + * lib/krb5/changepw.c: draft-ietf-cat-kerb-chg-password-02 and + rfc3244 share the response packet sure more constants now that + they exists + +2003-05-12 Love Hörnquist Åstrand + + * lib/krb5/krb5.h: some define for rfc3244 + + * lib/krb5/krb5.3: add krb5_change_password and krb5_set_password + + * kpasswd/kpasswd.1: document --admin-principal + + * kpasswd/kpasswd.c: use krb5_set_password + + * lib/krb5/krb5_set_password.3: document krb5_change_password and + krb5_set_password + + * lib/krb5/changepw.c: implement rfc3244, partly from + shadow@dementia.org + + * lib/asn1/Makefile.am (gen_files): asn1_ChangePasswdDataMS.x for + RFC3244 + + * lib/asn1/k5.asn1: add ChangePasswdDataMS, for + RFC3244 + +2003-05-08 Love Hörnquist Åstrand + + * kuser/kdestroy.c: destroy tokens even if there isn't v4 support + + * kuser/kinit.c: get token even if there isn't v4 support + + * kuser/klist.c: print tokens even if there isn't v4 support + +2003-05-06 Johan Danielsson + + * lib/krb5/name-45-test.c: need to use empty krb5.conf for some + tests + + * lib/asn1/check-gen.c: there is no \e escape sequence; replace + everything with hex-codes, and cast to unsigned char* to make some + compilers happy + +2003-05-06 Love Hörnquist Åstrand + + * lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first + argument to krb5_us_timeofday have correct type + +2003-05-05 Assar Westerlund + + * include/make_crypto.c (main): include aes.h if ENABLE_AES + +2003-05-05 Love Hörnquist Åstrand + + * make-release: when fixing a valid cvs tag from release name + replace all number. 
to number- for all non-overlapping matches + +2003-05-04 Love Hörnquist Åstrand + + * lib/asn1/Makefile.am: gen_files += asn1_ETYPE_INFO2.x and + asn1_ETYPE_INFO2_ENTRY.x + (libasn1_la_LDFLAGS): set version to 6:1:1 + + * doc/Makefile.am: add apps.texi + + * doc/setup.texi: add move forward link to applications + + * doc/heimdal.texi: add applications + + * doc/misc.texi: move afs stuff to applications add link to + applications + + * doc/apps.texi: text about applications using kerberos + move afs text here + +2003-05-03 Love Hörnquist Åstrand + + * doc/setup.texi: add cross realm text + +2003-04-29 Love Hörnquist Åstrand + + * lib/krb5/krb5_crypto_init.3: document krb5_enctype_to_string and + krb5_string_to_enctype + +2003-04-28 Love Hörnquist Åstrand + + * kdc/v4_dump.c (v4_prop_dump): limit strings length, from openbsd + +2003-04-26 Love Hörnquist Åstrand + + * lib/krb5/aes-test.c: use _krb5_PKCS5_PBKDF2 + * lib/krb5/crypto.c: unexport krb5_PKCS5_PBKDF2 + +2003-04-25 Johan Danielsson + + * lib/krb5/build_auth.c (krb5_build_authenticator): if the local + sequence number is non-zero, don't generate a new one + + * lib/krb5/mk_rep.c (krb5_mk_rep): if the local sequence number is + non-zero, don't generate a new one + + * lib/krb5/time.c (krb5_us_timeofday): make the sec parameter a + krb5_timestamp + + * lib/krb5/mk_priv.c lib/krb5/mk_safe.c lib/krb5/rd_priv.c + lib/krb5/rd_safe.c lib/krb5/rd_cred.c: implement RET_SEQUENCE and + RET_TIME + + * lib/krb5/krb5.h (krb5_replay_data): make usec signed (matching + asn1) + +2003-04-24 Love Hörnquist Åstrand + + * doc/programming.texi: s/managment/management/, from jmc + + +2003-04-23 Love Hörnquist Åstrand + + * lib/krb5/context.c (default_etypes): also advertise that we + handle aes encryption types + + * lib/krb5/Makefile.am: add krb5_c_ checksum related functions + + * lib/krb5/krb5_c_make_checksum.3: document krb5_c_ checksum + related functions + + * lib/krb5/mit_glue.c: add compat mit krb5_c checksum related + 
functions + + * lib/asn1/k5.asn1: add ETYPE-INFO2 and ETYPE-INFO2-ENTRY + +2003-04-22 Love Hörnquist Åstrand + + * lib/krb5/krbhst.c: copy NUL too, from janj@wenf.org via openbsd + +2003-04-17 Love Hörnquist Åstrand + + * lib/asn1/der_copy.c (copy_general_string): use strdup + * lib/asn1/der_put.c: remove sprintf + * lib/asn1/gen.c: remove strcpy/sprintf + + * lib/krb5/name-45-test.c: use a more unique name then ratatosk so + that other (me) have such hosts in the local domain and the tests + fails, to take hokkigai.pdc.kth.se instead + + * lib/krb5/test_alname.c: add --version and --help + +2003-04-16 Love Hörnquist Åstrand + + * lib/krb5/krb5_warn.3: add krb5_get_err_text + + * lib/krb5/transited.c: use strlcat/strlcpy, from openbsd + * lib/krb5/krbhst.c (srv_find_realm): use strlcpy, from openbsd + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): use + strlcpy, from openbsd + * kdc/hpropd.c: s/strcat/strlcat/, inspired from openbsd + * appl/kf/kfd.c: use strlcpy, from openbsd + +2003-04-16 Johan Danielsson + + * configure.in: fix for large file support in AIX, _LARGE_FILES + needs to be defined on the command line, since lex likes to + include stdio.h before we get to config.h + +2003-04-16 Love Hörnquist Åstrand + + * lib/krb5/*.3: Change .Fd #include to .In header.h, + from Thomas Klausner + + * lib/krb5/krb5.conf.5: spelling, from Thomas Klausner + + +2003-04-15 Love Hörnquist Åstrand + + * kdc/kerberos5.c: fix some more memory leaks + +2003-04-11 Love Hörnquist Åstrand + + * appl/kf/kf.1: spelling, from jmc + +2003-04-08 Love Hörnquist Åstrand + + * admin/ktutil.8: typos, from jmc + +2003-04-06 Love Hörnquist Åstrand + + * lib/krb5/krb5.3: s/kerberos/Kerberos/ + * lib/krb5/krb5_data.3: s/kerberos/Kerberos/ + * lib/krb5/krb5_address.3: s/kerberos/Kerberos/ + * lib/krb5/krb5_ccache.3: s/kerberos/Kerberos/ + * lib/krb5/krb5.conf.5: s/kerberos/Kerberos/ + * kuser/kinit.1: s/kerberos/Kerberos/ + * kdc/kdc.8: s/kerberos/Kerberos/ + +2003-04-01 Love 
Hörnquist Åstrand + + * lib/krb5/test_alname.c: more krb5_aname_to_localname tests + + * lib/krb5/aname_to_localname.c (krb5_aname_to_localname): when + converting too root, make sure user is ok according to + krb5_kuserok before allowing it. + + * lib/krb5/Makefile.am (noinst_PROGRAMS): += test_alname + + * lib/krb5/test_alname.c: add test for krb5_aname_to_localname + + * lib/krb5/crypto.c (krb5_DES_AFS3_CMU_string_to_key): used p1 + instead of the "illegal" salt #~, same change as kth-krb did + 1999. Problems occur with crypt() that behaves like AT&T crypt + (openssl does this). Pointed out by Marcus Watts. + + * admin/change.c (kt_change): collect all principals we are going + to change, and pick the highest kvno and use that to guess what + kvno the resulting kvno is going to be. Now two ktutil change in a + row works. XXX fix the protocol to pass the kvno back. + +2003-03-31 Love Hörnquist Åstrand + + * appl/kf/kf.1: afs->AFS, from jmc + +2003-03-30 Love Hörnquist Åstrand + + * doc/setup.texi: add description on how to turn on v4, 524 and + kaserver support + +2003-03-29 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c (appdefaults_entries): add afslog + and afs-use-524 + +2003-03-28 Love Hörnquist Åstrand + + * kdc/kerberos5.c (as_rep): when the second enctype_to_string + failes, remember to free memory from the first enctype_to_string + + * lib/krb5/crypto.c (usage2arcfour): map KRB5_KU_TICKET to 2, + from Harald Joerg + (enctype_arcfour_hmac_md5): disable checksum_hmac_md5_enc + + * lib/hdb/mkey.c (hdb_unseal_keys_mkey): truncate key to the key + length when key is longer then expected length, its probably + longer since the encrypted data was padded, reported by Aidan + Cully + + * lib/krb5/crypto.c (krb5_enctype_keysize): return key size of + encyption type, inspired by Aidan Cully + +2003-03-27 Love Hörnquist Åstrand + + * lib/krb5/keytab.c (krb5_kt_get_entry): avoid printing 0 + (wildcard kvno) after principal when the keytab entry isn't found, 
+ reported by Chris Chiappa + +2003-03-26 Love Hörnquist Åstrand + + * doc/misc.texi: update 2b example to match reality (from + mattiasa@e.kth.se) + + * doc/misc.texi: spelling and add `Configuring AFS clients' + subsection + +2003-03-25 Love Hörnquist Åstrand + + * lib/krb5/krb5.3: add krb5_free_data_contents.3 + + * lib/krb5/data.c: add krb5_free_data_contents for compat with MIT + API + + * lib/krb5/krb5_data.3: add krb5_free_data_contents for compat + with MIT API + + * lib/krb5/krb5_verify_user.3: write more about how the ccache + argument should be inited when used + +2003-03-25 Johan Danielsson + + * lib/krb5/addr_families.c (krb5_print_address): make sure + print_addr is defined for the given address type; make addrports + printable + + * kdc/string2key.c: print the used enctype for kerberos 5 keys + +2003-03-25 Love Hörnquist Åstrand + + * lib/krb5/aes-test.c: add another arcfour test + +2003-03-22 Love Hörnquist Åstrand + + * lib/krb5/aes-test.c: sneek in a test for arcfour-hmac-md5 + +2003-03-20 Love Hörnquist Åstrand + + * lib/krb5/krb5_ccache.3: update .Dd + + * lib/krb5/krb5.3: sort in krb5_data functions + + * lib/krb5/Makefile.am (man_MANS): += krb5_data.3 + + * lib/krb5/krb5_data.3: document krb5_data + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): if + prompter is NULL, don't try to ask for a password to + change. reported by Iain Moffat @ ufl.edu via Howard Chu + + +2003-03-19 Love Hörnquist Åstrand + + * lib/krb5/krb5_keytab.3: spelling, from + + + * lib/krb5/krb5.conf.5: . 
means new line + + * lib/krb5/krb5.conf.5: spelling, from + + + * lib/krb5/krb5_auth_context.3: spelling, from + + +2003-03-18 Love Hörnquist Åstrand + + * kuser/Makefile.am: INCLUDES: -I$(srcdir)/../lib/krb5 + + * lib/krb5/convert_creds.c: add _krb5_krb_life_to_time + + * lib/krb5/krb5-v4compat.h: add _krb5_krb_life_to_time + + * kdc/kdc_locl.h: 524 is independent of kerberos 4, so move out + #ifdef KRB4 from enable_v4_cross_realm since 524 needs it + + * kdc/config.c: 524 is independent of kerberos 4, so move out + enable_v4_cross_realm from #ifdef KRB4 since 524 needs it + +2003-03-17 Assar Westerlund + + * kdc/kdc.8: document --kerberos4-cross-realm + * kdc/kerberos4.c: pay attention to enable_v4_cross_realm + * kdc/kdc_locl.h (enable_v4_cross_realm): add + * kdc/524.c (encode_524_response): check the enable_v4_cross_realm + flag before giving out v4 tickets for foreign v5 principals + * kdc/config.c: add --enable-kerberos4-cross-realm option (default + to off) + +2003-03-17 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am (man_MANS) += krb5_aname_to_localname.3 + + * lib/krb5/krb5_aname_to_localname.3: manpage for + krb5_aname_to_localname + + * lib/krb5/krb5_kuserok.3: s/KRB5_USEROK/KRB5_KUSEROK/ + +2003-03-16 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am (man_MANS): add krb5_set_default_realm.3 + + * lib/krb5/krb5.3: add manpages from krb5_set_default_realm.3 + + * lib/krb5/krb5_set_default_realm.3: Manpage for + krb5_free_host_realm, krb5_get_default_realm, + krb5_get_default_realms, krb5_get_host_realm, and + krb5_set_default_realm. 
+ + * admin/ktutil.8: s/entype/enctype/, from Igor Sobrado + via NetBSD + + * lib/krb5/krb5_keytab.3: add documention for krb5_kt_get_type + + * lib/krb5/keytab.c (krb5_kt_get_type): get prefix/type of keytab + + * lib/krb5/krb5.h (KRB5_KT_PREFIX_MAX_LEN): max length of prefix + + * lib/krb5/krb5_ccache.3: document krb5_cc_get_ops, add more + types, add krb5_fcc_ops and krb5_mcc_ops + + * lib/krb5/cache.c (krb5_cc_get_ops): new function, return ops for + a id + +2003-03-15 Love Hörnquist Åstrand + + * doc/intro.texi: add reference to source code, binaries and the + manual + + * lib/krb5/krb5.3: krb5.h isn't in krb5 directory in heimdal + +2003-03-14 Love Hörnquist Åstrand + + * kdc/kdc.8: better/difrent english + + * kdc/kdc.8: . -> .\n, copyright/license + + * kdc/kdc.8: changed configuration file -> restart kdc + + * kdc/kerberos4.c: add krb4 into the most error messages written + to the logfile + + * lib/krb5/krb5_ccache.3: add missing name of argument + (krb5_context) to most functions + +2003-03-13 Love Hörnquist Åstrand + + * lib/krb5/kuserok.c (krb5_kuserok): preserve old behviour of + function and return FALSE when there isn't a local account for + `luser'. 
+ + * lib/krb5/krb5_kuserok.3: fix prototype, spelling and more text + describing the function + +2003-03-12 Love Hörnquist Åstrand + + * lib/krb5/cache.c (krb5_cc_default): if krb5_cc_default_name + returned memory, don't return ENOMEM + +2003-03-11 Love Hörnquist Åstrand + + * lib/krb5/krb5.3: add krb5_address stuff and sort + + * lib/krb5/krb5_address.3: fix krb5_addr2sockaddr description + + * lib/krb5/Makefile.am (man_MANS): += krb5_address.3 + + * lib/krb5/krb5_address.3: document types krb5_address and + krb5_addresses and their helper functions + +2003-03-10 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am (man_MANS): += krb5_kuserok.3 + + * lib/krb5/krb5_kuserok.3: spelling, from cizzi@it.su.se + + * lib/krb5/Makefile.am (man_MANS): += krb5_ccache.3 + + * lib/krb5/krb5_ccache.3: spelling, from cizzi@it.su.se + + * lib/krb5/krb5.3: add more functions + + * lib/krb5/krb5_ccache.3: document krb5_ccache and krb5_cc + functions + + * lib/krb5/krb5_kuserok.3: document krb5_kuserok + + * lib/krb5/krb5_verify_user.3: document + krb5_verify_opt_set_flags(opt, KRB5_VERIFY_LREALMS) behavior + + * lib/krb5/krb5_verify_user.3: document krb5_verify_opt* and + krb5_verify_user_opt + + * lib/krb5/*.[0-9]: add copyright/licenses on more manpages + + * kuser/kdestroy.c (main): handle that krb5_cc_default_name can + return NULL + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump minor + (TESTS): add test_cc + + * lib/krb5/test_cc.c: test some + krb5_cc_default_name/krb5_cc_set_default_name combinations + + * lib/krb5/context.c (init_context_from_config_file): set + default_cc_name to NULL + (krb5_free_context): free default_cc_name if set + + * lib/krb5/cache.c (krb5_cc_set_default_name): new function + (krb5_cc_default_name): use krb5_cc_set_default_name + + * lib/krb5/krb5.h (krb5_context_data): add default_cc_name + +2003-02-25 Love Hörnquist Åstrand + + * appl/kf/kf.1: s/securly/securely/ from NetBSD + +2003-02-18 Love Hörnquist Åstrand + + * kdc/connect.c: 
s/intialize/initialize, from + + +2003-02-17 Love Hörnquist Åstrand + + * configure.in: add AM_MAINTAINER_MODE + +2003-02-16 Love Hörnquist Åstrand + + * **/*.[0-9]: add copyright/licenses on all manpages + +2003-14-16 Jacques Vidrine + + * lib/krb5/get_in_tkt.c (init_as_req): Send only a single + PA-ENC-TIMESTAMP in the AS-REQ, using the first encryption + type specified by the KDC. + +2003-02-15 Love Hörnquist Åstrand + + * fix-export: some autoconf put their version number in + autom4te.cache, so remove autom4te*.cache + + * fix-export: make sure $1 is a directory + +2003-02-04 Love Hörnquist Åstrand + + * kpasswd/kpasswdd.8: spelling, from jmc + + * kdc/kdc.8: spelling, from jmc + +2003-01-31 Love Hörnquist Åstrand + + * kdc/hpropd.8: s/databases/a database/ s/Not/not/ + + * kdc/hprop.8: add missing . + +2003-01-30 Love Hörnquist Åstrand + + * lib/krb5/krb5.conf.5: documentation for of boolean, etypes, + address, write out encryption type in sentences, s/Host/host + +2003-01-26 Love Hörnquist Åstrand + + * lib/asn1/check-gen.c: add checks for Authenticator too + +2003-01-25 Love Hörnquist Åstrand + + * doc/setup.texi: in the hprop example, use hprop and the first + component, not host + + * lib/krb5/get_addrs.c (find_all_addresses): address-less + point-to-point might not have an address, just ignore + those. Reported by Harald Barth. 
+ +2003-01-23 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c (check_section): when key isn't + found, don't print out all known keys + + * lib/krb5/verify_krb5_conf.c (syslogvals): mark up where severity + and facility start resp + (check_log): find_value() returns -1 when key isn't found + + * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): make key argument a + 'const void *' to avoid AES_KEY being exposed in krb5-private.h + + * lib/krb5/krb5.conf.5: add [kdc]use_2b + + * kdc/524.c (encode_524_response): its 2b not b2 + + * doc/misc.texi: quote @ where missing + + * lib/asn1/Makefile.am: add check-gen + + * lib/asn1/check-gen.c: add Principal check + + * lib/asn1/check-common.h: move generic asn1/der functions from + check-der.c to here + + * lib/asn1/check-common.c: move generic asn1/der functions from + check-der.c to here + + * lib/asn1/check-der.c: move out the generic asn1/der functions to + a common file + +2003-01-22 Love Hörnquist Åstrand + + * doc/misc.texi: more text about afs, how to get get your KeyFile, + and how to start use 2b tokens + + * lib/krb5/krb5.conf.5: spelling, from Jason McIntyre + + +2003-01-21 Jacques Vidrine + + * kuser/kuser_locl.h: include crypto-headers.h for + des_read_pw_string prototype + +2003-01-16 Love Hörnquist Åstrand + + * admin/ktutil.8: document -v, --verbose + + * admin/get.c (kt_get): make getarg usage consistent with other + other parts of ktutil + + * admin/copy.c (kt_copy): remove adding verbose_flag to args + struct, since it will overrun the args array (from Sumit Bose) + +2003-01-15 Love Hörnquist Åstrand + + * lib/krb5/krb5.conf.5: write more about [realms] REALM = { kdc = + ... } + + * lib/krb5/aes-test.c: test vectors in aes-draft + + * lib/krb5/Makefile.am: add aes-test.c + + * lib/krb5/crypto.c: Add support for AES + (draft-raeburn-krb-rijndael-krb-02), not enabled by default. 
+ (HMAC_SHA1_DES3_checksum): rename to SP_HMAC_SHA1_checksum and modify + to support checksumtype that are have a shorter wireformat then + their output block size. + + * lib/krb5/crypto.c (struct encryption_type): split the blocksize + into blocksize and padsize, padsize is the minimum padding + size. they are the same for now + (enctype_*): add padsize + (encrypt_internal): use padsize + (encrypt_internal_derived): use padsize + (wrapped_length): use padsize + (wrapped_length_dervied): use padsize + + * lib/krb5/crypto.c: add extra `opaque' argument to string_to_key + function for each enctype in preparation enctypes that uses + `Encryption and Checksum Specifications for Kerberos 5' draft + + * lib/asn1/k5.asn1: add checksum and enctype for AES from + draft-raeburn-krb-rijndael-krb-02.txt + + * lib/krb5/krb5.h (krb5_keytype): add KEYTYPE_AES128, + KEYTYPE_AES256 + +2003-01-14 Love Hörnquist Åstrand + + * lib/hdb/common.c (_hdb_fetch): handle error code from + hdb_value2entry + + * kdc/Makefile.am: always include kerberos4.c and 524.c in + kdc_SOURCES to support 524 + + * kdc/524.c: always compile in support for 524 + + * kdc/kdc_locl.h: move out krb/524 protos from under #ifdef KRB4 + + * kdc/config.c: always compile in support for 524 + + * kdc/connect.c: always compile in support for 524 + + * kdc/kerberos4.c: export encode_v4_ticket() and get_des_key() + even when we build without kerberos 4, 524 needs them + + * lib/krb5/convert_creds.c, lib/krb5/krb5-v4compat.h: Split out + Kerberos 4 help functions/structures so other parts of the source + tree can use it (like the KDC) + diff --git a/third_party/heimdal/ChangeLog.2004 b/third_party/heimdal/ChangeLog.2004 new file mode 100644 index 0000000..47cd799 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2004 
@@ -0,0 +1,1485 @@ +2004-12-30 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am (CHECK_SYMBOLS): add heim_ and pkcs7_ for + now (used in pkinit) + +2004-12-29 Love Hörnquist Åstrand + + * lib/hdb/Makefile.am: add CHECK_SYMBOLS + + * lib/hdb/keys.c: make all_etypes static + + * lib/krb5/Makefile.am: add CHECK_SYMBOLS, approve of: -com_err + -version krb5_ _krb5_ __heimdal krb524_ krb4_fkt_ops + + * kdc/kerberos5.c: use private version of principalname + + * kdc/kerberos4.c: use private version of principalname + + * kdc/hpropd.c: use private version of principalname + + * kdc/524.c: use private version of principalname + + * lib/krb5/rd_req.c: use private version of principalname + + * lib/krb5/rd_cred.c: use private version of principalname + + * lib/krb5/init_creds_pw.c: use private version of principalname + + * lib/krb5/get_in_tkt.c: use private version of principalname + + * lib/krb5/asn1_glue.c: make principalname functions private + + * lib/krb5/krb5.h: add key usage for server referrals + +2004-12-29 Love Hörnquist Åstrand + + * lib/krb5/principal.c: make default_v4_name_convert static + + * lib/krb5/crypto.c: make lots of crypto related variables static + + * lib/krb5/acache.c: make default_acc_name static + +2004-12-28 Love Hörnquist Åstrand + + * doc/setup.texi: add some text about samba, use example.com + + * lib/hdb/hdb-ldap.c: Add account expiration for samba from James + F. Hranicky . + Add LDAP_addmod_integer and use it. 
+ +2004-12-27 Love Hörnquist Åstrand + + * doc/{Makefile.am,setup.texi,win2k.texi}: spelling and text + fixes, from Dave Love + +2004-12-18 Love Hörnquist Åstrand + + * lib/krb5/heim_threads.h: NetBSD 2.99.11 (any maybe 2.1) just + needs pthread.h, threadlib is dead + +2004-12-17 Love Hörnquist Åstrand + + * kdc/config.c (configure): check for deprecated + enforce-transited-policy is set and fail if it is + + * lib/asn1/asn1_print.c: don't print garabage for octet strings + +2004-12-13 Love Hörnquist Åstrand + + * kdc/main.c (main): catch sigpipe, we don't bother select()ing + for errors + + * kdc/connect.c (handle_http_tcp): handle error from write(2) + + * doc/setup.texi: clarify credentials refreshing stuff + + * doc/setup.texi: add new node: Providing Kerberos credentials to + servers and programs + + * doc/whatis.texi: fix spurious cross-reference makeinfo warning + + * lib/hdb/hdb-ldap.c (pos): uppercase in character + +2004-12-12 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c (LDAP__bytes2hex,LDAP__hex2bytes): encode + nibbels in the other order + + * lib/hdb/hdb-ldap.c: s/objectclass/objectClass/ check if + attribute exists before we try to delete it LDAP__bytes2hex + encodes in strange byte order, is this really right ? + +2004-12-11 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c (LDAP_firstkey): When iterating over all + entries, search for samba accounts too, 
From: "James F. Hranicky" + + + * lib/hdb/hdb-ldap.c (krb5kdcentry_attrs): ask for attribute uid + too + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): if the entry is missing + both krb5PrincipalName and uid, it must be broken, ignore it and + return it doesn't exists. + +2004-12-10 Love Hörnquist Åstrand + + * kdc/hpropd.8: spelling, from OpenBSD + + * kdc/kdc.8: use keeps for options, From OpenBSD k + +2004-12-09 Love Hörnquist Åstrand + + * doc/setup.texi: document --random-key and the need to do backup + of the master key + + * kdc/kstash.8: add --random-key + + * kdc/kstash.c: add --random-key + +2004-12-08 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.8: spelling, from openbsd + + * lib/krb5/krb5_init_context.3: spelling, from openbsd + + * lib/krb5/krb5.conf.5: spelling, from openbsd + + * kuser/kdestroy.1: use keeps around options, spelling, from + openbsd + + * kpasswd/kpasswdd.8: use ., use keeps around options, from OpenBSD + + * kdc/hpropd.8: use keeps around options, from OpenBSD + + * kdc/hprop.8: use keeps around options, from OpenBSD + +2004-11-30 Love Hörnquist Åstrand + + * lib/krb5/context.c (krb5_free_context): clear error string + before destroying mutex + (krb5_init_context): don't call krb5_free_context before there is a + mutex initialized + +2004-11-18 Love Hörnquist Åstrand + + * kuser/kinit.c (get_new_tickets): only complain about ticket + renewable lifetime when the user asked for a specific renewable + lifetime + +2004-11-15 Love Hörnquist Åstrand + + * kdc/kerberos5.c (find_keys): log what principal is missing + enctypes + +2004-11-13 Love Hörnquist Åstrand + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear pointer after + freeing data + + * lib/krb5/init_creds_pw.c (change_password): handle old_options + being NULL From Guenther Deschner on samba-technical. 
+ +2004-11-12 Love Hörnquist Åstrand + + * lib/krb5/krb5_get_init_creds.3: add more text describing the + krb5_get_init_creds functions + +2004-11-11 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c: make krb5_get_init_creds_keytab work + again + +2004-11-10 Love Hörnquist Åstrand + + * lib/hdb/hdb.asn1: use constrained integers + +2004-11-09 Love Hörnquist Åstrand + + * lib/krb5/krb5_get_init_creds.3: add description for opt_init, + opt_alloc, opt_free + + * lib/krb5/pkinit.c: unexport krb5_get_init_creds_opt_free_pkinit + + * lib/krb5/init_creds.c: unexport + krb5_get_init_creds_opt_free_pkinit + + * lib/krb5/init_creds_pw.c: fold init_init_creds_ctx into + get_init_creds_common + + * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if the in + options NULL, just make a clean copy + +2004-11-01 Love Hörnquist Åstrand + + * lib/krb5/sendauth.c (krb5_rd_rep): free ap_rep message earlier + so we don't leak it on error + +2004-10-31 Love Hörnquist Åstrand + + * lib/krb5/krb5.conf.5: unbreak 2b entry + + * lib/krb5/acache.c (make_cred_from_ccred): the address isn't a + sockaddr but rather a kerberos address, deal with that. Based on + bug report from Jakob Schlyter . + +2004-10-30 Love Hörnquist Åstrand + + * kdc/connect.c: Make sure argument passed to ctype isn't signed + char + +2004-10-14 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: match new error names + + * lib/krb5/krb5_err.et: make error messages sane again + +2004-10-13 Love Hörnquist Åstrand + + * lib/krb5/keytab.c: use KRB5_KT_BADNAME + + * lib/krb5/krb5_err.et: sync with mit krb5_err.et (require major + version bump) add KRB5_DELTAT_BADFORMAT + + * lib/krb5/krb5.conf.5: time defaults to "s" + + * lib/krb5/time.c (krb5_string_to_deltat): default to "s" again, + MIT's behavior was actually that it failed to parse the number + (and thus used the default). 
Even better, ticket_lifetime (that + was a consumer supposed a of the interface) was documented but + never implemented, when it was implemented, people configuraiton + files started to fail. Also, use KRB5_DELTAT_BADFORMAT as a + failure code. + + * lib/asn1/k5.asn1: sync enctypes with pkinit branch + + * lib/asn1/parse.y (readd) support negative numbers + + * lib/asn1/lex.l: support hex numbers + +2004-10-12 Love Hörnquist Åstrand + + * kdc/pkinit.c: use ETYPE_DES3_CBC_NONE_CMS + + * lib/krb5/crypto.c: add enctype_des3_cbc_none_cms add cms padding + for rc2 don't to padding for blocksize 1 + + * lib/hdb/{keys.c,Makefile.am},lib/kadm5/{keys,set_keys}.c: + Move keyset parsing and password based keyset generation into hdb. + Requested by Andrew Bartlett for hdb-ldb + backend. + +2004-10-07 Love Hörnquist Åstrand + + * kuser/kinit.c: adapt to new signature of + krb5_get_init_creds_opt_set_pkinit + + * lib/krb5/pkinit.c: free openssl engine deal with + RecipientIdentifier -> CMSIdentifier and heim_any -> name change + improve error messages + + * kdc/pkinit.c: free openssl engine deal with RecipientIdentifier + -> CMSIdentifier and heim_any -> name change + +2004-10-04 Johan Danielsson + + * kuser/klist.c: use rtbl_set_separator + +2004-10-03 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: filter out dup openssl engine keys, parse + user options first + + * lib/krb5/pkinit.c: stop using AlgorithmIdentifierNonOpt, add + openssl engine support for private key + + * lib/krb5/crypto.c: support padding as its done in CMS + + * kdc/pkinit.c: improve error logging + + * kdc/pkinit.c: stop using AlgorithmIdentifierNonOpt + +2004-09-30 Love Hörnquist Åstrand + + * lib/krb5/krb5.conf.5: assume minutes for time + + * lib/krb5/config_file.c (krb5_config_vget_time_default): use + krb5_string_to_deltat + + * lib/krb5/appdefault.c (krb5_appdefault_time): use + krb5_string_to_deltat + + * lib/krb5/time.c (krb5_string_to_deltat): set default unit to + minute for compatibility with MIT 
Kerberos. + + +2004-09-28 Love Hörnquist Åstrand + + * lib/krb5/get_cred.c (get_cred_kdc_usage): retry using "large + message safe" transport if we get back + KRB5KRB_ERR_RESPONSE_TOO_BIG error. Idea from Guenther Deschner + + +2004-09-23 Johan Danielsson + + * admin/list.c: use rtbl + + * admin/ktutil-commands.in: slc source file + + * lib/krb5/constants.c: check + /Library/Preferences/edu.mit.Kerberos on OSX + +2004-09-21 Johan Danielsson + + * lib/krb5/time.c (krb5_format_time): check return value from + localtime and strftime + +2004-09-14 Johan Danielsson + + * kuser/kinit.c: make sure we don't always get renewable creds + +2004-09-11 Love Hörnquist Åstrand + + * lib/krb5/acache.c: use krb5_ccapi.h + + * lib/krb5/krb5_ccapi.h: break out krb5 api definitions to + separate (not installed) file + + * lib/krb5/Makefile.am: add AM_CPPFLAGS to libkrb5_la_CPPFLAGS + since AM_CPPFLAGS overridden by target specific _CPPFLAGS + +2004-09-08 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: make variable shorter, make error messages + from pkinit, make freeing easier + +2004-09-06 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: link libkrb5 with LIB_dlopen + + * lib/krb5/crypto.c (seed_something): avoid poking at memory that + is uninitialized, make valgrind unhappy. Pointd out by + abartlet@samba.org. While where, plug the fd leak. 
+ +2004-09-05 Love Hörnquist Åstrand + + * lib/asn1/der_get.c (decode_*): name all tag-length variables the + same + (decode_enumerated): check that the tag-length is not longer the length + + * lib/asn1/der_get.c (decode_boolean): fail if length of tag is + larger then len + +2004-08-31 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds): kdc_reply can be + set in case of failure too, free unconditionally on exit to avoid + memory leak + +2004-08-23 Love Hörnquist Åstrand + + * lib/krb5/get_cred.c (set_auth_data): set pointer to NULL after + free + +2004-08-20 Love Hörnquist Åstrand + + * lib/krb5/context.c (krb5_get_err_text): if neither of com_right + nor strerror finds the error-code, return Unknown error. + +2004-08-19 Johan Danielsson + + * lib/krb5/krb5_kuserok.3: update to reality + + * lib/krb5/kuserok.c: if a .k5login file exist, don't give + implicit rights to anyone; also check owner/mode of .k5login + +2004-08-15 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: man_MANS = krb5_getportbyname.3 + + * lib/krb5/krb5_getportbyname.3: manpage for krb5_getportbyname + + * lib/krb5/krb5.3: add krb5_getportbyname + + * lib/krb5/krb5.3: krb5_free_salt and krb5_enctype_valid + + * lib/krb5/krb5_encrypt.3: document krb5_enctype_valid + +2004-08-13 Love Hörnquist Åstrand + + * kdc/kerberos5.c (get_pa_etype_info{,2}): check for dup enctypes + from the client and filter them out. + + * lib/krb5/krb5_string_to_key.3: document krb5_free_salt + +2004-08-12 Love Hörnquist Åstrand + + * lib/krb5/krb5_ticket.3: data needs to be freed when using + krb5_ticket_get_authorization_data_type + +2004-08-11 Love Hörnquist Åstrand + + * lib/krb5/test_cc.c: test variables in default_cc_name + + * lib/krb5/krb5.conf.5: explain support for varibles in + [libdefaults]default_cc_name + + * lib/krb5/cache.c: drop ${time}, its not very useful + + * lib/krb5/cache.c: Add _krb5_expand_default_cc_name that expand + variables in the default cc name. 
Supported variables now are: + ${time},${uid} and ${null} + + * lib/krb5/krb5.conf.5: document default_cc_name + + * lib/krb5/cache.c (krb5_cc_set_default_name): + s/libdefault/libdefaults/ + +2004-08-06 Love Hörnquist Åstrand + + * lib/krb5/acache.c: replace magic 3 with ccapi_version_3 + + * lib/krb5/Makefile.am: libkrb5_la_SOURCES += acache.c + + * lib/krb5/krb5.h: add krb5_acc_ops + + * lib/krb5/acache.c: CCAPI v3 implementation, the read only + support was from Magnus Ahltorp and then extended by me to support + all other operations. Tested with MIT kerberos cc cache + implementation on MacOS 10.3.3 + + * lib/krb5/cache.c (krb5_cc_set_default_name): allow setting the + default cc name, this is not very useful for general purpose glue + since its not possible to glue in user information (like uid), but + for CCAPI it works just fine + +2004-08-05 Love Hörnquist Åstrand + + * kuser/kgetcred.1: document --cache/-c + + * kuser/kgetcred.c: allow to specify what credential cache to use + +2004-08-03 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: add krb5_eai_to_heim_errno.3 + + * lib/krb5/krb5_eai_to_heim_errno.3: document + krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno + + * lib/krb5/krb5.3: add krb5_eai_to_heim_errno, + krb5_h_errno_to_heim_errno + +2004-07-26 Love Hörnquist Åstrand + + * lib/krb5/krb5_expand_hostname.3: krb5_expand_hostname_realms + result should be free with krb5_free_host_realm drop + krb5_get_host_realm text + + * lib/krb5/krb5_set_default_realm.3: krb5_get_host_realm result + should be free with krb5_free_host_realm + + * lib/krb5/krb5_get_in_cred.3: document krb5_free_kdc_rep + + * lib/krb5/krb5_get_init_creds.3: remove dup krb5_get_init_creds + + * lib/krb5/krb5_auth_context.3: sort, add krb5_free_authenticator + + * lib/krb5/Makefile.am: man_MANS += krb5_rd_error + + * lib/krb5/krb5_rd_error.3: krb5_rd_error and friends + + * lib/krb5/krb5_warn.3: clarify on what string + krb5_free_error_string should operate on + + * 
lib/krb5/krb5_get_credentials.3: add krb5_get_kdc_cred + + * lib/krb5/Makefile.am: krb5_get_credentials, + krb5_get_forwarded_creds and friends + + * lib/krb5/krb5_get_forwarded_creds.3: krb5_get_forwarded_creds + and friends + + * lib/krb5/krb5_get_credentials.3: krb5_get_credentials and + friends + +2004-07-23 Love Hörnquist Åstrand + + * kuser/klist.c (print_cred_verbose): keytypes are no longer, use + enctype + +2004-07-22 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c (LDAP_entry2mods): allow for pre-c99 + compilers, From metze at samba.org + +2004-07-20 Love Hörnquist Åstrand + + * lib/krb5/test_cc.c: more cc tests + + * lib/krb5/krb5_check_transited.3: document krb5_check_transited + +2004-07-19 Love Hörnquist Åstrand + + * kdc/pkinit.c (pk_principal_from_X509): reverse test, makes + principal in cert work 
From: Mayur Patel + +2004-07-18 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: add krb5_verify_init_creds.3 + + * lib/krb5/krb5_verify_init_creds.3: add krb5_verify_init_creds + +2004-07-15 Love Hörnquist Åstrand + + * lib/krb5/krb5_set_password.3: spelling from wiz@netbsd.org + description for krb5_passwd_result_to_string + +2004-07-14 Love Hörnquist Åstrand + + * lib/krb5/krb5_set_password.3: Remove superfluous comma; grammar + fixes; split sentence in two for better understanding. From + wiz@NetBSD.org. Describe krb5_set_password_using_ccache while here. + + * lib/krb5/krb5_set_password.3: nroff and spelling, from Jonathan + Stone + + * lib/krb5/changepw.c (process_reply): cast ssize_t to long and + print that From NetBSD via Havard Eidnes. + +2004-07-09 Love Hörnquist Åstrand + + * configure.in: fix helpstring for hdb-openldap-module + + * lib/krb5/test_cc.c: don't use krb5_err on error code 0 + +2004-07-08 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c (LDAP_seq): try handling errors better + +2004-07-02 Love Hörnquist Åstrand + + * lib/krb5/get_in_tkt.c (set_ptypes): make ptypes const + +2004-07-01 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c (LDAP__connect): call ldap_initialize with + right argument + +2004-06-27 Johan Danielsson + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): if the + krbtgt is without addresses, default to not sending our own + addrport + + * lib/asn1/lex.l: add support for /* */ and partial line -- + comments + + * kuser/Makefile.am: don't install copy_cred_cache manpage + +2004-06-24 Johan Danielsson + + * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): if + copying a static opt, make sure to allocate the "private" field + +2004-06-24 Love + + * kdc/config.c: add enable_pkinit_princ_in_cert + + * kdc/kdc_locl.h: enable_pkinit_princ_in_cert + + * kdc/pkinit.c: Check certificate for Kerberos Principal in + OtherName of subjectAltName Based on patch from Mayur Patel + + +2004-06-21 Love Hörnquist Åstrand + + * 
lib/krb5/get_cred.c (init_tgs_req): if subkey not avaible, use + session key for authorization-data + +2004-06-15 Love Hörnquist Åstrand + + * kdc/connect.c (handle_tcp): note who is what that closed the + connection on us + +2004-06-09 Love Hörnquist Åstrand + + * admin/get.c (kt_get): catch errors from krb5_parse_name + +2004-06-05 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: if its the entry just contains the + structural object (no samba nor heimdal object), add an aux + heimdal object on to it. + +2004-06-02 Love Hörnquist Åstrand + + * kpasswd/kpasswd.c: use krb5_set_password_using_ccache + + * lib/krb5/krb5_set_password.3: add krb5_set_password_using_ccache + + * lib/krb5/changepw.c: implement krb5_set_password_using_ccache + + * lib/hdb/hdb-ldap.c: Allow the objectClass to be + "sambaSamAccount" or structural_object when searching for uid + entries. + + * lib/krb5/krb5.conf.5: document [kdc]hdb-ldap-create-base + + * lib/hdb/hdb-ldap.c: add creation base that defaults to the + search base + + * lib/hdb/hdb-ldap.c: indent like the rest of the code + +2004-06-01 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: check return values from ldap operations and + close it we get back LDAP_SERVER_DOWN. stupid ldap client lib, you + should retry by yourself. + + * lib/hdb/hdb-ldap.c: require search base to be configured, create + local context structure + +2004-05-31 Love Hörnquist Åstrand + + * doc/setup.texi: more ldap text, partly from Tarjei Huse + + +2004-05-28 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: clean, indent + + * lib/hdb/hdb-ldap.c (LDAP_entry2mods): make sure + krb5KeyVersionNumber is added on new entires + +2004-05-27 Love Hörnquist Åstrand + + * doc/setup.texi: minor fixes, partly from Tarjei Huse + + + * lib/krb5/krb5.conf.5: some text about dbname and realm + + * lib/krb5/krb5.conf.5: default value for + hdb-ldap-structural-object is account + +2004-05-26 Love Hörnquist Åstrand + + * tools/Makefile.am: use ! 
instead of , as sed delimiter + +2004-05-25 Love Hörnquist Åstrand + + * lib/krb5/*.c: add KRB5_LIB_FUNCTION to all exported functions + +2004-05-23 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: make samba_forwardable a krb5_boolean + + * lib/hdb/hdb-ldap.c: make samba forwarding a runtime configure + option + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): fix [] test From: + Andrew Bartlett + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): remove bogus length + check From: Andrew Bartlett + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): in the sambaNTPassword + case, make sure ent->etypes are allocated, From: Andrew Bartlett + + +2004-05-14 Love Hörnquist Åstrand + + * kuser/kinit.c: move "setpag if (argc < 1)" to common path + +2004-05-12 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c: pacify pre c99 compilers + + * fix-export: use right argument for -E + +2004-05-06 Johan Danielsson + + * kuser/kinit.c: print some diagnostics if the exec fails + +2004-04-29 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): use krb5_random_to_key + From: Luke Howard + + * lib/krb5/rd_req.c (krb5_verify_ap_req2): clear the whole ticket, + not just a pointer size of it 
From: Luke Howard + +2004-04-28 Love Hörnquist Åstrand + + * fix-export: add -E flag where needed to make-proto + +2004-04-26 Love Hörnquist Åstrand + + * lib/krb5/crypto.c: add set_param for RC2 + + * lib/krb5/pkinit.c: use krb5_oid_to_enctype and remove all oids + that are no longer needed + + * kdc/pkinit.c: use krb5_enctype_to_oid + + * lib/krb5/crypto.c (krb5_oid_to_enctype): make sure oid exists + before we compare with it + + * lib/krb5/crypto.c (krb5_crypto_get_params): check ivec length + before returning it add aes-oids + + * lib/krb5/crypto.c: add krb5_enctype_to_oid and + krb5_oid_to_enctype + + * kdc/pkinit.c: use krb5_crypto_set_params + + * lib/krb5/crypto.c: add krb5_crypto_set_params, add aes-NNN-cbc-none + + * lib/krb5/krb5.h: add KEYTYPE_AES192 + + * lib/krb5/pkinit.c: use krb5_crypto_get_params to implement + kcrypto RC2 support + + * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype + rc2-cbc XXX RC2CBCParameter is wrong because the compiler is + broken + + * lib/krb5/krb5.h: add KEYTYPE_RC2 + + * lib/krb5/crypto.c: add partial CMS parameter handling, this is + needed for RC2 + + * lib/asn1/der_cmp.c: add heim_oid_cmp and heim_octet_string_cmp + + * lib/asn1/Makefile.am (libasn1_la_SOURCES) += der_cmp.c + + * lib/asn1/der.h: add heim_oid_cmp and heim_octet_string_cmp + + * lib/asn1/k5.asn1: add ETYPE_AESNNN_CBC_NONE + + * lib/asn1/k5.asn1: add CMS symmetrical parameters here, enctype + rc2-cbc, XXX RC2CBCParameter is wrong because the compiler is broken + +2004-04-26 Johan Danielsson + + * lib/krb5/config_file.c: allow parsing directly from strings with + krb5_config_parse_string_multi + + * lib/krb5/verify_krb5_conf.c: try to resolve hostnames + +2004-04-25 Johan Danielsson + + * lib/krb5/store_fd.c (krb5_storage_from_fd): dup the file + descriptor so we don't have to keep track of it in two places + + * kuser/copy_cred_cache.c: krb5_cc_copy_cache_match now lives in + libkrb5 + + * lib/krb5/krb5_{,compare_}creds.3: move 
krb5_compare_creds to its + own manpage + + * replace krb5_free_creds_contents by krb5_free_cred_contents + + * lib/krb5/cache.c: add krb5_cc_next_cred_match() and + krb5_cc_copy_cred_match() + + * lib/krb5/creds.c (krb5_compare_creds): add more matching options + + * lib/krb5/krb5.h: add more creds match flags + + * kuser/copy_cred_cache: add --valid-for option + + * lib/krb5/store.c (krb5_store_creds): set is_skey flag if length + of second ticket is > 0 + +2004-04-25 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: use the right oid for pkauthdata + + * lib/krb5/pkinit.c: always send both win2k compat version and the + ietf draft one, this is possible since microsoft use + wrong/diffrent PA number. Make the configuration flag boolean + configuring if NOT to send the win2k compat glue. + + * lib/krb5/krb5_encrypt.3: document krb5_{de,en}crypt_ivec + + * kuser/copy_cred_cache.1: pacify mdoclint + + * kdc/pkinit.c: use IV for envelopeddata encryption, patch + originally from Luke Howard , tweeked by me. + + * lib/krb5/krb5_storage.3: document + KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER + + * lib/krb5/krb5_data.3: document that krb5_data_free cleans the + structure too + + * lib/krb5/pkinit.c: use IV for envelopeddata encryption, patch + originally from Luke Howard , tweeked by me. + +2004-04-24 Johan Danielsson + + * kuser/copy_cred_cache.{c,1}: add cred cache copy tool + + * configure.in: use rk_SYS_LARGEFILE + + * lib/krb5/{krb5.h,store.c,fcache.c}: Fix the cache flags bitorder + issue with a storage flag instead of a separate function. 
+ +2004-04-24 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: move out the oid check from get_reply_key + + * lib/krb5/pkinit.c: uniquify error messages + + * lib/krb5/init_creds_pw.c: make the pkinit nonce same os the + plain nonce for now + + * lib/krb5/pkinit.c: more w2k compat from Luke Howard + add RC2 support, clean up error messages + + * lib/krb5/pkinit.c: remove more dependency on + krb5_config->pkinit_flags + + * lib/krb5/pkinit.c (_krb5_pk_convert_rep): convert microsoft + style answer to IETF, From Luke Howard + (_krb5_pk_create_sign): ms handles NULL in param, so always send it + (_krb5_pk_mk_padata): look for [realms]REALM = { win2k_pkinit = bool } + + * lib/krb5/pkinit.c (_krb5_pk_create_sign): always set the + digestAlgorithm to sha1 (both for SignerInfo and SignedData, add + new function _set_digest_alg to set it + +2004-04-23 Love Hörnquist Åstrand + + * include/make_crypto.c: include rc2.h, and when I'm here, make + aes mandatory + + * lib/krb5/krb5.h: add ENCTYPE_ARCFOUR_HMAC as compat glue for MIT + kerberos + + * lib/krb5/crypto.c (krb5_crypto_init): clear return pointer on + failure + + * lib/krb5/crypto.c (DES3_random_to_key): make it produce the + right result + (DES3_postproc): use DES3_random_to_key + (krb5_random_to_key): check the required number of bits (not the size + of the key) + + * lib/krb5/aes-test.c: test random to key function + + * lib/krb5/string-to-key-test.c: comment out the "@"/"" test for + now + +2004-04-22 Love Hörnquist Åstrand + + * lib/krb5/krb5_string_to_key.3: document that + krb5_string_to_key_derived is broken for non 3des enctypes and + thus deprecated + + * kdc/pkinit.c (generate_dh_keyblock): use the new function + krb5_random_to_key + + * lib/krb5/crypto.c: add des and DES3 random_to_key hooks, they + need special processing + + * lib/krb5/crypto.c (krb5_random_to_key): new function + + * lib/krb5/krb5_keyblock.3: document krb5_random_to_key + +2004-04-21 Love Hörnquist Åstrand + + * kdc/pkinit.c: use the 
first proposed enable enctype + + * lib/krb5/context.c (krb5_set_default_in_tkt_etypes): use the + return from krb5_enctype_valid + + * kdc/pkinit.c: at least try to handle diffrent enveloped enctypes + +2004-04-21 Love Hörnquist Åstrand + + * lib/asn1/der_get.c: 1.28.2.16: (der_get_oid): handle all oid + components being smaller then 127 and allocate one extra element + since first byte is split to to elements. + +2004-04-20 Love Hörnquist Åstrand + + * lib/asn1/k5.asn1: ETYPE_DIGEST_MD5_NONE, ETYPE_CRAM_MD5_NONE: + private use, lukeh@padl.com + +2004-04-19 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (build_auth_pack): use heim_integer to encode + DH public key + +2004-04-18 Love Hörnquist Åstrand + + * lib/krb5/krb5_init_context.3: add krb5_context to so its added + as manpage-link too + +2004-04-17 Love Hörnquist Åstrand + + * lib/krb5/fcache.c (fcc_remove_cred): simplistic implementation, + XXX add locking + + * kuser/kdestroy.c: add --credential argument that just remove one + credential entry out of the cache specified + + * kdc/pkinit.c: replace the krb5.conf configuration option that + describes the mapping between principals and subject names with a + file, default /var/heimdal/pki-mapping. XXX this should be pushed + into HDB. 
XXX should add issuer too + + * kdc/config.c: merge certificate/private_key to a user_id + +2004-04-16 Love Hörnquist Åstrand + + * kdc/kdc_locl.h: update prototype for pk_initialize + + * kuser/kinit.c: merge certificate/private_key to a user_id + + * kdc/pkinit.c: adapt to heim_integer changes + + * lib/krb5/pkinit.c: merge certificate/private_key to a user_id + + * kdc/pkinit.c: adapt to heim_integer changes, + merge certificate/private_key to a user_id + +2004-04-15 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_WIN free X509_STORE + +2004-04-13 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: define BUILD_KRB5_LIB when building + libkrb5.la, add KRB5_LIB_FUNCTION proto + + * lib/krb5/add_et_list.c: add KRB5_LIB_FUNCTION + + * configure.in: export KRB5_LIB_FUNCTION when building with + BUILD_KRB5_LIB + + * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): add + error strings + + * lib/krb5/prompter_posix.c (krb5_prompter_posix): if some thing + is printed on stderr, fflush it + + * lib/krb5/krb5_keyblock.3: free functions also zeros out the key + + * lib/krb5/krb5_get_init_creds.3: some text about + krb5_prompter_posix + + * lib/krb5/krb5.conf.5: document hdb-ldap-structural-object + + * lib/krb5/cache.c: add krb5_cc_get_prefix_ops + + * lib/krb5/krb5_ccache.3: add krb5_cc_get_prefix_ops + +2004-04-05 Love Hörnquist Åstrand + + * appl/test/http_client.c: support GSS_C_DELEG_FLAG and + GSS_C_MUTUAL_FLAG + + * appl/test/http_client.c: verbose logging + +2004-04-02 Love Hörnquist Åstrand + + * kdc/connect.c: case size_t to unsigned long for LP64 platforms + +2004-04-01 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c (hdb_ldap_create): allow configuration of + default structural object + + * tools/Makefile.am: handle sed expression breaking + +2004-03-31 Love Hörnquist Åstrand + + * lib/krb5/krbhst.c: also lookup _kpasswd._tcp SRV-rr + + * lib/krb5/changepw.c: add tcp support to the set protocol, should + be cleaned up to 
enable sharing code with krb5_sendto + + * kpasswd/kpasswd.c (change_password): remove extra free + + * lib/krb5/krb5_acl_match_file.3: try to pacify mdoc macros on + osf/1 + +2004-03-30 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c (pa_data_add_pac_request): don't + increase md->len, krb5_padata_add already does that + + * lib/krb5/init_creds.c: its PAC not PAQ + + * kuser/kinit.c: its PAC not PAQ + + * kdc/kerberos4.c: stop the client from renewing tickets into the + future 
From: Jeffrey Hutzelman + +2004-03-29 Love Hörnquist Åstrand + + * configure.in: try to handle sys/strtty.h needing sys/stream.h + +2004-03-23 Love Hörnquist Åstrand + + * lib/krb5/send_to_kdc.c: remove function krb5_sendto_kdc2, its no + longer used + + * kdc/kerberos5.c: s/krb5_get_host_realm_int/_&/ + + * lib/krb5/get_host_realm.c: unexport krb5_get_host_realm_int to + external users by prefixing it with _ + + * lib/krb5/get_cred.c: s/krb5_mk_req_internal/_&/ + + * lib/krb5/mk_req_ext.c: unexport krb5_mk_req_internal to external + users by prefixing it with _ + +2004-03-22 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: add missing } + +2004-03-21 Love Hörnquist Åstrand + + * kdc/pkinit.c: adapt to change of signature of + _krb5_pk_load_openssl_id + + * lib/krb5/pkinit.c: (krb5_get_init_creds_opt_set_pkinit): add + prompter argument and use it + + * kuser/kinit.c: adapt to signature change of + krb5_get_init_creds_opt_set_pkinit + + * lib/krb5/krb5.3: add more stuff, 105 functions to go + + * lib/krb5/krb5_rcache.3: add krb5_get_server_rcache + + * lib/krb5/krb5_rcache.3: framework for replay cache manpage + + * lib/krb5/krb5_string_to_key.3: document string to key functions + + * lib/krb5/Makefile.am: man_MANS += krb5_expand_hostname.3 + krb5_find_padata.3 krb5_generate_random_block.3 + + * lib/krb5/krb5_encrypt.3: document krb5_get_wrapped_length + + * lib/krb5/krb5.3: add some more, 137 to go + + * lib/krb5/krb5_principal.3: document krb5_get_default_principal + + * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey + + * lib/krb5/krb5_generate_random_block.3: document + krb5_generate_random_block + + * lib/krb5/krb5_find_padata.3: document padata functions + + * lib/krb5/krb5.3: add some more, 142 to go + + * lib/krb5/krb5_creds.3: drop .Pp before .Sh + + * lib/krb5/krb5_set_default_realm.3: document krb5_copy_host_realm + + * lib/krb5/krb5_expand_hostname.3: document krb5_expand_hostname + and krb5_expand_hostname_realms + + * lib/krb5/krb5.3: add more 
functions, 147 to go + + * lib/krb5/krb5_creds.3: document krb5_creds + + * lib/krb5/krb5_get_init_creds.3: add more functions, some more + text + + * lib/krb5/krb5_ticket.3: document + krb5_ticket_get_authorization_data_type + +2004-03-20 Love Hörnquist Åstrand + + * lib/krb5/aes-test.c: remove #if 0'ed code + + * lib/krb5/krb5.3: add keyblock functions, 177 functions to go + + * lib/krb5/krb5_verify_user.3: add krb5_verify_opt_set_ccache + + * lib/krb5/krb5_encrypt.3: document krb5_decrypt_ticket + + * lib/krb5/krb5_config.3: document krb5_config_free_strings and + krb5_config_file_free + + * lib/krb5/krb5_create_checksum.3: add krb5_hmac + + * lib/krb5/krb5.3: add keyblock functions, 190 functions to go + + * lib/krb5/krb5_keyblock.3: update .Dd + + * lib/krb5/krb5_keyblock.3: document krb5_copy_keyblock and + krb5_generate_random_keyblock + + * lib/krb5/krb5_init_context.3: add krb5_init_ets + + * lib/krb5/krb5_config.3: add more krb5_config_ functions and + prototypes + + * lib/krb5/krb5_init_context.3: document context modifcation + functions: address list, config file, use admin kdc, fcc version + + * lib/krb5/krb5_storage.3: document krb5_storage and related + functions + + * lib/krb5/Makefile.am: add acl and krb524_convert_creds_kdc + manpages and test_acl test program + + * lib/krb5/krb5.3: add error string functions and sort + + * lib/krb5/krb5_warn.3: document krb5_abort and error string + functions + + * lib/krb5/krb5.3: add missing functions, only 285 left to + document + + * lib/krb5/krb5_crypto_init.3: remove various enctype related + function + + * lib/krb5/krb5_encrypt.3: add various enctype related function + here + + * lib/krb5/krb5_create_checksum.3: add krb5_cksumtype_valid + krb5_cksumtype_valid + + * lib/krb5/crypto.c: real return values for + krb5_{enctype,cksumtype}_valid + + * lib/krb5/krb5_create_checksum.3: add some functions and + descriptions + + * lib/krb5/krb5_c_make_checksum.3: move out non krb5_c functions + + * 
lib/krb5/krb5_auth_context.3: document + krb5_auth_con_generatelocalsubkey + + * lib/krb5/krb5_krbhst_init.3: document krb5_krbhst_init_flags + + * lib/krb5/krb5_keytab.3: document krb5_kt_default_modify_name + + * lib/krb5/krb5_init_context.3: document krb5_add_et_list + + * lib/krb5/krb524_convert_creds_kdc.3: document + krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache + + * lib/krb5/krb5_acl_match_file.3: document krb5_acl_match_* + + * lib/krb5/test_acl.c: test for generic acl code + + * lib/krb5/acl.c: plug memory leak on file matching, + make it not fall over when no non matching acl, + make fnmatch matching useful by switching arguments + +2004-03-19 Love Hörnquist Åstrand + + * kdc/config.c: add --builtin-hdb command + + * lib/hdb/hdb.c (hdb_list_builtin): return a list of builtin + backends + + * doc/setup.texi: include Luke Howard of PADL.COM ldap hdb + documentation + + * doc/win2k.texi: fix bugs in examples, add more restrictions, use + example.com as an example. 
From: Pavel Ferdan + + +2004-03-18 Johan Danielsson + + * lib/krb5/krb5.conf.5: add a bunch of Li and document [kadmin] + password_lifetime; from Henry B. Hotz + +2004-03-14 Love Hörnquist Åstrand + + * lib/krb5/mk_rep.c (krb5_mk_rep): if KRB5_AUTH_CONTEXT_USE_SUBKEY + is set send subkey + (generate if needed) + + * lib/krb5/krb5.h: add KRB5_AUTH_CONTEXT_USE_SUBKEY + +2004-03-14 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: clean up error handling, plug memory leaks, + and free memory in error path, assume realloc(NULL, ...) works, + factor out common code, indent + +2004-03-12 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c: understand [password_quality] + spelling + + * kuser/kgetcred.1: document --canonicalize + + * kuser/kgetcred.c: add --canonicalize + +2004-03-10 Love Hörnquist Åstrand + + * lib/krb5/fcache.c (fcc_store_cred): NULL terminate + krb5_config_get_bool_default' arglist + +2004-03-09 Love Hörnquist Åstrand + + * kdc/kerberos5.c: add missing req argument to pk_mk_pa_reply + + * kdc/pkinit.c (pk_mk_pa_reply): add hdb_entry + + * kdc/pkinit.c: pass client hdb_entry to pk_check_client + + * kdc/kdc_locl.h: pass client hdb_entry to pk_check_client + + * kuser/kinit.c: rename ca_dir to pkinit/x509_anchors since its + more like that language in RFC3280 + + * lib/krb5/pkinit.c: rename ca_dir to pkinit/x509_anchors since + its more like that language in RFC3280 + + * lib/krb5/krb5.conf.5: document + [libdefaults]fcc-mit-ticketflags=boolean + + * lib/krb5/fcache.c (fcc_store_cred): use + [libdefaults]fcc-mit-ticketflags=boolean to decide what format to + write the fcc in. 
Default to mit version (aka heimdal 0.7) + + * lib/krb5/store.c: add _krb5_store_creds_heimdal_0_7 and + _krb5_store_creds_heimdal_pre_0_7 that store the creds in just + that format make krb5_store_creds default to mit format + + * lib/krb5/store.c (krb5_ret_creds): Runtime detect the what is + the higher bits of the bitfield + +2004-03-08 Love Hörnquist Åstrand + + * lib/krb5/store.c (krb5_store_creds): add disabled code that + store the ticket flags in reverse order + (bitswap32): new function + + * lib/krb5/store.c (krb5_ret_creds): if the higher ticket flags + are set, its a mit cache, reverse the bits, bug pointed out by + Sergio Gelato + +2004-03-07 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: use macro for HDB * -> LDAP * + + * kuser/kinit.c: when running kinit with a subprocess, fetch new + tickets after half the tickets lifetime + + * lib/hdb/hdb.c: spelling + + * lib/hdb/hdb-ldap.c: Intergrate Heimdal's hdb-ldap and the Samba + password database. 
From: Andrew Bartlett + + * kdc/config.c: add --disable-DES + + * kdc/kdc.8: document --detach and --disable-DES + + * kdc/kerberos5.c: check if enctype is disabled before using it + + * lib/krb5/crypto.c: add support for disabling checksum/encryption + types + + * tools/kdc-log-analyze.pl: add more cases + + * kdc/connect.c: on strange tcp error; log local port number and + socket type + + * lib/asn1/der.h: fix prototype of encode_utf8string + + * lib/asn1/gen.c: catch CHOICE and generate dummy placeholder + + * lib/asn1/lex.l: added dummy parsing of CHOICE + + * lib/asn1/parse.y: added dummy parsing of CHOICE + + * lib/asn1/k5.asn1: drop SMTP_NAME + +2004-03-06 Love Hörnquist Åstrand + + * lib/hdb/Makefile.am: support building ldap backend as module + sort asn1 hdb files + + * lib/hdb/hdb.c: when building ldap as a shared module, don't + include it in the list + + * configure.in: add --enable-hdb-openldap-module + + * lib/hdb/hdb-ldap.c: make ldap possible to build as a shared + module + + * lib/hdb/mkey.c: add hdb_{,un}seal_key{,_mkey} from Andrew + Bartlett + + * lib/krb5/crypto.c (decrypt_internal_special): do not not modify + the original data test case from Ronnie Sahlberg + + +2004-03-03 Love Hörnquist Åstrand + + * lib/krb5/test_cc.c: more cc tests, mostly related to mcc + behavior + + * lib/krb5/mcache.c (mcc_get_principal): also check for + primary_principal == NULL now that that isn't used as dead flag + + * lib/krb5/mcache.c: don't overload the primary_principal == NULL + as dead since that doesn't always work. 
Based on patch from + Jeffrey Hutzelman , tweeked by me + +2004-02-22 Love Hörnquist Åstrand + + * kdc/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp + + * lib/krb5/pkinit.c: adapt to rename of oid_cmp to heim_oid_cmp + + * lib/hdb/db3.c: fix all db >= 4.1 cases + + * doc/setup.texi: add text about hostname to realm mapping using + DNS + +2004-02-20 Love Hörnquist Åstrand + + * kdc/pkinit.c: update error codes + + * lib/krb5/krb5_err.et: prefix pkinit error codes with KRB5_ + + * lib/krb5/pkinit.c: update error codes + +2004-02-19 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: indent, use krb5_abortx() instead of abort() + + * lib/krb5/init_creds_pw.c (process_pa_data_to_key): spelling + + * lib/krb5/store.c: handle memory allocate errors + + * lib/krb5/fcache.c (_krb5_xlock): handle that everything was ok, + and don't put an error in the error strings then + +2004-02-13 Love Hörnquist Åstrand + + * kdc/pkinit.c: s/heim_big_integer/heim_integer/ + + * lib/krb5/pkinit.c: s/heim_big_integer/heim_integer/ + + * kdc/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT errors + + * lib/krb5/pkinit.c: adapt to asn1 bignum code, use HEIM_PKINIT + errors + + * lib/krb5/heim_err.et: add HEIM_PKINIT specific errors + +2004-02-12 Love Hörnquist Åstrand + + * configure.in: rename AC_WFLAGS to rk_WFLAGS + + * acinclude.m4: use m4_define, over-quote string + +2004-02-11 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c (change_password): handle that + printf("%.*s", 0, (void*)NULL); doesn't work on solaris + +2004-02-10 Love Hörnquist Åstrand + + * kpasswd/kpasswd.c (change_password): handle that printf("%.*s", + 0, (void*)NULL); doesn't work on solaris + + * lib/krb5/krb5.conf.5: don't use path's in first .Nm, it confuses + some locate.updatedb, use FILES section to describe where the file + is instead. 
+ +2004-02-07 Love Hörnquist Åstrand + + * lib/asn1/check-der.c: test for "der_length.c: Fix len_unsigned + for certain negative integers, it got the length wrong" , from + Panasas, Inc. + + * lib/asn1/der_length.c: Fix len_unsigned for certain negative + integers, it got the length wrong, fix from Panasas, Inc. + + rename len_int and len_unsigned to _heim_\& + + * lib/asn1/der_locl.h: add _heim_len_unsigned, _heim_len_int + +2004-02-06 Dave Love + + * configure.in: Check for sys/socket.h, net/if.h. Modify term.h, + security/pam_appl.h tests. + +2004-02-03 Love Hörnquist Åstrand + + * lib/asn1/check-gen.c: test for: (length_type): TSequenceOf: add + up the size of all the elements, don't use just the size of the + last element. + + * lib/krb5/aes-test.c: add "next iv" test for aes128, check + decryption case too + + * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of + the next to last block, fix decryption case too + + * lib/krb5/aes-test.c: add "next iv" test for aes128 + + * lib/krb5/crypto.c (_krb5_aes_cts_encrypt): out iv is the iv of + the next to last block + + * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode + error + + * lib/krb5/mk_rep.c (krb5_mk_rep): abort on internal asn1 encode + error + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): abort on internal asn1 + encode error + + * lib/krb5/mk_priv.c (krb5_mk_priv): abort on internal asn1 encode + error + + * lib/krb5/get_cred.c (make_pa_tgs_req): abort on internal asn1 + encode error + + * lib/krb5/build_auth.c (krb5_build_authenticator): abort on + internal asn1 encode error + + * lib/krb5/build_ap_req.c (krb5_build_ap_req): abort on internal + asn1 encode error + +2004-01-30 Love Hörnquist Åstrand + + * doc/setup.texi: some text about order of [capaths] realms + +2004-01-25 Love Hörnquist Åstrand + + * lib/krb5/context.c: register WRFILE ops + + * lib/krb5/keytab_file.c: add krb5_wrfkt_ops/WRFILE (same as FILE) + + * lib/krb5/krb5.h: add krb5_wrfkt_ops + + * 
kpasswd/kpasswdd.c (change): use the right password when + changing the password + +2004-01-21 Love Hörnquist Åstrand + + * lib/krb5/fcache.c (_krb5_xlock): catch EINVAL and assume that it + means that the filesystem doesn't support locking + + * lib/krb5/keytab.c: remove #if 0 out file locking code + +2004-01-19 Love Hörnquist Åstrand + + * lib/asn1/gen_length.c (length_type): TSequenceOf: add up the + size of all the elements, don't use just the size of the last + element. + +2004-01-13 Love Hörnquist Åstrand + + * kuser/kinit.c (renew_validate): if renewable_flag and not time + specifed, use "1 month" + +2004-01-08 Love Hörnquist Åstrand + + * lib/krb5/krb5_keyblock.3: add prototypes, describe + krb5_keyblock_zero + +2004-01-05 Love Hörnquist Åstrand + + * lib/krb5/get_for_creds.c (add_addrs): don't add same address + multiple times + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): try to + handle errors better for previous commit + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): If tickets + are address-less, forward address-less tickets. + + * lib/krb5/get_cred.c: rename get_krbtgt to _krb5_get_krbtgt and + export it + diff --git a/third_party/heimdal/ChangeLog.2005 b/third_party/heimdal/ChangeLog.2005 new file mode 100644 index 0000000..a594d09 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2005 
@@ -0,0 +1,2004 @@ +2005-12-15 Love Hörnquist Åstrand + + * kdc/kerberos5.c (tgs_make_reply): less const on hdb_entry_ex to + make samba happy + + * fix-export: Build kdc-private.h. + +2005-12-14 Love Hörnquist Åstrand + + * kdc/kerberos5.c (tgs_rep2): also print the principal for which + the enctype was missing + +2005-12-13 Love Hörnquist Åstrand + + * kdc/kaserver.c: Finish up transition from hdb_entry to + hdb_entry_ex. + + * kdc/kerberos4.c: Finish up transition from hdb_entry to + hdb_entry_ex. + + * kdc/524.c: Finish up transition from hdb_entry to hdb_entry_ex. + + * kdc/kerberos5.c: Finish up transition from hdb_entry with + hdb_entry_ex. + + * lib/krb5/cache.c (krb5_cc_set_default_name): use + KRB5_DEFAULT_CCNAME. + + * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME, pointer to + default credential cache. + + * lib/hdb/ndbm.c: memset hdb_entry_ex before use + + * lib/hdb/db3.c: memset hdb_entry_ex before use + + * lib/hdb/db.c: memset hdb_entry_ex before use + +2005-12-12 Love Hörnquist Åstrand + + * lib/krb5/krb5.3: Add some more entrypoints. + + * lib/krb5/changepw.c: If there is a target principal, use the + realm of the realm to change the password with, + + * kuser/kinit.c: Default to use DH when fetching keys. + + * lib/hdb, kdc, kadmin/load.c: Wrap hdb_entry with hdb_entry_ex, patch + originally from Andrew Bartlet + + * lib/hdb/hdb-ldap.c: Wrap hdb_entry with hdb_entry_ex, add url + support, add ldapi support. + + * kdc/kerberos5.c (tgs_make_reply): there are no such things a + keytypes any more, just use enctypes. + + * kdc/kdc_locl.h: Remove private prototypes and instead include + . + + * kdc/Makefile.am: Build kdc-private.h and depend on it. + + * kdc/config.c (configure): wrap line + + * doc/kerberos4.texi: KDC 4 support is always compiled in. + + * TODO: Remove some stuff that have been done. + + * Makefile.am: Split long line + + * doc/apps.texi: Spelling, From Måns Nilsson. 
+ + * doc/install.texi: spelling, From Måns Nilsson + +2005-12-11 Love Hörnquist Åstrand + + * lib/krb5/krb5_principal.3: Constify principal argument to on + krb5_principal_get_ functions. + + * lib/krb5/principal.c: Constify principal argument to on + krb5_principal_get_ functions. + +2005-12-08 Love Hörnquist Åstrand + + * lib/hdb: drop convert_db, 0.0 to 0.1 transition was a long long + time ago + +2005-12-05 Love Hörnquist Åstrand + + * lib/krb5/test_keytab.c: more tests, From Andrew Bartlet + + * lib/krb5/keytab_memory.c (mkt_remove_entry): realloc can return + NULL on success in the case 0 entries are allocated, From Andrew + Bartlet + +2005-12-02 Love Hörnquist Åstrand + + * lib/krb5/acl.c (acl_parse_format): tmp needs to be freed too on + failure to parse format specifier. + + * lib/krb5/store-test.c: Free more of the allocated memory. + + * lib/krb5/crypto.c (krb5_derive_key): Free more of the allocated + memory, this function is only used by the test program. + + * lib/krb5/parse-name-test.c: Free more of the allocated memory. + + * lib/krb5/derived-key-test.c: Free more of the allocated memory. + +2005-12-01 Love Hörnquist Åstrand + + * doc/setup.texi: spelling, From Måns Nilsson + + * lib/krb5/krb5_keytab.3: Memory keytab are now named and + refcounted. + + * lib/krb5/test_keytab.c: Test that memory keytab are refcounted. + + * lib/krb5/keytab_memory.c: Index by name and start reference + counting on entries. + +2005-11-30 Love Hörnquist Åstrand + + * lib/krb5/krb5.h (krb5_address_type): add + KRB5_ADDRESS_NETBIOS (20) + + * lib/hdb/hdb.c (find_method): accept relative paths as old db + format too. + + * lib/krb5/aes-test.c: Remove usage of krb5_enctype_to_keytype. + +2005-11-29 Dave Love + + * kcm/connect.c (kcm_loop): Use HAVE_DOOR_CREATE, not HAVE_DOORS. + +2005-11-29 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c (libdefaults_entries): add + default_cc_name + + * lib/hdb/hdb.c: Only match db databases on filename starting with + '/'. 
+ + * lib/krb5/rd_req.c (krb5_verify_ap_re2): check timestamp in + authenticator + + * lib/krb5/rd_req.c (check_transited): explain the TR-type 0 + better and why it matters. + + * lib/krb5/test_cc.c: test krb5_cc_get_prefix_ops + + * lib/krb5/cache.c (krb5_cc_get_prefix_ops): change the behavior + to return NULL when its not found, and fcc when the name starts + with a '/'. Almost matches behavior in other parts of the code, + but can't really do that since the name passed in to this function + may only contain the prefix itself without the colon. + + * lib/krb5/cache.c (krb5_cc_get_prefix_ops): if there are not + colon (:) in the name, its a file credential cache + + * lib/hdb/db3.c (hdb_db_create): use calloc to callocate memory + + * lib/hdb/ndbm.c (hdb_ndbm_create): use calloc to allocate memory + + * lib/hdb/db.c (hdb_db_create): use calloc to allocate memory + +2005-11-28 Love Hörnquist Åstrand + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use session + key for delegated credentials + + * kdc/kerberos5.c (_kdc_as_rep): add comment when we send + ETYPE-INFO and ETYPE-INFO2, from Andrew Bartlett + +2005-11-25 Love Hörnquist Åstrand + + * lib/krb5/keytab.c (krb5_kt_get_full_name): new function + +2005-11-24 Love Hörnquist Åstrand + + * lib/krb5/test_crypto.c: Split encryption and s2k iterations to + diffrent counters, 38seconds of aes256 s2k is way too long. + + * lib/krb5/test_crypto.c: Add timing code for s2k function. + +2005-11-07 Love Hörnquist Åstrand + + * kdc/kerberos5.c: Print the time the principal expired, based on + patch from Andrew Bartlett. + +2005-11-01 Love Hörnquist Åstrand + + * lib/krb5/cache.c (krb5_cc_get_full_name): Add + +2005-11-01 Love Hörnquist Åstrand + + * configure.in: Spelling, From Michael Banck + +2005-10-30 Love Hörnquist Åstrand + + * kcm/headers.h: Maybe include . 
+ +2005-10-27 Love Hörnquist Åstrand + + * lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type): + understand KRB5_AUTHDATA_IF_RELEVANT and KRB5_AUTHDATA_AND_OR (but + have KRB5_AUTHDATA_KDC_ISSUED commented out for now) + +2005-10-26 Love Hörnquist Åstrand + + * kuser/klist.c: In the list caches view, rename the Status field + to Expires. + + * lib/krb5/krb5_encrypt.3: Fix mdoc for + krb5_encrypt_EncryptedData, Johnny Lam + +2005-10-25 Love Hörnquist Åstrand + + * appl/test/gssapi_client.c: Check return value from asprintf + instead of string != NULL since it undefined behavior on + Linux. From Björn Sandell + +2005-10-21 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (_krb5_dh_group_ok): if not enough bits are + generated from the DH groups, fail. + + * kdc/pkinit.c (get_dh_param): Pass down config so this function + can check pkinit_dh_min_bits + + * kdc/config.c: Fill in pkinit_dh_min_bits from configuration + file. + + * kdc/kdc.h: Add pkinit_dh_min_bits to krb5_kdc_configuration. + +2005-10-20 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Add option to require binding between reply + and response for the win2k version of the protocol. + +2005-10-19 Love Hörnquist Åstrand + + * doc/programming.texi: Text about Kerberos errors. + + * lib/krb5/pkinit.c: Try both ReplyKey and ReplyKey-Win2k for the + Windows case to support the updated -09 protocol (using + asChecksum). Tell KDC we support this by sending + KRB5-PADATA-PK-AS-09-BINDING in the pa-data. + + * lib/krb5/test_cc.c: Test copy FILE -> FILE, and MEMORY -> MEMORY + too. + + * lib/krb5/test_cc.c: Test krb5_cc_copy_cache and + krb5_cc_cache_match. + + * lib/krb5/cache.c (krb5_cc_cache_match): add function that + iterates over all credential caches for a user and returns a + match. + + * lib/krb5/krb5_ccache.3: Add krb5_cc_start_seq_get and an + example. + +2005-10-18 Love Hörnquist Åstrand + + * doc/programming.texi: Try to explain krb5_ccache, krb5_principal + and errors. 
+ +2005-10-13 Love Hörnquist Åstrand + + * lib/krb5/krb5_get_credentials.3: Add example how to use + krb5_get_credentials. + +2005-10-12 Love Hörnquist Åstrand + + * lib/krb5/init_creds.c: Rename private to opt_private. + + * lib/krb5/init_creds_pw.c: Rename private to opt_private. + + * lib/krb5/pkinit.c: rename element private to opt_private to make + c++ picky compilers less upset. + + * lib/krb5/krb5.h (krb5_get_init_creds_opt): rename element + private to opt_private to make c++ picky compilers less upset. + +2005-10-08 Love Hörnquist Åstrand + + * lib/krb5/krbhst.c (_krb5_krbhost_info_move): new function + (_krb5_free_krbhst_info): expose to internal use + + * lib/krb5/init_creds_pw.c: Prepare to pass down a + krb5_krbhst_info into the pre-auth mechs + + * lib/krb5/pkinit.c: Inline short functions, share more code, + rename COMPAT_27 to COMPAT_IETF, pass down a krb5_krbhst_info for + verification of KDC info, and general cleaning up. + +2005-10-07 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: Install krb5.moduli in sysconfdir. + + * lib/krb5/krb5_locl.h: rename moduli file to SYSCONFDIR + "/krb5.moduli" + + * lib/krb5/krb5_locl.h: Add forward declaration for + krb5_dh_moduli. Add define for MODULI_FILE. + + * kdc/pkinit.c: Removing PK-INIT-19 support. + + * lib/krb5/pkinit.c: Removing PK-INIT-19 support. + + * lib/krb5/pkinit.c (_krb5_dh_group_ok): return DH group name on + success. + (krb5_get_init_creds_opt_set_pkinit): use moduli file if it exists + + * kdc/pkinit.c: Save DH group name and print it on success. + + * lib/krb5/pkinit.c (_krb5_dh_group_ok): if q is zero, ignore it. + + * kdc/pkinit.c: Check dh group parameters from client. + + * lib/krb5/krb5_err.et: Match error code with pk-init-27. + + * lib/krb5/pkinit.c: Update error codes. Add name to group. Change + return value of _krb5_dh_group_ok. + + * lib/krb5/pkinit.c: Add support for reading a moduli-file for DH + parameters. 
+ +2005-10-06 Love Hörnquist Åstrand + + * kuser/klist.1: Document --list-caches + + * kuser/klist.c: Change short flag of --list-caches to -l (-v is + already used). + +2005-10-03 Love Hörnquist Åstrand + + * lib/krb5/kerberos.8: RFC 1510 was obsoleted by 4120. + + * lib/krb5/acache.c (init_ccapi): return kerberos errors, callers + expect it + (acc_get_cache_first): don't leak memory or abort on malloc + failure + +2005-10-02 Love Hörnquist Åstrand + + * lib/krb5/kerberos.8: Update text about Kerberos RFC's. + +2005-10-01 Love Hörnquist Åstrand + + * kuser/klist.c: Add option --list-caches that lists the avaible + caches and their status. + + $ klist --list-caches + Principal Cache name Status + lha@E.KTH.SE 2 Valid + lha@SU.SE 1 Expired + lha/root@SU.SE 0 Expired + lha@N.L.NXS.SE Initial default ccache Expired + +2005-09-30 Love Hörnquist Åstrand + + * lib/krb5/keytab_keyfile.c: Use all DES keys, not just + des-cbc-md5, verify that they all are the same. + + * lib/krb5/mcache.c Implement the cache iteration functions. + + * lib/krb5/acache.c: Implement the cache iteration functions. + + * lib/krb5/test_cc.c: Test the new cache iteration functions. + + * lib/krb5/cache.c: Add cache iteration funcations. Add internal + allocation function for the memory of a krb5_ccache, and use it. + + * lib/krb5/krb5.h (krb5_cc_ops): add cache iteration functions + +2005-09-25 Love Hörnquist Åstrand + + * lib/krb5/krb5_mk_req.3: Remove leftovers, remove extra space. + + * kdc/kerberos5.c: More verbose PK-INIT logging. + + * kdc/pkinit.c: The public DH key is encoded as an INTEGER in + subjectPublicKey. Don't verify OID's for now. + + * lib/krb5/pkinit.c: Support cached DH variable (still need to + store it though), don't check the oid of the DH signedData for + now. + +2005-09-22 Love Hörnquist Åstrand + + * lib/krb5/rd_cred.c (krb5_rd_cred): try both the session key and + the sender subkey. Both RFC1510 and RFC4120 say that you have to + use the session key, Heimdal uses subkey. 
+ +2005-09-21 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Don't check oid's too closely, they change in + Windows Vista. + +2005-09-20 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Disable sending -19, fix parsing -27 of the + protocol. + + * kdc/pkinit.c: Support PK-INIT-27 DH (and remove -19) + + * lib/krb5/pkinit.c (pk_verify_chain_standard): set cert to NULL + to make sure its not freed. + +2005-09-19 Love Hörnquist Åstrand + + * lib/krb5/crypto.c (krb5_DES_string_to_key): If the opaque length + it set to 1, and content is 0x01, use the afs3 string-to-key. + + * kdc/kerberos5.c (make_etype_info2_entry): When its a afs3-salted + key, use send the opaque, length 1 (with content set to 0x01) in + ETYPE-INFO2-ENTRY. + + * lib/krb5/kcm.c: Remove signedness warnings. + +2005-09-15 Love Hörnquist Åstrand + + * configure.in: Use libtool's default values for building + shared/static libaries, ie remove AC_ENABLE_SHARED(no), solves + building problems users have on Mac OS X. + +2005-09-08 Love Hörnquist Åstrand + + * lib/krb5/changepw.c: Constify password. + +2005-09-05 Love Hörnquist Åstrand + + * lib/krb5/krb5_mk_req.3: Document krb5_rd_req. + + * lib/krb5/Makefile.am: MAN_mans+= krb5_mk_req.3 + + * lib/krb5/krb5_mk_req.3: Document krb5_mk_req, krb5_mk_req_exact, + krb5_mk_req_extended, krb5_rd_req, krb5_rd_req_with_keyblock, + krb5_mk_rep, krb5_mk_rep_exact, krb5_mk_rep_extended, krb5_rd_rep, + krb5_build_ap_req, krb5_verify_ap_req. + +2005-09-01 Love Hörnquist Åstrand + + * kdc/kerberos5.c (make_etype_info_entry): Dont send salttype at + all, use KRB5-PADATA-AFS3-SALT + +2005-08-31 Love Hörnquist Åstrand + + * kdc/kerberos5.c (log_timestamp): endtime, not endtype + +2005-08-30 Love Hörnquist Åstrand + + * configure.in: Check for . 
+ + * kcm/connect.c (update_client_creds): in case there is no + UCRED_VERSION, skip LOCAL_PEERCRED + + * kcm/headers.h: include + +2005-08-27 Love Hörnquist Åstrand + + * lib/krb5/rd_req.c (check_transited): Allow empty content of type + 0 because that is was Microsoft generates in their TGT. + + * kdc/kerberos5.c (fix_transited_encoding): Allow empty content of + type 0 because that is was Microsoft enerates in their TGT. + +2005-08-26 Love Hörnquist Åstrand + + * doc/intro.texi: RFC 4120 replaces RFC 1510 + +2005-08-25 Love Hörnquist Åstrand + + * configure.in: Add --disable-afs-support. + +2005-08-23 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: Add test_hostname to check_PROGRAMS but + not TESTS, I have no same dns to use. + + * lib/krb5/test_hostname.c: Testprogram for krb5_expand_hostname() + and krb5_expand_hostname_realms(). + + * configure.in: Build KCM if we have doors or unix sockets. + + * lib/krb5/principal.c (krb5_425_conv_principal_ex2): Remove + shadowing variable. + + * lib/krb5/get_host_realm.c (dns_find_realm): Fix const warnings, + plug memory leak. 
From: Stefan Metzmacher + + * lib/krb5/krb5_config.3: Document what happens with NULL to + krb5_config_free_strings + (nothing). Mdoc nit. + +2005-08-22 Love Hörnquist Åstrand + + * kuser/klist.c (check_for_tgt): Re-order code so it only free the + credential if one was returned. + + * lib/krb5/test_crypto_wrapping.c: Fix printing of size_t. + +2005-08-19 Love Hörnquist Åstrand + + * lib/hdb/dbinfo.c: provide interface to find databases + + * lib/hdb/mkey.c: hdb_seal_key_mkey): dont double encrypt keys + +2005-08-15 Love Hörnquist Åstrand + + * kdc/kdc_locl.h: Update prototype for _kdc_pk_mk_pa_reply. + +2005-08-13 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c: Save the request buffer so that + pre-auth mechanism that needs it can verify the reply. + +2005-08-12 Love Hörnquist Åstrand + + * lib/krb5/test_mem.c: Rename logf to avoid shadowing. + + * lib/krb5/krb5_keytab.3: Fix the version number for + fcc-mit-ticketflags. + + * lib/krb5/fcache.c: Revert previous, I was confused. + + * lib/krb5/krb5_keytab.3: Document fcc-mit-ticketflags in + COMPATIBILITY section. + + * lib/krb5/fcache.c (fcc_store_cred): default to MIT style ticket + flags. + + * kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break; + + * lib/krb5/krb5_create_checksum.3: Update prototype for + krb5_create_checksum. + + * kdc/pkinit.c: Make compile. + + * lib/krb5/pkinit.c: Implement verification of asChecksum, now + client side code is using -27 of the pk-init draft. + + * kdc/kdc_locl.h: update prototype for _kdc_as_rep + + * kdc/pkinit.c: Fill in asChecksum, we now implements -27 in the KDC. + + * kdc/process.c: Pass down the request buffer to _kdc_as_rep(). + + * kdc/kerberos5.c (_kdc_as_rep): Pass down the request buffer to + _kdc_pk_mk_pa_reply. + +2005-08-11 Love Hörnquist Åstrand + + * lib/hdb/ext.c: HDB extensions access glue. + + * kcm/acquire.c: Use krb5_set_password instead of + krb5_change_password. + + * configure.in: Add tests/Makefile and tests/db/Makefile. 
+ + * NEWS: New ASN.1 compiler + + * lib/hdb/Makefile.am: Build extensions. + + * lib/hdb/print.c: Print extensions. + + * lib/hdb/hdb_err.et: Add error "Entry contains unknown mandatory + extension". + + * lib/hdb/hdb.h: Update interface version (and indent). + + * lib/hdb/hdb.asn1: Add support for HDB-extension. + +2005-08-10 Love Hörnquist Åstrand + + * lib/krb5/test_pkinit_dh2key.c: add tests vectors from + "Liqiang(Larry) Zhu" + + * lib/hdb/mkey.c: Expose the crypto operations on the master key. + + * lib/krb5/test_pkinit_dh2key.c: even more bits, not done yet + +2005-08-09 Love Hörnquist Åstrand + + * kdc/kerberos5.c (_kdc_as_rep): preserve the error code in the + ENC-TS case. From: Andrew Bartlett + + * kdc/kerberos5.c (tgs_rep2): only needs to log "Failed to verify + authenticator" once, its already done by + tgs_check_authenticator(). + + * kdc/kerberos5.c: Indent strings. + + * kdc/kerberos5.c (log_timestamp): avoid shadow warnings 
From: + Andrew Bartlett + + * lib/krb5/verify_user.c: Add krb5_verify_opt_alloc and + krb5_verify_opt_free. + + * lib/krb5/krb5_verify_user.3: Document krb5_verify_opt_alloc and + krb5_verify_opt_free. + + * lib/hdb/db3.c (DB_open): catch errors from the d->open calls + instead of letting them slip though to d->cursor. Bug repport from + Andrew Bartlett + +2005-07-29 Love Hörnquist Åstrand + + * kdc/Makefile.am (kdc_LDADD): add LDADD + +2005-07-28 Love Hörnquist Åstrand + + * kdc/kerberos5.c (_kdc_as_rep): log what enctypes was using in + ENC-TS preauth, both for failure and success. + + * kdc/hprop.c: Use the _krb5_krb_life_to_time function from + libkrb5 instead of including our own here too. + + * kdc/kerberos5.c: indent printf strings + + * lib/hdb/mkey.c (hdb_unseal_key_mkey): try to unseal key with + keyusage 0 in case the key was encrypted with MIT Kerberos (old + patch from Johan) + +2005-07-26 Love Hörnquist Åstrand + + * kdc/pkinit.c: update to pkinit-27 + +2005-07-23 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Adapt to IMPLICIT changes in CMS module. + +2005-07-20 Love Hörnquist Åstrand + + * lib/krb5/test_pkinit_dh2key.c: framework for testing + _krb5_pk_octetstring2key + + * kpasswd/kpasswdd.c (doit): krb5_addr2sockaddr takes a + krb5_socklen_t + + * kdc/connect.c (de_http): sscanf takes a char *, not unsigned + ditto, cast approriately + + * lib/krb5/crypto.c (_krb5_pk_octetstring2key): make sha1 output + unsigned char to match openssl + +2005-07-14 Love Hörnquist Åstrand + + * lib/hdb/common.c: Check encoder lengths from ASN1_MALLOC_ENCODE. + +2005-07-13 Love Hörnquist Åstrand + + * lib/krb5/rd_cred.c (krb5_rd_cred): don't leak memory + + * lib/krb5/get_cred.c (krb5_get_credentials_with_flags): only call + krb5_cc_retrieve_cred once, and plug memory leak. 
+ +2005-07-13 Love Hörnquist Åstrand + + * lib/hdb/Makefile.am: the new asn.1 compiler includes the modules + name in the depend file + + * lib/krb5/keytab_file.c (fkt_start_seq_get_int): check return + value from krb5_storage_from_fd + + * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): client do not contribute + to the DH when the server doesn't support the cached DH request. + + * lib/krb5/crypto.c (_krb5_pk_octetstring2key): fix arguments + +2005-07-12 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: clean up pk-init DH support, not finished + yet; improve error reporting + + * lib/krb5/crypto.c (_krb5_pk_octetstring2key): string2key + function used in pk-init-25 + + * configure.in: Use a configure switch to turn on PK-INIT, not by + detecting existence of the new ASN.1 library. + + * lib/asn1: Much improved ASN.1 compiler from joda-choice-branch. + + Highlighs for the compiler is support for CHOICE and in general better + support for tags. This compiler support most of what is needed for + PK-INIT, LDAP, X.509, PKCS-12 and many other protocols. + +2005-07-10 Love Hörnquist Åstrand + + * lib/asn1: make scope variables unique to avoid shadow warnings + +2005-07-09 Love Hörnquist Åstrand + + * lib/krb5/krb5.h: comment out paramenter name in typedef + functions to avoid shadow warnings + + * lib/krb5/crypto.c: make input data to krb5_encrypt{,_ivec} const + + * kuser/klist.c: If there are no addresses, print addressless + instead of nothing. 
+ + * lib/krb5/Makefile.am (TESTS): add test_crypto_wrapping + + * lib/krb5/crypto.c (wrapped_length): the underived encrypted + types checksum are all unkeyed (matches the code in + encrypt_internal() and encrypt_internal_special()) + + * lib/krb5/test_crypto_wrapping.c: ETYPE_ARCFOUR_HMAC_MD5_56 isn't + not supported + + * lib/krb5/test_crypto_wrapping.c: test encryption wrapping + + * lib/krb5/test_crypto.c (time_encryption): free cleartext buffer + +2005-07-08 Love Hörnquist Åstrand + + * configure.in: run AM_INIT_AUTOMAKE before AM_PROG_CC_C_O + otherwise am_aux_dir will be expanded using ac_aux_dir before the + later is set. + + * configure.in: check for strings.h explicitly instead of + depending on AC_HEADER_STDC to check it for us + +2005-07-07 Assar Westerlund + + * configure.in: add AM_PROG_CC_C_O for automake 1.9 + +2005-07-06 Love Hörnquist Åstrand + + * lib/krb5/keytab.c (krb5_kt_get_entry): clear error string when + returning a new error + + * lib/krb5/keytab.c: krb5_kt_close frees all resources, even on + error. + + * lib/krb5/verify_init.c (krb5_verify_init_creds): `entry' unused, + remove 
From: "Henry B. Hotz" + +2005-07-05 Love Hörnquist Åstrand + + * doc/win2k.texi: arcfour-hmac-md5 support for windows cross was + added in w2k3-sp1 From David Love + + * doc/setup.texi: document kadmin command password-quality instead + of the not installed test_pw_quality + + * lib/krb5/krb5_get_init_creds.3: Spelling, from David Love + + * fix-export: build kdc-protos.h + +2005-07-01 Love Hörnquist Åstrand + + * kdc: prefix pkinit symbols with _kdc + + * kuser/kinit.c: avoid shadowing variables + + * kuser: s/optind/optidx/ + + * kdc: adapt pkinit code to libkdc split + +2005-06-30 Love Hörnquist Åstrand + + * tools/Makefile.am: add depency on LIB_dlopen and LIB_door_create + + * tools/krb5-config.in: add depency on LIB_dlopen and LIB_door_create + + * kdc/kdc_locl.h: indent, remove dup prototypes + + * kdc/libkdc: don't pollute namespace, generate public headerfile + + * lib/krb5/principal.c: add krb5_425_conv_principal_ext2 that work + just like krb5_425_conv_principal_ext but takes a context variable + for the verification function + + * kdc/Makefile.am: there is no export script, not pretend there is + + * kdc: Merge in the libkdc/kdc configuration split from Andrew + Bartlet + + * lib/krb5/crypto.c: optionally compile in support for afs string2key + + * configure.in: add --disable-afs-string-to-key to allow removal + of support for afs string2key (and dependency on crypt) + +2005-06-29 Love Hörnquist Åstrand + + * kdc/kerberos5.c: Add logging of all timestamps in AS-REQ and + TGS-REQ, for auditing + + * kdc/kerberos5.c (as_req): print the supported encryption types + so its possible to know what clients to update. + (find_rpath): return const char * and update callers. + +2005-06-28 Luke Howard + + * kcm/connect.c: fix arguments to kcm_log() when reporting + sendmsg() error + + * kcm/connect.c: don't send socket address in msghdr, it + returns an already connected error on Linux + +2005-06-24 Love Hörnquist Åstrand + + * kdc/524.c: Always include . 
+ +2005-06-23 Love Hörnquist Åstrand + + * doc/intro.texi: no more libdes, gssapi lib is complete + + * lib/krb5/krb5.conf.5: Documentation for password quality + control. 
From: "James F. Hranicky" + + * lib/krb5/verify_krb5_conf.c (password_quality_entries): add + min_length and min_classes + + * kdc/kaserver.c: log the kaserver requests, avoid shadowing + variables + + * lib/hdb/db3.c (DB_open): in case of error, close database + + * lib/hdb/ndbm.c (NDBM_open): in case of error, close database + + * lib/hdb/db.c (DB_open): in case of error, close database + +2005-06-20 Love Hörnquist Åstrand + + * kcm/kcm.8: fix example + +2005-06-17 Love Hörnquist Åstrand + + * lib/krb5/rd_rep.c: indent + + * lib/krb5/rd_rep.c (krb5_rd_rep): check if + KRB5_AUTH_CONTEXT_DO_TIME set and use that as a que that timestamp + should be checked, DCE-STYLE gssapi needs to be able to tweek this + + * kdc/string2key.c: rename optind to optidx + + * lib/hdb/convert_db.c: rename optind to optidx + + * lib/hdb/keytab.c: const poison, add a unconst where needed + + * lib/krb5/crypto.c (krb5_string_to_key): unconst password + + * lib/asn1/k5.asn1: rename pvno to krb5-pvno + + * lib/krb5/get_in_tkt_with_keytab.c (krb5_keytab_key_proc): + unconst argument + + * lib/krb5/verify_krb5_conf.c: rename optind to optidx + + * lib/krb5/transited.c: rename the temporary string variable to + `str' + + * lib/krb5/test_crypto.c: rename optind to optidx + + * lib/krb5/test_alname.c: rename optind to optidx + + * lib/krb5/store.c: unconst argument to krb5_store (XXX this + should be fixed, krb5_store doesn't need to modify its argument) + + * lib/krb5/send_to_kdc.c (krb5_sendto): remove shadowing + unnessecery variable ret + + * lib/krb5/rd_cred.c (krb5_rd_cred): remove shadowing unnessecery + variable len + + * lib/krb5/prog_setup.c: rename optind to optidx + + * lib/krb5/padata.c: rename variable index to idx + + * lib/krb5/log.c: rename variable time to timestr to avoid + shadowing + + * lib/krb5/krbhst.c (krb5_krbhst_init_flags): rename variable to + avoid shadowing + + * lib/krb5/krbhst-test.c: rename optind to optidx + + * lib/krb5/kcm.c: unconst argumen to connect, 
unconst argument to + krb5_store (XXX this should be fixed, krb5_store doesn't need to + modify its argument) + + * lib/krb5/init_creds_pw.c (default_s2k_func): unconst password + + * lib/krb5/crypto.c: rename `encrypt' to avoid shadow warning + +2005-06-16 Love Hörnquist Åstrand + + * lib/krb5/principal.c: rename index to idx + + * lib/krb5/mk_error.c: use rk_UNCONST + + * lib/krb5/fcache.c: rename to avoid shadowing + + * lib/krb5/config_file.c: rename to avoid shadowing + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): just copy the + string instead of losing const + + * lib/krb5/addr_families.c: use rk_UNCONST to silence const + warning + + * lib/krb5/addr_families.c: rename sin to sin4 + + * lib/asn1/asn1_print.c: rename optind to optidx, remove shadowed + variables + + * lib/asn1/main.c: rename optind to optidx + + * lib/asn1/gen_copy.c: rename to avoid shadowing + + * lib/asn1/gen_locl.h: rename function filename to get_filename + + * lib/asn1/lex.l: use get_filename + + * lib/asn1/gen.c: rename function filename to get_filename + + * lib/krb5/acache.c: use HAVE_DLOPEN around cc_handle + + * configure.in: add headers and prototypes to logwtmp, logout and + openpty checks + + * configure.in: include headerfiles and set prototype for tgetent + + * kdc/kerberos5.c (make_etype_info2_entry): NUL terminate the + string + + * kdc/kerberos5.c: replace strndup with inline copy, free data on + failure + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): replace strndup + with inline copy + + * lib/krb5/log.c: rename close and log to avoid shadow warnings + + * lib/krb5/get_in_tkt.c: rename index to i to avoid shadowing + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): rename two + of the local `realm' to srealm to avoid shadowing + + * kdc/kerberos5.c (tgs_rep2): rename one of the tkey to uukey to + avoid shadow warning + + * kdc/kerberos5.c (tgs_rep2): rename loop to nloop to avoid shadow + warning + +2005-06-15 Love Hörnquist Åstrand + + * Release 
0.7, see branch + +2005-06-14 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: TESTS += test_mem libkrb5_la_SOURCES += + kcm.h + + * kuser/kinit.c (main): catch KRB5_CONFIG_BADFORMAT from + krb5_init_context + + * kdc/main.c (main): catch KRB5_CONFIG_BADFORMAT from + krb5_init_context + + * lib/krb5/verify_krb5_conf.c (main): catch KRB5_CONFIG_BADFORMAT + from krb5_init_context 
From: Mathias Feiler + + + * lib/krb5/verify_krb5_conf.c: Add more missig entires, from + Mathias Feiler + +2005-06-11 Love Hörnquist Åstrand + + * kdc/pkinit.c (pk_principal_from_X509): remember to free + KRB5PrincipalName + + * lib/krb5/log.c (krb5_closelog): free all content in + krb5_log_facility + +2005-06-08 Love Hörnquist Åstrand + + * kdc/524.c: init kvno to please gcc + + * kdc/kaserver.c (do_authenticate): check return value from + unparse_auth_args + +2005-06-07 Dave Love + + * doc/setup.texi: Spelling. + + * doc/programming.texi: Spelling. + +2005-06-02 Dave Love + + * kcm/connect.c (kcm_door_server): Make static. + + * kcm/kcm_locl.h (disallow_getting_krbtgt): Declare. + +2005-06-02 Love Hörnquist Åstrand + + * kdc/mit_dump.c (mit_prop_dump): cast argument to + krb5_parse_principal to avoid warning + + * kdc/mit_dump.c: rename KRB5_TL_MOD_PRINC to + mit_KRB5_TL_MOD_PRINC to hint its a constant originating from mit + codebase + +2005-06-01 Love Hörnquist Åstrand + + * lib/krb5/store.c: If we are allocating 0 entires, avoid failing + if ALLOC returns NULL + + * lib/krb5/verify_krb5_conf.c: Check for [kdc]v4-realm + + * lib/krb5/cache.c: When returning a new error code, set error + string. + +2005-05-31 Love Hörnquist Åstrand + + * lib/krb5/keytab_file.c: Adapt to changed signature of + _krb5_xunlock, clear more error string where needed. 
+ + * lib/krb5/fcache.c (_krb5_xunlock): catch the error and turn it + into something sensable + +2005-05-30 Love Hörnquist Åstrand + + * kdc/kerberos5.c (tgs_make_reply): copy ok-as-delegate flag from + server entry to encrypted ticket flags + +2005-05-30 Johan Danielsson + + * kdc/connect.c: rename sendlength to prependlength (which + hopefully better represents its purpose), and change type to + krb5_boolean + + * kdc/connect.c: log signal causing exit + + * kdc/main.c (sigterm): set exit_flag to signal causing exit; + (main): trap SIGXCPU + +2005-05-30 Love Hörnquist Åstrand + + * kcm/kcm.8: document --disallow-getting-krbtgt and --door-path + + * kcm/protocol.c (kcm_op_retrieve): check server for krbtgt, not + client + + * kcm/main.c: ignore SIGPIPE + + * kcm/protocol.c: Add option to disallow getting krbtgt out from + from KCM. KCM will do the fetching part itself. + + * kcm/config.c: Add option to disallow getting krbtgt out from + from KCM. KCM will do the fetching part itself. + +2005-05-30 Luke Howard + + * kcm/events.c: if credentials have expired when attempting + to renew, attempt to reacquire them using initial creds + +2005-05-29 Love Hörnquist Åstrand + + * lib/krb5/krb5_principal.3: Spelling, from Björn Sandell + + * doc/setup.texi: spelling, from Björn Sandell + + * lib/krb5/name-45-test.c: XXX don't run the test unless the + machine is in kth.se or su.se because it depends on local resolver + configuration. 
+ + * lib/hdb/hdb.c: provde RTLD_NOW and RTLD_GLOBAL if they don't + exists + + * kcm/connect.c: fix doors support, fix signedness warnings + + * kcm/config.c: add --door-path= + + * configure.in: comment what the "detect doors on solaris" + fragment tries to do + + * kcm/acquire.c (generate_random_pw): fix signed-ness warnings + + * kcm/connect.c (update_client_creds): fix compile error in the + getpeerucred case + + * lib/krb5/test_cc.c: change format for expantion variables in + default_cc_name to %{variable} to not confuse them with shell + ditto + + * kcm/headers.h: Maybe include . + + * kcm/kcm_locl.h: add extern door_path; + + * configure.in: detect doors using door_create + + * kcm/Makefile.am: add dependcy on kcm_protos.h add lib depency on + LIB_door_create + + * lib/krb5/kcm.h: add _PATH_KCM_DOOR, default path to kcm door + + * lib/krb5/kcm.c: use [libdefaults]kcm_door to find the door to + kcm + + * lib/krb5/Makefile.am: libkrb5_la_LIBADD += LIB_door_create + + * lib/krb5/krb5_locl.h: Maybe include , maybe include + . 
+ + * lib/krb5/kcm.c (kcm_send_request): add support for doing a door + call to kcm + + * lib/asn1: prefix Der_class with ASN1_C_ to avoid problems with + system headerfiles that pollute the name space + + * kcm/kcm.8: change format for expantion variables in + default_cc_name to %{variable} to not confuse them with shell + ditto + + * lib/krb5/krb5.conf.5: change format for expantion variables in + default_cc_name to %{variable} to not confuse them with shell + ditto + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): change format + for expantion variables to %{variable} to not confuse them with + shell ditto + + * kcm/connect.c: add LOCAL_PEERCRED and experimental doors support + +2005-05-27 Love Hörnquist Åstrand + + * appl/kf/kfd.c: case uid_t to unsigned long in printf format + +2005-05-25 Love Hörnquist Åstrand + + * lib/krb5/krb5_auth_context.3: remove trailing space + +2005-05-24 Love Hörnquist Åstrand + + * kcm/connect.c (do_request): use sendmsg to send the reply + + * fix-export: add make_proto for kcm/kcm_protos.h + + * kcm/kcm_locl.h: remove prototypes and add + + * kcm/Makefile.am (kcm_SOURCES): add headerfiles + (kcm_protos.h): generate prototypes + + * kcm/protocol.c: fix error in last commit, use right function + + * kcm/headers.h: include if we have getpeerucred + + * configure.in: check for functions getpeerucred and getpeereid + + * kcm/connect.c (update_client_creds): add support for + getpeerucred and getpeereid + + * lib/krb5/kcm.c (kcm_alloc): allow kcm socket to be configured by + [libdefaults]kcm_socket=/path + +2005-05-24 David Love + + * kcm/kcm.8: KRB5CCNAME needs an literal uid, not ${uid}, spelling + +2005-05-23 Love Hörnquist Åstrand + + * kcm/protocol.c: Merge the description and function jumptables + into one structure. Use the length of the array when checking if + opcode is value, not a constant. 
+ + * kcm/kcm_locl.h: struct kcm_op: jumptable structure + + * kcm/main.c: move declaration of detach_from_console away from + here to kcm_locl.h, Don't test HAVE_DAEMON since roken supplies it. + + * kcm/kcm_locl.h: move declaration of detach_from_console here + + * kdc/config.c: Don't test HAVE_DAEMON since roken supplies it. + +2005-05-23 Dave Love + + * kcm/config.c: Don't test HAVE_DAEMON since roken supplies it. + + * kdc/main.c: Don't test HAVE_DAEMON since roken supplies it. + +2005-05-23 Love Hörnquist Åstrand + + * lib/krb5/krb5_keytab.3: document WRFILE and JAVA14 + +2005-05-20 Love Hörnquist Åstrand + + * lib/krb5/krbhst.c (srv_get_hosts): if srv_get_hosts failes, + return and ignore the error + + * lib/krb5/krbhst.c (srv_find_realm): make sure `res' and `count' + have good values + + * lib/krb5/test_keytab.c: tests all keytab format + +2005-05-19 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): non non asn1 decoding + errors, fail. Make sure we free memory on error. + (pk_verify_chain_standard): make sure we provide good errors. + + * lib/krb5/verify_krb5_conf.c: add missing options, prompted by + James F. Hranicky mail to heimdal-discuss + + * lib/krb5/verify_krb5_conf.c: add pkinit and password quailty + check options + + * lib/krb5/pkinit.c (pk_verify_chain_standard): store better error + message in the context for certificate errors. + + * lib/krb5/keytab.c (krb5_kt_free_entry): zero out content of all + krb5_free_x_content like functions to make sure data doesnt get + reused, idea from Wynn Wilkes + + * configure.in: depend on automake 1.8, we don't test anything + older + + * lib/krb5/init_creds_pw.c (process_pa_data_to_md): add comment + that the caller always free out_md; remove comment about memory, + it doesn't happen. 
+ (init_cred_loop): free ctx->as_req.padata when its reset (From Wynn + Wilkes ), move a comment close the the code + + * lib/krb5/keytab_krb4.c (fkt_remove_entry): need to call + krb5_kt_free_entry after each krb5_kt_next_entry. + + * lib/krb5/keytab_file.c (fkt_remove_entry): need to call + krb5_kt_free_entry after each fkt_next_entry_int. From: Wynn + Wilkes + +2005-05-18 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: TESTS += test_keytab + + * lib/krb5/keytab_krb4.c (krb4_kt_remove_entry): plug memory leaks, + avoid crashing on empty keytab + + * lib/krb5/krb5_keytab.3: document behavior of + krb5_kt_remove_entry + + * lib/krb5/keytab_memory.c (mkt_remove_entry): check if there + isn't any entries in the keytab before removing any since that + leads to bad pointer arithmetic and crashing. From: Wynn Wilkes + . Make the function return KRB5_KT_NOTFOUND + if the entry wasn't in the keytab (just like the filebased + keytab). + + * lib/krb5/test_keytab.c: test memory corruption in MEMORY keytab + + * lib/krb5{addr_families,context,creds,free,keyblock, + mit_glue,rd_error}.c:zero out content of all krb5_free_x_content + like functions to make sure data doesnt get reused, idea from + Wynn Wilkes + + * lib/krb5/krb5_get_credentials.3: document KRB5_GC_EXPIRED_OK + + * lib/krb5/krb5.3: add krb5_cc_new_unique + +2005-05-17 Love Hörnquist Åstrand + + * lib/krb5/fcache.c (fcc_get_first): check return value from + malloc, memset the structure, make sure cursor doesn't point to + freed memory on failure. 
From: Wynn Wilkes + + * lib/krb5/krb5_auth_context.3: document + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED + + * lib/krb5/get_cred.c: Remove expired credentials, based on + patches and comments from Anders Magnusson and Wynn + Wilkes + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): honor + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED and create unencrypted + (ENCTYPE_NULL) credentials. for use with old mit server and java based + ones as they can't handle encrypted KRB-CRED. Note that the option + needs to turned on because if the consumer sends the KRB-CRED in + clear bad things will happen. + + * lib/krb5/context.c (krb5_init_context): register krb5_javakt_ops + + * lib/krb5/krb5.h: KRB5_GC_EXPIRED_OK: expired credentials is ok + to return from krb5_get_credentials. + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED: make forward credentials + be unencrypted, for compatibility with mit kerberos and java + kerberos. krb5_javakt_ops: export + +2005-05-16 Love Hörnquist Åstrand + + * lib/krb5/keytab_file.c: Add new keytab file format JAVA14 that + doesn't the use extended kvnos, as hinted, this is needed for + Java's Kerberos implementation. + +2005-05-10 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 + enckey, still no DH + + * kdc/pkinit.c: handle pkinit-9, pkinit-19, and pkinit-25 enckey, + still no DH + + * kdc/kerberos5.c (as_rep): search for pkinit-9, pkinit-19, and + pkinit-25 pa-data, return empty pkinit pa-data in the + PREAUTH_REQUIRED krb-error + + * doc/ack.texi: add pkinit people + + * lib/krb5/krb5_storage.3: document krb5_storage_is_flags + + * lib/krb5/{krb5_compare_creds.3,krb5_get_init_creds.3, + krb5_krbhst_init.3,krb5_storage.3}: + make more pretty, from Björn Sandell + +2005-05-09 Dave Love + + * doc/setup.texi: Fix and clarify password quality check examples. + +2005-05-09 Love Hörnquist Åstrand + + * lib/krb5/kuserok.c (krb5_kuserok): use POSIX_GETPWNAM_R instead + of HAVE_GETPWNAM_R 
From: Dave Love + +2005-05-07 Love Hörnquist Åstrand + + * lib/krb5/addr_families.c (krb5_print_address): catch when the + unknown adress don't fit. From Björn Sandell + +2005-05-05 Dave Love + + * configure.in: fix type right test, include for + sys/strtty.h, not sys/ptyvar.h + +2005-05-05 Love Hörnquist Åstrand + + * lib/krb5/krb5.conf.5: spelling + +2005-05-04 Love Hörnquist Åstrand + + * lib/krb5/krb5.conf.5: expand on what "trailing component" means + +2005-05-04 Johan Danielsson + + * lib/krb5/rd_cred.c: put address comparison in separate function + + * lib/krb5/krb5_kuserok.3: check the user's ~/.k5login.d directory + for access files, all of which is handled like the regular + ~/.k5login + + * lib/krb5/kuserok.c: check the user's ~/.k5login.d directory for + access files, all of which is handled like the regular ~/.k5login + +2005-05-03 Love Hörnquist Åstrand + + * doc/ack.texi: Clearify what version of libdes we are using and + who's code in it we are using. + + * kcm/kcm.8: more text about usage + + * kcm/Makefile.am: man_MANS += kcm.8 + + * kcm/kcm.8: initial manpage + + * configure.in: if we have a $srcdir/lib/asn1/pkcs12.asn1, define + PKINIT + +2005-05-02 Dave Love + + * configure.in: sys/tty.h (for sys/ptyvar.h) might need termios.h. + +2005-05-02 Love Hörnquist Åstrand + + * tools/krb5-config.in: add com_err to required libs + + * lib/krb5/pkinit.c (krb5_ui_method_read_string): use the fill in + length + + * lib/krb5/init_creds_pw.c: Now that we fixed the signed-ness of + nonce for windows, remove the code that removed the signed + bit. Instead add comment that they still need to be the same + (Kerberos protocol nonce and pk-init nonce) for Windows. + +2005-05-02 David Love + + * lib/krb5/crypto.c: Don't declare des_salt &c as static with + incomplete type (invalid in c89, at least). 
+ +2005-05-02 Love Hörnquist Åstrand + + * lib/krb5/krb5_locl.h: include + +2005-05-02 David Love + + * kcm/connect.c (init_socket): rename variable sun to un to avoid + namespace collision. + (handle_stream): Cast arg of krb5_warnx. + +2005-04-30 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c: if we are using PKINIT, strip of the + highest bit to make windows PK-INIT happy. Also make the nonces + the same, again for windows, they are using pk-init-9. + + XXX check if it isn't the that nonce is an unsigned variable so + its just a asn1 mismatch. + + * kdc/pkinit.c: pass a NULL prompter data to _krb5_pk_load_openssl_id + + * kuser/kinit.c: krb5_get_init_creds_opt_set_pkinit + + * lib/krb5/pkinit.c: Pass prompter data to the prompter function, + implement a UI prompter function wrapping the kerberos prompter + function so that the the OpenSSL ENGINE can ask for a password + when loading the private key. 
From: Douglas E. Engert + + * lib/krb5: add in test programs + + * configure.in: sys/ptyvar.h might need + + * lib/krb5/Makefile.am: use LIB_com_err for libkrb5.la + +2005-04-29 Love Hörnquist Åstrand + + * lib/asn1/Makefile.am: use $(LIB_com_err) + +2005-04-28 Love Hörnquist Åstrand + + * lib/krb5/context.c (krb5_set_config_files): ignore permission + denied on configuration files, user might not be allowed to read + /var/heimdal/kdc.conf + +2005-04-26 Dave Love + + * lib/krb5/krb5_locl.h: define _POSIX_PTHREAD_SEMANTICS so we get + posix getpwnam_r + +2005-04-25 Love Hörnquist Åstrand + + * lib/asn1/gen_glue.c: switch the units variable to a + function. gcc-4.1 needs the size of the structure if its defined + as extern struct units foo_units[] an we don't want to include + in the generate headerfile + +2005-04-25 Love Hörnquist Åstrand + + * lib/hdb/hdb.schema: add EQUALITY rule for krb5ValidStart, + krb5ValidEnd, krb5PasswordEnd From Howard Chu + +2005-04-24 Love Hörnquist Åstrand + + * doc/whatis.texi: comment out docbook stuff for now + + * kuser/klist.c: use strlcpy + + * doc/ack.texi: we no longer use eay libdes, make acknowledgment + still be there, but claim that we no longer use it. Mark editline + to be a modified version as required by the license. 
+ + * lib/krb5/pkinit.c: use the unexported oid_to_enctype function + + * lib/krb5/crypto.c: unexport the oid_to_enctype function, not for + external consumers + + * kdc/Makefile.am: always add kaserver + + * lib/krb5/krb5_ccache.3: document krb5_cc_new_unique + + * lib/krb5/cache.c (krb5_cc_new_unique): new function to create a + new credential cache + + * kdc/headers.h: don't include kerberos 4 headers here + + * kdc/hpropd.c: include kerberos 4 headers here + + * kdc/connect.c: add kaserver support independ of having krb4 + support + + * kdc/config.c: add kaserver support unconditionally, make kdc + only fail to start when there are no v4 realm configured and + krb4/kaserver is turned on + + * kdc/kaserver.c: Use the new Kerberos 4 functions in libkrb5 and + so kaserver support is always compiled in (still default disabled) + + * lib/krb5/v4_glue.c: simplify error handling + + * doc/whatis.texi: add docbook version macro of @sub + + * doc/heimdal.texi: change the wrapping around the Top node to + ifnottex, make html generation work + + * lib/krb5/krb5_krbhst_init.3: spelling, from Björn Sandell + + + * lib/krb5/krb5_get_krbhst.3: spelling, from Björn Sandell + + + * lib/krb5/krb5_data.3: spelling, from Björn Sandell + + + * lib/krb5/krb5_aname_to_localname.3: spelling, from Björn Sandell + + + * lib/krb5/krb5_address.3: spelling, from Björn Sandell + + +2005-04-23 Love Hörnquist Åstrand + + * kdc/config.c: Use the new Kerberos 4 functions in libkrb5 and so + kerberos 4 is always compiled in (still default disabled) + + * kdc/kerberos4.c: Use the new Kerberos 4 functions in libkrb5 and + so kerberos 4 is always compiled in (still default disabled) + + * lib/krb5/krb5_locl.h: forward declaration of _krb5_krb_auth_data + + * lib/krb5/convert_creds.c: Move the kerberos v4 replacement + functions to v4_glue.c + + * lib/krb5/v4_glue.c: Implement enough of kerberos 4 protocol to + be a KDC, move the v4 bits over here + + * lib/krb5/krb5-v4compat.h: add more v4 defines 
+ +2005-04-22 Love Hörnquist Åstrand + + * kpasswd/kpasswdd.c: Support multi-realms databases, requires + that all the realms are configured on the KDC in krb5.conf with + [libdefaults]default_realm stanzas. + +2005-04-21 Love Hörnquist Åstrand + + * kdc/kerberos5.c: spell succeeded correctly, From Sean Chittenden + + * lib/krb5/addr_families.c: catch two more snprintf problems + +2005-04-20 Love Hörnquist Åstrand + + * lib/hdb/Makefile.am: this lib include com_err, add -com_err to + CHECK_SYMBOLS + + * appl/test/http_client.c: cast ssize_t to unsigned long, fix + printf format + +2005-04-19 Love Hörnquist Åstrand + + * lib/krb5/kuserok.c: use asprintf to avoid truncating pathnames + + * lib/krb5/get_host_realm.c: check return value of snprintf + + * lib/krb5/test_addr.c: check address truncation + + * lib/krb5/addr_families.c: check return values from snprintf and + clean up semantics of ret_len + + * lib/krb5/krb5_address.3: clarify what ret_len is in + krb5_print_address + + * lib/krb5/test_kuserok.c: add --version and --help + + * lib/krb5/kuserok.c: use getpwnamn_r if it exists + + * lib/krb5/Makefile.am: noinst_PROGRAMS += test_kuserok + + * lib/krb5/test_kuserok.c: test program for krb5_kuserok + +2005-04-18 Love Hörnquist Åstrand + + * lib/krb5/acache.c (acc_resolve): if open_default_ccache failed + with ccErrCCacheNotFound try again with create_default_ccache, + this fixes the problem where the security server apperenly haven't + started yet on Mac OS X + + * lib/krb5/get_default_principal.c + (_krb5_get_default_principal_local): add, for use of functions + that in ccache layer to avoid recursive calls. 
+ + * lib/hdb/hdb-ldap.c: drop , no longer use any of the is* + macros in this file + + * include/make_crypto.c: cast to unsigned char to make sure its + not negative when passing it to is* functions + +2005-04-15 Love Hörnquist Åstrand + + * doc/programming.texi: remove manpage macro, add some more + references to manpages + + * doc/heimdal.texi: define manpage macro + + * doc/setup.texi: document new password policy code + + * kpasswd/kpasswdd.c: add verifier libraries with + kadm5_add_passwd_quality_verifier + + * lib/krb5/krb5_keyblock.3: document krb5_keyblock_init + +2005-04-14 Love Hörnquist Åstrand + + * kdc/kaserver.c: AUTHENTICATE and AUTHENTICATE_V2 is almost the + same, and clients + (klog) can deal with that the kaserver returns the same thing for + both + + * lib/krb5/keyblock.c: Add krb5_keyblock_init to allocate an fill + in a keyblock from key data. + +2005-04-12 Love Hörnquist Åstrand + + * configure.in: rk_WIN32_EXPORT for roken + +2005-04-10 Love Hörnquist Åstrand + + * appl/test/gssapi_server.c: print out client principla of + delegated credential + +2005-04-07 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c (process_pa_data_to_key): also check + for KRB5_PADATA_PK_AS_REP_19, 
From: Douglas Engert + +2005-04-07 Love Hörnquist Åstrand + + * .cvsignore: ignore more generate files + +2005-04-04 Love Hörnquist Åstrand + + * lib/asn1/check-der.c: use size_t, print size_t by casting to + unsigned long + + * lib/krb5/test_crypto.c: print size_t by casting to unsigned long + + * lib/krb5/acache.c: Argument to create_new_ccache is a principal, + not a credential cache name. Clean up lossage related to this + problem. + + * lib/hdb/Makefile.am: CHECK_SYMBOLS += HDBFlags2int + + * lib/krb5/addr_families.c + (krb5_address_prefixlen_boundary,krb5_free_address): + use find_atype when we are dealing with a kerberos address type + + * lib/krb5/aes-test.c: size_t vs int + fix printf + + * lib/krb5/pkinit.c: Since the decode can't make out the diffrence + between PA-PK-AS-REP-19 and PA-PK-AS-REQ-Win2k, try harder to + verify both cases + +2005-04-03 Love Hörnquist Åstrand + + * appl/test/uu_client.c: print size_t by casting to unsigned long + +2005-04-01 Johan Danielsson + + * kdc/kerberos4.c (do_version4): check client and server max_life + + * kdc/kaserver.c (do_getticket): check client max_life + +2005-03-31 Love + + * lib/krb5/verify_krb5_conf.c: const poison + + * lib/krb5/test_alname.c: const poison + + * lib/asn1/main.c: const poison + + * lib/krb5/test_addr.c: test parse IPv6 RANGE addresses + + * lib/krb5/addr_families.c: implement mask boundary for IPv6 + + * lib/asn1/gen.c: avoid const string warnings steming from + writeable-string + +2005-03-28 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: TESTS += test_addr + + * lib/krb5/test_addr.c: simple test for addresses + + * lib/krb5/addr_families.c: make RANGE parse prefixlen style + addresses too, fix printing of RANGE addresses, add + krb5_address_prefixlen_boundary + + * lib/krb5/krb5_keytab.3: stop memory leak in example, expand on + wildcards + +2005-03-26 Love Hörnquist Åstrand + + * lib/krb5/krb5_principal.3: spelling, from Tomas Olsson + + * lib/krb5/krb5_warn.3: spelling, from Tomas 
Olsson + +2005-03-19 Love Hörnquist Åstrand + + * lib/krb5/acache.c: add mutex for global variables, clean up + returned error codes, implement storing addresses into the ccapi + + * appl/test/gssapi_server.c: free memory, make error strings match + + * appl/test/gssapi_server.c: use print_gss_name, print server name + too + + * appl/test/gss_common.h (print_gss_name): common code for + printing gss name + + * appl/test/gss_common.c (print_gss_name): common code for + printing gss name + + * appl/test/http_client.c: Make constent with rest of the gssapi + test programs + +2005-03-17 Love Hörnquist Åstrand + + * lib/hdb/keys.c: AES is enabled by default, remove ifdefs + + * lib/krb5/crypto.c: AES is enabled by default, remove ifdefs + + * lib/krb5/aes-test.c: use hex encoder from roken AES is enabled + by default, remove ifdefs + + * kdc/kerberos5.c: AES is enabled by default, remove ifdefs + +2005-03-16 Love Hörnquist Åstrand + + * doc/setup.texi: Add some text about modifying the database + +2005-03-15 Love Hörnquist Åstrand + + * kuser/kinit.c: widen lifetime/renewal warning text field, also + make use of unparse_time_approx, no need to be specific to the + second when ticket needs to be renewed or their lifetime. 
+ + * doc/heimdal.texi: copyright maintenance, drop eay, use updated + UCB license + + * lib/krb5/crypto.c: more static and unsigned issues + + * lib/krb5/crypto.c: fix signedness issues, prompted by report of + Magnus Ahltorp + +2005-03-13 Love Hörnquist Åstrand + + * lib/krb5/krb5_keytab.3: more text about how to free returned + resources + +2005-03-10 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: handle the -25 generation path + + * lib/krb5/pkinit.c: use KRB5_PADATA_PK_AS_REQ_19 + + * lib/krb5/pkinit.c: fold in pk-init-25 asn1 changes + +2005-03-09 Love Hörnquist Åstrand + + * kdc/pkinit.c: use generated oid's + + * lib/krb5/pkinit.c: use generated oid's + +2005-03-08 Love Hörnquist Åstrand + + * kdc/pkinit.c: update to the asn1 structures used in -25's + + * lib/krb5/pkinit.c: update to the asn1 structures used in -25's + +2005-03-04 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: use the newly written hex function from + roken and remove the old implementation + +2005-03-01 Love Hörnquist Åstrand + + * appl/test/http_client.c: allow specifing port to connect to + +2005-02-24 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: bump version to 21:0:4 + + * lib/hdb/Makefile.am: bump version to 8:0:1 + + * lib/asn1/Makefile.am: bump version to 7:0:1 + +2005-02-23 Love Hörnquist Åstrand + + * lib/krb5/crypto.c (DES_string_to_key_int): must check for weak + keys after doing the DES_cbc_cksum + +2005-02-19 Luke Howard + + * lib/krb5/krbhst.c: set KD_CONFIG after calling + config_get_hosts() in kpasswd_get_next() + From: Wynn Wilkes + +2005-02-15 Love Hörnquist Åstrand + + * lib/hdb/db3.c (DB_open): correct the check for O_RDONLY + 
From: Chaskiel M Grundman + +2005-02-09 Love Hörnquist Åstrand + + * lib/krb5/crypto.c (krb5_random_to_key): cast size_t to int to + make %d work + +2005-02-08 Love Hörnquist Åstrand + + * lib/krb5/keytab.c (krb5_kt_get_entry): tell what enctype the + caller requested to provide the user with a glue what the caller + was asking for. + +2005-02-05 Luke Howard + + * lib/krb5/kcm.c: add _krb5_kcm_is_running, _krb5_kcm_noop + + * kcm/acquire.c: don't leak salt if keyproc called multiple + times + + * kcm/config.c: allow KCM system ccache to be configured from + krb5.conf, in the system_ccache stanza of [kcm] + +2005-02-03 Love Hörnquist Åstrand + + * kcm/protocol.c: use -1 as the invalid pid number + + * kcm/connect.c: support SCM_CREDS (for NetBSD) + + * kcm/Makefile.am: LDADD += LIB_pidfile + + * kcm/connect.c: make it possible to build on systems without + SO_PEERCRED (still doesn't work) + + * kcm/config.c: cast argument to isdigit to unsigned char + + * lib/krb5/krb5.conf.5: document large_msg_size + + * lib/krb5/context.c (init_context_from_config_file): init + large_msg_size to 6000 + + * lib/krb5/krb5.h (krb5_context_data): add large_msg_size, + threshold where we start to use transport protocols without tiny + max data transport sizes. 
+ + * lib/krb5/kcm.h: drop prototypes, they all live in krb5-private.h + by now + +2005-02-02 Luke Howard + + * configure.in: generate kcm/Makefile + + * Makefile.am: recurse into kcm/ if KCM defined + + * kcm: add KCM daemon + +2005-02-02 Love Hörnquist Åstrand + + * lib/krb5/send_to_kdc.c (send_and_recv_udp): make private again + + * lib/krb5/kcm.c: use AF_UNIX like the rest of the codebase, add + some more error strings + +2005-02-02 Luke Howard + + * configure.in: add --enable-kcm option for Kerberos + Credentials Manager (KCM) + + * lib/krb5/Makefile.am: add kcm.c + + * lib/krb5/cache.c: use cc_retrieve_cred if present rather + than enumerating ccache + + * lib/krb5/context.c: register KCM cc_ops + + * lib/krb5/get_cred.c: pass all options to cc_retrieve_cred + + * lib/krb5/init_creds_pw.c: add krb5_get_init_creds_keyblock + + * lib/krb5/kcm.[ch]: add initial implementation of KCM + client library + + * lib/krb5/krb5.h: fix cc_retrieve prototype, add KCM cc_ops + + * lib/krb5/send_to_kdc.c: add _krb5_send_and_recv_tcp + + * lib/krb5/store.c: add krb5_store_creds_tag, krb5_ret_creds_tag + +2005-01-24 Luke Howard + + * lib/krb5/init_creds_pw.c: allow NULL in_options to be passed + krb5_get_init_creds_password() + + * kdc/kerberos5.c: don't crash when logging no server etype + support if client == NULL + +2005-01-17 Love Hörnquist Åstrand + + * kdc/kstash.c: s/random_key/random_key_flag/, From Dave Love + + +2005-01-12 Love Hörnquist Åstrand + + * doc/apps.texi: Texinfo fixes. Text about irix 6.5 using + PAM. 
From: Dave Love + +2005-01-08 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c: cast argument to isdigit to + unsigned char + + * lib/krb5/keytab_keyfile.c: cast argument to toupper to unsigned + char + + * lib/asn1/hash.c (hashcaseadd): cast argument to toupper to + unsigned char + + * appl/kf/kfd.c (kfd_match_version): cast argument to islower to + unsigned char + + * lib/krb5/krb5.3: drop krb5_{checksum,enctype}_is_disabled + + * lib/krb5/krb5_encrypt.3: drop krb5_enctype_is_disabled, more + text about krb5_enctype_valid + + * lib/krb5/krb5_create_checksum.3: drop + krb5_checksum_is_disabled + + * lib/krb5/crypto.c: drop krb5_{checksum,enctype}_isdisabled + + * lib/krb5/context.c: krb5_enctype_is_disabled is the same thing + as krb5_enctype_valid, so use the later since its older and the + api doesn't really need another entry point + + * lib/krb5/rd_req.c: krb5_enctype_is_disabled is the same thing as + krb5_enctype_valid, so use the later since its older and the api + doesn't really need another entry point + + * kdc/kerberos5.c: krb5_enctype_is_disabled is the same thing as + krb5_enctype_valid, so use the later since its older and the api + doesn't really need another entry point + +2005-01-05 Love Hörnquist Åstrand + + * kpasswd/kpasswdd.8: document --addresses, controls what + addresses kpasswd should listen too + + * kpasswd/kpasswdd.c: add --addresses, controls what addresses + kpasswd should listen too + + * lib/krb5/addr_families.c (krb5_parse_address): filter out dup + addresses from getaddrinfo + + * kpasswd/kpasswd.1: document -c + + * kpasswd/kpasswd.c: allow specifying a credential cache to use + for the admin principal + + * include/bits.c: constify to avoid warning with -Wwrite-string + + * NEWS: add 0.6.2 and 0.6.3 items + + * lib/krb5/krb5_keyblock.3: document krb5_generate_subkey_extended + + * lib/krb5/krb5_is_thread_safe.3: document function + + * lib/krb5/Makefile.am (man_MANS) += krb5_is_thread_safe.3 + + * lib/krb5/context.c 
(krb5_is_thread_safe): return TRUE is the + library was compiled with multithreading support. If not, + application must global lock the library, it it uses threads that + call kerberos functions at the same time. + +2005-01-05 Luke Howard + + * lib/krb5/auth_context.c: use krb5_generate_subkey_extended() + + * lib/krb5/appdefault.c: remove redundant KRB5_LIB_FUNCTION + + * lib/krb5/build_auth.c: support for enctype negotiation + (client sends EtypeList in Authenticator authz data) + + * lib/krb5/context.c: mutex should be destroyed last in + krb5_free_context() + + * lib/krb5/generate_subkey.c: add krb5_generate_subkey_extended(), + set *subkey to NULL if key geneartion fails + + * lib/krb5/krb5.h: add KRB5_KU_PA_SERVER_REFERRAL_DATA + + * lib/krb5/mk_req_ext.c: support ETYPE_ARCFOUR_HMAC_MD5_56 + + * lib/krb5/rd_req.c: support for enctype negotiation + (client sends EtypeList in Authenticator authz data) + +2005-01-04 Luke Howard + + * lib/asn1/k5.asn1: add authorization data types for enctype + negotiation implementation + +2005-01-04 Love Hörnquist Åstrand + + * lib/krb5/changepw.c (change_password_loop): on failing to find a + kdc, set result_code to KRB5_KPASSWD_HARDERROR + +2005-01-01 Love Hörnquist Åstrand + + * doc/heimdal.texi: Happy New Year + diff --git a/third_party/heimdal/ChangeLog.2006 b/third_party/heimdal/ChangeLog.2006 new file mode 100644 index 0000000..d48ea8a --- /dev/null +++ b/third_party/heimdal/ChangeLog.2006 
@@ -0,0 +1,2047 @@ +2006-12-28 Love Hörnquist Åstrand + + * kdc/process.c: Handle kx509 requests. + + * kdc/connect.c: Listen to 9878 if kca is turned on. + + * kdc/headers.h: Include . + + * kdc/config.c: code to parse [kdc]enable-kx509 + + * kdc/kdc.h: add enable_kx509 + + * kdc/Makefile.am: add kx509.c + + * kdc/kx509.c: Kx509server (external certificate genration). + + * lib/krb5/ticket.c: add krb5_ticket_get_endtime + + * lib/krb5/krb5_ticket.3: Document krb5_ticket_get_endtime + + * kdc/digest.c: Remove , its already included in + headers.h + + * kdc/digest.c: Return session key for the NTLMv2 case too + + * lib/krb5/digest.c (krb5_ntlm_rep_get_sessionkey): return value + is krb5_error_code + +2006-12-27 Love Hörnquist Åstrand + + * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): use md5 for + des-cbc-md4 and des-cbc-md5. This is for (older) windows that + will be unhappy anything else. From Inna Bort-Shatsky + +2006-12-26 Love Hörnquist Åstrand + + * kdc/digest.c: Prefix internal symbol with _kdc_. + + * kdc/kdc.h: add digests_allowed + + * kdc/digest.c: return NTLM2 targetinfo structure. + + * lib/krb5/digest.c: Add krb5_ntlm_init_get_targetinfo. + + * kdc/config.c: Parse digest acl's + + * kdc/kdc_locl.h: forward decl; + + * kdc/digest.c: Add digest acl's + +2006-12-22 Love Hörnquist Åstrand + + * fix-export: build ntlm-private.h + +2006-12-20 Love Hörnquist Åstrand + + * include/make_crypto.c: Include <.../hmac.h>. + + * kdc/digest.c: reorder to show slot here ntlmv2 code will be + placed. + + * kdc/digest.c: Announce that we support key exchange and add bits + to detect when it wasn't used. + + * kdc/digest.c: Add support for generating NTLM2 session security + answer. + +2006-12-19 Love Hörnquist Åstrand + + * lib/krb5/digest.c: Add sessionkey accessor functions. + +2006-12-18 Love Hörnquist Åstrand + + * kdc/digest.c: Unwrap the NTLM session key and return it to the + server. 
+ +2006-12-17 Love Hörnquist Åstrand + + * lib/krb5/store.c (krb5_ret_principal): Fix a bug in the malloc + failure part, noticed by Arnaud Lacombe in NetBSD coverity scan. + +2006-12-15 Love Hörnquist Åstrand + + * lib/krb5/fcache.c (fcc_get_cache_next): avoid const warning. + + * kdc/digest.c: Support NTLM verification, note that the KDC does + no NTLM packet parsing, its all done by the client side, the KDC + just calculate and verify the digest and return the result to the + service. + + * kuser/kdigest.c: add ntlm-server-init + + * kuser/Makefile.am: kdigest depends on libheimntlm.la + + * kdc/headers.h: Include . + + * kdc/Makefile.am: libkdc needs libheimntlm.la + + * autogen.sh: just run autoreconf -i -f + + * lib/Makefile.am: hook in ntlm + + * configure.in (AC_CONFIG_FILES): add lib/ntlm/Makefile + + * lib/krb5/digest.c: API to authenticate ntlm requests. + + * lib/krb5/fcache.c: Support "iteration" of file credential caches + by giving the user back the default file credential cache and only + that. + + * lib/krb5/krb5_locl.h: Expand the default root for some of the cc + type names. + +2006-12-14 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c (free_paid): free the krb5_data + structure too. Bug report from Stefan Metzmacher. + +2006-12-12 Love Hörnquist Åstrand + + * kuser/kinit.c: Read the appdefault configration before we try to + use the flags. Bug reported by Ingemar Nilsson. + + * kuser/kdigest.c: prefix digest commands with digest_ + + * kuser/kdigest-commands.in: prefix digest commands with digest- + +2006-12-10 Love Hörnquist Åstrand + + * kdc/hprop.c: Return error codes on failure, improve error + reporting. 
+ +2006-12-08 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: sprinkle more _krb5_pk_copy_error + + * lib/krb5/pkinit.c: Copy more hx509 error strings to krb5 error + strings + +2006-12-07 Love Hörnquist Åstrand + + * include/Makefile.am: CLEANFILES += vis.h + +2006-12-06 Love Hörnquist Åstrand + + * kdc/kerberos5.c (_kdc_as_rep): add AD-INITAL-VERIFIED-CAS to the + encrypted ticket + + * kdc/pkinit.c (_kdc_add_inital_verified_cas): new function, adds + an empty (for now) AD_INITIAL_VERIFIED_CAS to tell the clients + that we vouches for the CA. + + * kdc/kerberos5.c (_kdc_tkt_add_if_relevant_ad): new function. + + * lib/Makefile.am: Make the directories test automake conditional + so automake can include directories in make dist step. + + * kdc/pkinit.c (_kdc_pk_rd_padata): leak less memory for + ExternalPrincipalIdentifiers + + * kdc/pkinit.c: Parse and use PA-PK-AS-REQ.trustedCertifiers + + * kdc/pkinit.c: Add comment that the anchors in the signed data + really should be the trust anchors of the client. + + * kuser/generate-requests.c: Use strcspn to remove \n from + string returned by fgets. From Björn Sandell + + * kpasswd/kpasswd-generator.c: Use strcspn to remove \n from + string returned by fgets. From Björn Sandell + +2006-12-05 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: Clear errno before calling the strtol + functions. From Paul Stoeber to OpenBSD by Ray Lai and Björn + Sandell. + + * lib/krb5/config_file.c: Use strcspn to remove \n from fgets + result. Prompted by change by Ray Lai of OpenBSD via Björn + Sandell. + + * kdc/string2key.c: Use strcspn to remove \n from fgets + result. Prompted by change by Ray Lai of OpenBSD via Björn + Sandell. + +2006-11-30 Love Hörnquist Åstrand + + * lib/krb5/krbhst.c (plugin_get_hosts): be more paranoid and pass + in a NULLed plugin list + +2006-11-29 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c: add more pkinit options. 
+ + * lib/krb5/pkinit.c: Store what PK-INIT type we used to know reply + to expect, this avoids overwriting the real PK-INIT error from + just a failed requeat with a Windows PK-INIT error (that always + failes). + + * kdc/Makefile.am: Add LIB_pkinit to pacify AIX + + * lib/hdb/Makefile.am: Add LIB_com_err to pacify AIX + +2006-11-28 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: Make build again from the hdb_entry + wrapping. Patch from Andreas Hasenack. + + * kdc/pkinit.c: Need better code in the DH parameter rejection + case, add comment to that effect. + +2006-11-27 Love Hörnquist Åstrand + + * kdc/krb5tgs.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG for too large + packets when using datagram based transports. + + * kdc/process.c: Pass down datagram_reply to _kdc_tgs_rep. + + * lib/krb5/pkinit.c (build_auth_pack): set supportedCMSTypes. + +2006-11-26 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Pass down hx509_peer_info. + + * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and + pass in into hx509_cms_create_signed_1 via hx509_peer_info blob. + + * kdc/pkinit.c (_kdc_pk_rd_padata): Pick up supportedCMSTypes and + pass in into hx509_cms_create_signed_1 via hx509_peer_info blob. + +2006-11-24 Love Hörnquist Åstrand + + * lib/krb5/send_to_kdc.c: Set the large_msg_size to 1400, lets not + fragment packets and avoid stupid linklayers that doesn't allow + fragmented packets (unix dgram sockets on Mac OS X) + +2006-11-23 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (_krb5_pk_create_sign): stuff down the users + certs in the pool to make sure a path is returned, without this + proxy certificates wont work. + +2006-11-21 Love Hörnquist Åstrand + + * kdc/config.c: Make all pkinit options prefixed with pkinit_ + + * lib/krb5/log.c (krb5_get_warn_dest): return warn_dest from + krb5_context + + * lib/krb5/krb5_warn.3: document krb5_[gs]et_warn_dest + + * lib/krb5/krb5.h: Drop KRB5_KU_TGS_IMPERSONATE. 
+ + * kdc/krb5tgs.c: Use KRB5_KU_OTHER_CKSUM for the impersonate + checksum. + + * lib/krb5/get_cred.c: Use KRB5_KU_OTHER_CKSUM for the impersonate + checksum. + +2006-11-20 Love Hörnquist Åstrand + + * lib/krb5/verify_user.c: Make krb5_get_init_creds_opt_free take a + context argument. + + * lib/krb5/krb5_get_init_creds.3: Make + krb5_get_init_creds_opt_free take a context argument. + + * lib/krb5/init_creds_pw.c: Make krb5_get_init_creds_opt_free take + a context argument. + + * kuser/kinit.c: Make krb5_get_init_creds_opt_free take a context + argument. + + * kpasswd/kpasswd.c: Make krb5_get_init_creds_opt_free take a + context argument. + + * kpasswd/kpasswd-generator.c: Make krb5_get_init_creds_opt_free + take a context argument. + + * kdc/hprop.c: Make krb5_get_init_creds_opt_free take a context + argument. + + * lib/krb5/init_creds.c: Make krb5_get_init_creds_opt_free take a + context argument. + + * appl/gssmask/gssmask.c: Make krb5_get_init_creds_opt_free take a + context argument. + +2006-11-19 Love Hörnquist Åstrand + + * doc/setup.texi: fix pkinit option (s/-/_/) + + * kdc/config.c: revert the enable-pkinit change, and make it + consistant with all other other enable- options + +2006-11-17 Love Hörnquist Åstrand + + * doc/setup.texi: Make all pkinit options prefixed with pkinit_ + + * kdc/config.c: Make all pkinit options prefixed with pkinit_ + + * kdc/pkinit.c: Make app pkinit options prefixed with pkinit_ + + * lib/krb5/pkinit.c: Make app pkinit options prefixed with pkinit_ + + * lib/krb5/mit_glue.c (krb5_c_keylengths): make compile again. + + * lib/krb5/mit_glue.c (krb5_c_keylengths): rename. + + * lib/krb5/mit_glue.c (krb5_c_keylength): mit changed the api, + deal. + +2006-11-13 Love Hörnquist Åstrand + + * lib/krb5/pac.c (fill_zeros): stop using MIN. + + * kuser/kinit.c: Forward decl + + * lib/krb5/test_plugin.c: Use NOTHERE.H5L.SE. + + * lib/krb5/krbhst.c: Fill in hints for picky getaddrinfo()s. 
+ + * lib/krb5/test_plugin.c: Set sin_len if it exists. + + * lib/krb5/krbhst.c: Use plugin for the other realm locate types + too. + +2006-11-12 Love Hörnquist Åstrand + + * lib/krb5/krb5_locl.h: Add plugin api + + * lib/krb5/Makefile.am: Add plugin api. + + * lib/krb5/krbhst.c: Use the resolve plugin interface. + + * lib/krb5/locate_plugin.h: Add plugin interface for resolving + that is API compatible with MITs version. + + * lib/krb5/plugin.c: Add first version of the plugin interface. + + * lib/krb5/test_pac.c: Test signing. + + * lib/krb5/pac.c: Add code to sign PACs, only arcfour for now. + + * lib/krb5/krb5.h: Add struct krb5_pac. + +2006-11-09 Love Hörnquist Åstrand + + * lib/krb5/test_pac.c: PAC testing. + + * lib/krb5/pac.c: Sprinkle error strings. + + * lib/krb5/pac.c: Verify LOGON_NAME. + + * kdc/pkinit.c (_kdc_pk_check_client): drop client_princ as an + argument + + * kdc/kerberos5.c (_kdc_as_rep): drop client_princ from + _kdc_pk_check_client since its not valid in canonicalize case + + * lib/krb5/krb5_c_make_checksum.3: Document krb5_c_keylength. + + * lib/krb5/mit_glue.c: Add krb5_c_keylength. + +2006-11-08 Love Hörnquist Åstrand + + * lib/krb5/pac.c: Almost enough code to do PAC parsing and + verification, missing in the unix2NTTIME and ucs2 corner. The + later will be adressed by finally adding libwind. + + * lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew + + * kdc/hpropd.c: Remove support dumping to a kerberos 4 database. + +2006-11-07 Love Hörnquist Åstrand + + * lib/krb5/context.c: rename krb5_[gs]et_time_wrap to + krb5_[gs]et_max_time_skew + + * kdc/pkinit.c: Catch error string from hx509_cms_verify_signed. + Check for id-pKKdcEkuOID and warn if its not there. + + * lib/krb5/rd_req.c: Add more krb5_rd_req_out_get functions. + +2006-11-06 Love Hörnquist Åstrand + + * lib/krb5/krb5.h: krb5_rd_req{,_in,_out}_ctx. 
+ + * lib/krb5/rd_req.c (krb5_rd_req_ctx): Add context all singing-all + dancing version of the krb5_rd_req and implement krb5_rd_req and + krb5_rd_req_with_keyblock using it. + +2006-11-04 Love Hörnquist Åstrand + + * kdc/kerberos5.c (_kdc_as_rep): More verbose time skew logging. + +2006-11-03 Love Hörnquist Åstrand + + * lib/krb5/expand_hostname.c: Rename various routines and + constants from canonize to canonicalize. From Andrew Bartlett + + * lib/krb5/context.c: Add krb5_[gs]et_time_wrap + + * lib/krb5/krb5_locl.h: Rename various routines and constants from + canonize to canonicalize. From Andrew Bartlett + + * appl/gssmask/common.c (add_list): fix alloc statement. + From Alex Deiter + +2006-10-25 Love Hörnquist Åstrand + + * include/Makefile.am: Move version.h and version.h.in to + DISTCLEANFILES. + +2006-10-24 Love Hörnquist Åstrand + + * appl/gssmask/gssmask.c: Only log when there are resources left. + + * appl/gssmask/gssmask.c: make compile + + * appl/gssmask/gssmask.c (AcquireCreds): free + krb5_get_init_creds_opt + +2006-10-23 Love Hörnquist Åstrand + + * configure.in: heimdal 0.8-RC1 + +2006-10-22 Love Hörnquist Åstrand + + * lib/krb5/digest.c: Try to not leak memory. + + * kdc/digest.c: Try to not leak memory. + + * Makefile.am: remove valgrind target, it doesn't belong here. + + * kuser/kinit.c: Try to not leak memory. + + * kuser/kgetcred.c: Try to not leak memory. + + * kdc/krb5tgs.c (check_KRB5SignedPath): free KRB5SignedPath on + successful completion too, not just the error cases. + + * fix-export: Make make fix-export less verbose. + + * kuser/kgetcred.c: Try to not leak memory. + + * lib/hdb/keys.c (hdb_generate_key_set): free list of enctype when + done. + + * lib/krb5/crypto.c: Allocate the memory we later use. + + * lib/krb5/test_princ.c: Try to not leak memory. + + * lib/krb5/test_crypto_wrapping.c: Try to not leak memory. + + * lib/krb5/test_cc.c: Try to not leak memory. + + * lib/krb5/addr_families.c (arange_free): Try to not leak memory. 
+ + * lib/krb5/crypto.c (AES_string_to_key): Try to not leak memory. + +2006-10-21 Love Hörnquist Åstrand + + * tools/heimdal-build.sh: Add --test-environment + + * tools/heimdal-build.sh: Add --ccache-dir + + * lib/hdb/Makefile.am: remove dependency on et files covert_db + that now is removed + +2006-10-20 Love Hörnquist Åstrand + + * include/Makefile.am: add gssapi to subdirs + + * lib/hdb/hdb-ldap.c: Make compile. + + * configure.in: add include/gssapi/Makefile. + + * include/Makefile.am: clean more files + + * include/make_crypto.c: Avoid creating a file called --version. + + * include/bits.c: Avoid creating a file called --version. + + * appl/test/Makefile.am: add nt_gss_common.h + + * doc/Makefile.am: Disable TEXI2DVI for now. + + * tools/Makefile.am: more files + + * lib/krb5/context.c (krb5_free_context): free send_to_kdc context + + * doc/heimdal.texi: Put Heimdal in the dircategory Security. + + * lib/krb5/send_to_kdc.c: Add sent_to_kdc hook, from Andrew + Bartlet. + + * lib/krb5/krb5_locl.h: Add send_to_kdc hook. + + * lib/krb5/krb5.h: Add krb5_send_to_kdc_func prototype. + + * kcm/Makefile.am: more files + + * kdc/Makefile.am: more files + + * lib/hdb/Makefile.am: more files + + * lib/krb5/Makefile.am: add more files + +2006-10-19 Love Hörnquist Åstrand + + * tools/Makefile.am: Add heimdal-build.sh to EXTRA_DIST. + + * configure.in: Don't check for timegm, libroken provides it for + us. + + * lib/krb5/acache.c: Does function typecasts instead of void * + type-casts. + + * lib/krb5/krb5.h: Remove bonus , that Love sneeked in. + + * configure.in: make --disable-pk-init help text also negative + +2006-10-18 Love Hörnquist Åstrand + + * kuser/kgetcred.c: Avoid memory leak. + + * tools/heimdal-build.sh: Add more verbose logging, add version of + script and heimdal to the mail. + + * lib/hdb/db3.c: Wrap function call pointer calls in (*func) to + avoid macros rewriting open and close. + + * lib/krb5/Makefile.am: Add test_princ. 
+ + * lib/krb5/principal.c: More error strings, handle realm-less + printing. + + * lib/krb5/test_princ.c: Test principal parsing and unparsing. + +2006-10-17 Love Hörnquist Åstrand + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): make sure we + don't recurse + + * lib/krb5/get_host_realm.c (krb5_get_host_realm): no components + -> no dns. no mapping, try local realm and hope KDC knows better. + + * lib/krb5/krb5.h: Add flags for krb5_unparse_name_flags + + * lib/krb5/krb5_principal.3: Document + krb5_unparse_name{_fixed,}_flags. + + * lib/krb5/principal.c: Add krb5_unparse_name_flags and + krb5_unparse_name_fixed_flags. + + * lib/krb5/krb5_principal.3: Document krb5_parse_name_flags. + + * lib/krb5/principal.c: Add krb5_parse_name_flags. + + * lib/krb5/principal.c: Add krb5_parse_name_flags. + + * lib/krb5/krb5.h: Add krb5_parse_name_flags flags. + + * lib/krb5/krb5_locl.h: Hide krb5_context_data from public + exposure. + + * lib/krb5/krb5.h: Hide krb5_context_data from public exposure. + + * kuser/klist.c: Use krb5_get_kdc_sec_offset. + + * lib/krb5/context.c: Document krb5_get_kdc_sec_offset() + + * lib/krb5/krb5_init_context.3: Add krb5_get_kdc_sec_offset() + + * lib/krb5/krb5_init_context.3: Add krb5_set_dns_canonize_hostname + and krb5_get_dns_canonize_hostname + + * lib/krb5/verify_krb5_conf.c: + add [libdefaults]dns_canonize_hostname + + * lib/krb5/expand_hostname.c: use dns_canonize_hostname to + determin if we should talk to dns to find the canonical name of + the host. + + * lib/krb5/krb5.h (krb5_context): add dns_canonize_hostname. + + * tools/heimdal-build.sh: Set status. + + * appl/gssmask/gssmask.c: handle more bits + + * kdc/kerberos5.c: Prefix asn1 primitives with der_. + +2006-10-16 Love Hörnquist Åstrand + + * fix-export: Build lib/asn1/der-protos.h. + +2006-10-14 Love Hörnquist Åstrand + + * appl/gssmask/Makefile.am: Add explit depenency on libroken. + + * kdc/krb5tgs.c: Prefix der primitives with der_. 
+ + * kdc/pkinit.c: Prefix der primitives with der_. + + * lib/hdb/ext.c: Prefix der primitives with der_. + + * lib/hdb/ext.c: Prefix der primitives with der_. + + * lib/krb5/crypto.c: Remove workaround from when there wasn't + always aes. + + * lib/krb5/ticket.c: Prefix der primitives with der_. + + * lib/krb5/digest.c: Prefix der primitives with der_. + + * lib/krb5/crypto.c: Prefix der primitives with der_. + + * lib/krb5/data.c: Prefix der primitives with der_. + +2006-10-12 Love Hörnquist Åstrand + + * kdc/pkinit.c (pk_mk_pa_reply_enckey): add missing break. From + Olga Kornievskaia. + + * kdc/kdc.8: document max-kdc-datagram-reply-length + + * include/bits.c: Include Xint64 types. + +2006-10-10 Love Hörnquist Åstrand + + * tools/heimdal-build.sh: Add socketwrapper and cputime limit. + + * kdc/connect.c (loop): Log that the kdc have started. + +2006-10-09 Love Hörnquist Åstrand + + * kdc/connect.c (do_request): tell krb5_kdc_process_request if its + a datagram reply or not + + * kdc/kerberos5.c: Reply KRB5KRB_ERR_RESPONSE_TOO_BIG error if its + a datagram reply and the datagram reply length limit is reached. + + * kdc/process.c: Rename krb5_kdc_process_generic_request to + krb5_kdc_process_request Add datagram_reply argument. + + * kdc/config.c: check for [kdc]max-kdc-datagram-reply-length + + * kdc/kdc.h (krb5_kdc_config): Add max_datagram_reply_length. + + * lib/hdb/keytab.c: Change || to |, From metze. + + * lib/hdb/keytab.c: Add back :file to sample format. + + * lib/hdb/keytab.c: Add more HDB_F flags to hdb_fetch. Pointed out + by Andrew Bartlet. + + * kdc/krb5tgs.c (tgs_parse_request): set cusec, not csec from + auth->cusec. + +2006-10-08 Love Hörnquist Åstrand + + * fix-export: dist_-ify libkadm5clnt_la_SOURCES too + + * doc/heimdal.texi: Update (c) years. + + * appl/gssmask/protocol.h: Clarify protocol. + + * kdc/hpropd.c: Adapt to signature change of + _krb5_principalname2krb5_principal. 
+ + * kdc/kerberos4.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * kdc/connect.c (handle_vanilla_tcp): shorten length when we + shorten the buffer, this matter im the PK-INIT encKey case where a + checksum is done over the whole packet. Reported by Olga + Kornievskaia + +2006-10-07 Love Hörnquist Åstrand + + * include/Makefile.am: crypto-headers.h is a nodist header + + * lib/krb5/aes-test.c: Make argument to PKCS5_PBKDF2_HMAC_SHA1 + unsigned char to make OpenSSL happy. + + * appl/kf/Makefile.am: Add man_MANS to EXTRA_DIST + + * kuser/Makefile.am: split build files into dist_ and noinst_ + SOURCES + + * lib/hdb/Makefile.am: split build files into dist_ and noinst_ + SOURCES + + * lib/krb5/Makefile.am: split build files into dist_ and noinst_ + SOURCES + + * kdc/kerberos5.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + +2006-10-06 Love Hörnquist Åstrand + + * lib/krb5/krbhst.c (common_init): don't try DNS when there is + realm w/o a dot. + + * kdc/524.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * kdc/krb5tgs.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * lib/krb5/get_in_tkt.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * lib/krb5/rd_cred.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * lib/krb5/rd_req.c: Adapt to signature change of + _krb5_principalname2krb5_principal. + + * lib/krb5/asn1_glue.c (_krb5_principalname2krb5_principal): add + krb5_context to signature. + + * kdc/524.c (_krb5_principalname2krb5_principal): adapt to + signature change + + * lib/hdb/keytab.c (hdb_get_entry): close and destroy the database + later, the hdb_entry_ex might still contain links to the database + that it expects to use. + + * kdc/digest.c: Make digest argument o MD5_final unsigned char to + help OpenSSL. + + * kuser/kdigest.c: Make digest argument o MD5_final unsigned char + to help OpenSSL. 
+ + * appl/gssmask/common.h: Maybe include . + +2006-10-05 Love Hörnquist Åstrand + + * appl/gssmask/common.h: disable ENABLE_PTHREAD_SUPPORT and + explain why + + * tools/heimdal-build.sh: Another mail header. + + * tools/heimdal-build.sh: small fixes + + * fix-export: More liberal parsing of AC_INIT + + * tools/heimdal-build.sh: first cut + +2006-10-04 Love Hörnquist Åstrand + + * configure.in: Call AB_INIT. + + * kuser/kinit.c: Add flag --pk-use-enckey. + + * kdc/pkinit.c: Sign the request in the encKey case. Bug reported + by Olga Kornievskaia of Umich. + + * lib/krb5/Makefile.am: man_MANS += krb5_digest.3 + + * lib/krb5/krb5_digest.3: Add all protos + +2006-10-03 Love Hörnquist Åstrand + + * lib/krb5/krb5_digest.3: Basic krb5_digest manpage. + +2006-10-02 Love Hörnquist Åstrand + + * fix-export: build gssapi mech private files + + * lib/krb5/init_creds_pw.c: minimize layering and remove + krb5_kdc_flags + + * lib/krb5/get_in_tkt.c: Always use the kdc_flags in the right bit + order. + + * lib/krb5/init_creds_pw.c: Always use the kdc_flags in the right + bit order. + + * kuser/kdigest.c: Don't require --kerberos-realm. + + * lib/krb5/digest.c (digest_request): if NULL is passed in as + realm, use default realm. + + * fix-export: build gssapi mech private files + +2006-09-26 Love Hörnquist Åstrand + + * appl/gssmask/gssmaestro.c: Handle FIRST_CALL in the context + building, better error handling. + + * appl/gssmask/gssmaestro.c: switch from wrap/unwrap to + encrypt/decrypt + + * appl/gssmask/gssmask.c: Don't announce spn if there is none. + + * appl/gssmask/gssmaestro.c: Check that the pre-wrapped data is + the same as afterward. + +2006-09-25 Love Hörnquist Åstrand + + * appl/gssmask/gssmaestro.c: Remove stray GSS_C_DCE_STYLE. + + * appl/gssmask/gssmaestro.c: Add logsocket support. + +2006-09-22 Love Hörnquist Åstrand + + * appl/gssmask/gssmaestro.c (build_context): print the step the + context exchange. 
+ +2006-09-21 Love Hörnquist Åstrand + + * appl/gssmask/gssmaestro.c: Add GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG + to all context flags + + * appl/gssmask/gssmaestro.c: Add wrap and mic tests for all + elements + + * appl/gssmask/gssmask.c: Add mic tests + + * appl/gssmask/gssmaestro.c: dont exit early then when context + is half built. + + * lib/krb5/rd_req.c: disable ETypeList parsing usage for now, cfx + seems broken and its not good to upgrade to a broken enctype. + +2006-09-20 Love Hörnquist Åstrand + + * appl/gssmask/gssmask.c: Add wrap/unwrap ops + + * appl/gssmask/protocol.h: Add eGetVersionAndCapabilities flags + + * appl/gssmask/common.c: Add permutate_all (and support + functions). + + * appl/gssmask/common.h: Add permutate_all + + * appl/gssmask/gssmask.c: use new flags, return moniker + + * appl/gssmask/gssmaestro.c: test self context building and all + permutation of clients + +2006-09-19 Love Hörnquist Åstrand + + * appl/gssmask/gssmask.c: add --logfile option, use htons() on + port number + + * appl/gssmask/gssmaestro.c: Log port in connection message. + + * configure.in: Make pk-init turned on by default. + +2006-09-18 Love Hörnquist Åstrand + + * fix-export: Build lib/hx509/{hx509-protos.h,hx509-private.h}. + + * kuser/Makefile.am: Add tool for printing tickets. + + * kuser/kimpersonate.1: Add tool for printing tickets. + + * kuser/kimpersonate.c: Add tool for printing tickets. + + * kdc/krb5tgs.c: Check the adtkt in the constrained delegation + case too. + +2006-09-16 Love Hörnquist Åstrand + + * kdc/main.c (sigterm): don't _exit, let loop() catch the signal + instead. + + * lib/krb5/krb5_timeofday.3: Fixes from Björn Sandell. + + * lib/krb5/krb5_get_init_creds.3: Fixes from Björn Sandell. + +2006-09-15 Love Hörnquist Åstrand + + * tools/krb5-config.in: Add "kafs" option. + +2006-09-12 Love Hörnquist Åstrand + + * lib/hdb/db.c: By using full function calling conversion (*func) + we avoid problem when close(fd) is overridden using a macro. 
+ + * lib/krb5/cache.c: By using full function calling + conversion (*func) we avoid problem when close(fd) is overridden + using a macro. + +2006-09-11 Love Hörnquist Åstrand + + * kdc/kerberos5.c: Signing outgoing tickets. + + * kdc/krb5tgs.c: Add signing and checking of tickets to s4u2self + works securely. + + * lib/krb5/pkinit.c: Adapt to new signature of + hx509_cms_unenvelope. + +2006-09-09 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (pk_verify_host): set errorstrings in a + sensable way + +2006-09-08 Love Hörnquist Åstrand + + * lib/krb5/krb5_init_context.3: Prevent a font generation warning, + from Jason McIntyre. + +2006-09-06 Love Hörnquist Åstrand + + * lib/krb5/context.c (krb5_init_ets): Add the hx errortable + + * lib/krb5/krb5_locl.h: Include hx509_err.h. + + * lib/krb5/pkinit.c (_krb5_pk_verify_sign): catch the error string + from the hx509 lib + +2006-09-04 Love Hörnquist Åstrand + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags): + fix argument to krb5_get_init_creds_opt_set_addressless. + + * lib/krb5/init_creds_pw.c (init_cred_loop): try to catch the + error when we actually have an error to catch. + + * lib/krb5/init_creds_pw.c: Remove debug printfs. + + * kuser/kinit.c: Remove debug printf + + * lib/krb5/krb5_get_init_creds.3: Document + krb5_get_init_creds_opt_set_addressless. + + * kuser/kinit.c: Use new function + krb5_get_init_creds_opt_set_addressless. + + * lib/krb5/krb5_locl.h: use new addressless, convert pa-pac option + to use the same tri-state option as the new addressless option. + + * lib/krb5/init_creds_pw.c: use new addressless, convert pa-pac + option to use the same tri-state option as the new addressless + option. + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_addressless): + used to control the address-lessness of the initial tickets + instead of passing in the empty set of address into + krb5_get_init_creds_opt_set_addresses. 
+ +2006-09-01 Love Hörnquist Åstrand + + * kuser/kinit.c (renew_validate): inherit the proxiable and + forwardable from the orignal ticket, pointed out by Bernard + Antoine of CERN. + + * doc/setup.texi: More text about the acl_file entry and + hdb-ldap-structural-object. From Rüdiger Ranft. + + * lib/krb5/krbhst.c (fallback_get_hosts): limit the fallback + lookups to 5. Patch from Wesley Craig, umich.edu + + * configure.in: Add special tests for , include test + for sys/param.h and sys/types.h + + * appl/test/tcp_server.c (proto): use keytab for krb5_recvauth + Patch from Ingemar Nilsson + +2006-08-28 Love Hörnquist Åstrand + + * kuser/kdigest.c (help): use sl_slc_help(). + + * kdc/digest.c: Catch more error, add SASL DIGEST MD5. + + * lib/krb5/digest.c: Catch more error. + +2006-08-25 Love Hörnquist Åstrand + + * doc/setup.texi: language. + + * doc/heimdal.texi: Add last updated text. + + * doc/heimdal.css: make box around heimdal title + + * doc/heimdal.css: Inital Heimdal css for the info manual + + * lib/krb5/digest.c: In the case where we get a DigestError back, + save the error string and code. + +2006-08-24 Love Hörnquist Åstrand + + * kdc/kerberos5.c: Remove _kdc_find_etype(), its no longer used. + + * kdc/digest.c: Remove local error label and have just one exit + label, set error strings properly. + + * kdc/digest.c: Simply the disabled-service case. Check the + allow-digest flag in the HDB entry for the client. + + * kdc/process.c (krb5_kdc_process_generic_request): check if we + got a digest request and process it. + + * kdc/main.c: Register hdb keytab operations. + + * kdc/kdc.8: document [kdc]enable-digest=boolean + + * kdc/Makefile.am: add digest to libkdc + + * kdc/digest.c: Make a return a goto to avoid freeing un-inited + memory in cleanup code. + + * kdc/default_config.c (krb5_kdc_default_config): default to all + bits set to zero. + + * kdc/kdc.h (krb5_kdc_configuration): Add enable_digest + + * kdc/headers.h: Include . 
+ + * lib/krb5/context.c (krb5_kerberos_enctypes): new function, + returns the list of Kerberos encryption types sorted in order of + most preferred to least preferred encryption type. + + * kdc/misc.c (_kdc_get_preferred_key): new function, Use the order + list of preferred encryption types and sort the available keys and + return the most preferred key. + + * kdc/krb5tgs.c: Adapt to the new sigature of _kdc_find_keys(). + + * kdc/kerberos5.c: Handle session key etype separately from the + tgt etype, now the krbtgt can be a aes-only key without the need + to support not-as-good etypes for the krbtgt. + +2006-08-23 Love Hörnquist Åstrand + + * kdc/misc.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/krb5tgs.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/kerberos5.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/kerberos4.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/kaserver.c: Change _kdc_db_fetch() to return the database + pointer to if needed by the consumer. + + * kdc/524.c: Change _kdc_db_fetch() to return the database pointer + to if needed by the consumer. + + * kuser/kdigest-commands.in: Add --kerberos-realm, add client + request command. + + * lib/krb5/Makefile.am: digest.c + + * lib/krb5/krb5.h: Add digest glue. + + * lib/krb5/digest.c (krb5_digest_set_authentication_user): use + krb5_principal + + * lib/krb5/digest.c: Add digest support to the client side. 
+ +2006-08-21 Love Hörnquist Åstrand + + * lib/krb5/rd_rep.c (krb5_rd_rep): free krb5_ap_rep_enc_part on + error and set return pointer to NULL + (krb5_free_ap_rep_enc_part): permit freeing of NULL + +2006-08-18 Love Hörnquist Åstrand + + * kdc/{Makefile.am,kdigest.c,kdigest-commands.in}: + Frontend for remote digest service in KDC + + * lib/krb5/krb5_storage.3: Document krb5_{ret,store}_stringnl + functions. + + * lib/krb5/store.c: Add krb5_{ret,store}_stringnl functions, + stores/retrieves a \n terminated string. + + * lib/krb5/krb5_locl.h: Default to address-less tickets. + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): clear + error string on error. + +2006-07-20 Love Hörnquist Åstrand + + * lib/krb5/crypto.c: remove aes-192 (CMS) + + * lib/krb5/crypto.c: Remove more CMS bits. + + * lib/krb5/crypto.c: Remove CMS symmetric encryption support. + +2006-07-13 Love Hörnquist Åstrand + + * kdc/pkinit.c (_kdc_pk_check_client): make it not crash when + there are no acl + + * kdc/pkinit.c (_kdc_pk_check_client): use the acl in the kerberos + database + + * lib/hdb/hdb.asn1: Rename HDB-Ext-PKINIT-certificate to + HDB-Ext-PKINIT-hash. Add trust anchor to HDB-Ext-PKINIT-acl. + + * lib/hdb/Makefile.am: rename asn1_HDB_Ext_PKINIT_certificate to + asn1_HDB_Ext_PKINIT_hash + + * lib/hdb/ext.c: Add hdb_entry_get_pkinit_hash(). + +2006-07-10 Love Hörnquist Åstrand + + * kuser/kinit.c: If --password-file gets STDIN, read the password + from the standard input. + + * kuser/kinit.1: Document --password-file=STDIN. + + * lib/krb5/krb5_string_to_key.3: Remove duplicate to. + +2006-07-06 Love Hörnquist Åstrand + + * kdc/krb5tgs.c: (tgs_build_reply): when checking for removed + principals, check the second component of the krbtgt, otherwise + cross realm wont work. Prompted by report from Mattias Amnefelt. 
+ +2006-07-05 Love Hörnquist Åstrand + + * kdc/connect.c (handle_vanilla_tcp): use unsigned integer for for + length + (handle_tcp): if the high bit it set in the unknown case, send + back a KRB_ERR_FIELD_TOOLONG + +2006-07-03 Love Hörnquist Åstrand + + * appl/gssmask/gssmaestro.c: Add get_version_capa, cache + target_name. + + * appl/gssmask/gssmask.c: use utname() to find the local hostname + and version of operatingsystem + + * appl/gssmask/common.h: include + + * appl/gssmask/gssmask.c: break out creation of a client and make + handleServer pthread_create compatible + + * appl/gssmask/gssmaestro.c: break out out the build context + function + +2006-07-01 Love Hörnquist Åstrand + + * appl/gssmask/gssmaestro.c: externalize slave handling, add + GetTargetName glue + + * appl/gssmask/gssmaestro.c: externalize principal/password handling + + * lib/krb5/principal.c (krb5_parse_name): set *principal to NULL + the first thing we do, so that on failure its set to a known value + + * appl/gssmask/gssmask.c: AcquireCreds: set principal to NULL to + avoid memory corruption GetTargetName: always send a string, even + though we don't have a targetname + + * appl/gssmask: break out common function; add gssmaestro (that + only tests one context for now) + +2006-06-30 Love Hörnquist Åstrand + + * lib/krb5/store_fd.c (krb5_storage_from_fd): don't leak fd on + malloc failure + + * appl/gssmask/gssmask.c: split out fetching of credentials for + easier reuse for pk-init testing + + * appl/gssmask: maggot replacement, handles context testing + + * lib/krb5/cache.c (krb5_cc_new_unique): use KRB5_DEFAULT_CCNAME + as the default prefix + +2006-06-28 Love Hörnquist Åstrand + + * doc/heimdal.texi: Add Doug Rabson's license + +2006-06-22 Love Hörnquist Åstrand + + * lib/krb5/init_creds.c: Add storing and getting KRB-ERROR in the + krb5_get_init_creds_opt structure. + + * lib/krb5/init_creds_pw.c: Save KRB-ERROR on error. 
+ + * lib/krb5/krb5_locl.h (_krb5_get_init_creds_opt_private): add + KRB-ERROR + +2006-06-21 Love Hörnquist Åstrand + + * doc/setup.texi: section about verify_krb5_conf and kadmin check + +2006-06-15 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c (get_init_creds_common): drop cred + argument, its unused + + * lib/krb5/Makefile.am: install krb5_get_creds.3 + + * lib/krb5/krb5_get_creds.3: new file + +2006-06-14 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: don't use the sambaNTPassword if there is + ARCFOUR key already. Idea from Andreas Hasenack. While here, set + pw change time using sambaPwdLastSet + + * kdc/kerberos4.c: Use enable_v4_per_principal and check the new + hdb flag. + + * kdc/kdc.h: Add enable_v4_per_principal + +2006-06-12 Love Hörnquist Åstrand + + * kdc/kerberos5.c (_kdc_as_rep): if kdc_time + + config->kdc_warn_pwexpire is past pw_end, add expiration + message. From Bernard Antoine. + + * kdc/default_config.c (krb5_kdc_default_config): set + kdc_warn_pwexpire to 0 + + * kdc/kerberos5.c: indent. + +2006-06-07 Love Hörnquist Åstrand + + * kdc/kerberos5.c: constify + +2006-06-06 Love Hörnquist Åstrand + + * lib/krb5/get_cred.c: Allow setting additional tickets in the + tgs-req + + * kuser/kgetcred.c: add --delegation-credential-cache + + * kdc/krb5tgs.c (tgs_build_reply): add constrained delegation. + + * kdc/krb5tgs.c: Add impersonation. + + * kuser/kgetcred.c: use new krb5_get_creds interface, add + impersonation. + + * lib/krb5/get_cred.c (krb5_get_creds): add + KRB5_GC_NO_TRANSIT_CHECK + + * lib/krb5/misc.c: Add impersonate support functions. + + * lib/krb5/get_cred.c: Add impersonate and new krb5_get_creds interface. + + * lib/hdb/hdb.asn1 (HDBFlags): add trusted-for-delegation + + * lib/krb5/krb5.h: Add krb5_get_creds_opt_data and some more + KRB5_GC flags. + +2006-06-01 Love Hörnquist Åstrand + + * lib/hdb/ext.c (hdb_entry_get_ConstrainedDelegACL): new function. + + * lib/krb5/pkinit.c: Avoid more shadowing. 
+ + * kdc/connect.c (do_request): clean reply with krb5_data_zero + + * kdc/krb5tgs.c: Split up the reverse cross krbtgt check and local + clien must exists test. + + * kdc/krb5tgs.c: Plug old memory leaks, unify all goto's. + + * kdc/krb5tgs.c: Split tgs_rep2 into tgs_parse_request and + tgs_build_reply. + + * kdc/kerberos5.c: split out krb5 tgs req to make it easier to + reorganize the code. + +2006-05-29 Love Hörnquist Åstrand + + * lib/krb5/krb5_get_init_creds.3: spelling Björn Sandell + + * lib/krb5/krb5_get_in_cred.3: spelling Björn Sandell + +2006-05-13 Love Hörnquist Åstrand + + * kpasswd/kpasswdd.c (change): select the realm based on the + target principal From Gabor Gombas + + * lib/krb5/krb5_get_init_creds.3: Add KRB5_PROMPT_TYPE_INFO + + * lib/krb5/krb5.h: Add KRB5_PROMPT_TYPE_INFO + +2006-05-12 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Hidden field of hx509 prompter is removed. + Fix a warning. + + * doc/setup.texi: Point to more examples, hint that you have to + use openssl 0.9.8a or later. + + * doc/setup.texi: DIR now handles both PEM and DER. + + * kuser/kinit.c: Pass down prompter and password to + krb5_get_init_creds_opt_set_pkinit. + + * lib/krb5/pkinit.c (_krb5_pk_load_id): only use password if its + longer then 0 + + * doc/ack.texi: Add Jason McIntyre. + + * lib/krb5/krb5_acl_match_file.3: Various tweaks, from Jason + McIntyre. + +2006-05-11 Love Hörnquist Åstrand + + * kuser/kinit.c: Move parsing of the PK-INIT configuration file to + the library so application doesn't need to deal with it. + + * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit): move + parsing of the configuration file to the library so application + doesn't need to deal with it. + + * lib/krb5/pkinit.c (_krb5_pk_load_id): pass the hx509_lock to + when trying to read the user certificate. + + * lib/krb5/pkinit.c (hx_pass_prompter): return 0 on success and 1 + on failure. Pointed out by Douglas E. Engert. 
+ +2006-05-08 Love Hörnquist Åstrand + + * lib/krb5/crypto.c: Catches both keyed checkout w/o crypto + context cases and doesn't reset the string, and corrects the + grammar. + + * lib/krb5/crypto.c: Drop aes-cbc, rc2 and CMS padding support, + its all containted in libhcrypto and libhx509 now. + +2006-05-07 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (_krb5_pk_verify_sign): Use + hx509_get_one_cert. + + * lib/krb5/crypto.c (create_checksum): provide a error message + that a key checksum needs a key. From Andew Bartlett. + +2006-05-06 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Now that hcrypto supports DH, remove check + for hx509 null DH. + + * kdc/pkinit.c: Don't call DH_check_pubkey, it doesn't exists in + older OpenSSL. + + * doc/heimdal.texi: Add blob about imath. + + * doc/ack.texi: Add blob about imath. + + * include/make_crypto.c: Move up evp.h to please OpenSSL, from + Douglas E. Engert. + + * kcm/acl.c: Multicache kcm interation isn't done yet, let wait + with this enum. + +2006-05-05 Love Hörnquist Åstrand + + * lib/krb5/krb5_set_default_realm.3: Spelling/mdoc from Björn + Sandell + + * lib/krb5/krb5_rcache.3: Spelling/mdoc from Björn Sandell + + * lib/krb5/krb5_keytab.3: Spelling/mdoc from Björn Sandell + + * lib/krb5/krb5_get_in_cred.3: Spelling/mdoc from Björn Sandell + + * lib/krb5/krb5_expand_hostname.3: Spelling/mdoc from Björn + Sandell + + * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc from Björn + Sandell + + * lib/krb5/keytab_file.c (fkt_next_entry_int): read the 32 bit + kvno if the reset of the data is longer then 4 bytes in hope to be + forward compatible. Pointed out by Michael B Allen. + + * doc/programming.texi: Add fileformats. 
+ + * appl/test: Rename u_intXX_t to uintXX_t + + * kuser: Rename u_intXX_t to uintXX_t + + * kdc: Rename u_intXX_t to uintXX_t + + * lib/hdb: Rename u_intXX_t to uintXX_t + + * lib/45]: Rename u_intXX_t to uintXX_t + + * lib/krb5: Rename u_intXX_t to uintXX_t + + * lib/krb5/Makefile.am: Add test_store to TESTS + + * lib/krb5/pkinit.c: Catch using hx509 null DH and print a more + useful error message. + + * lib/krb5/store.c: Rewrite the krb5_ret_u as proposed by Johan. + +2006-05-04 Love Hörnquist Åstrand + + * kdc/kerberos4.c: Use the new unsigned integer storage types. + + * kdc/kaserver.c: Use the new unsigned integer storage + types. Sprinkle some error handling. + + * lib/krb5/krb5_storage.3: Document ret and store function for the + unsigned fixed size integer types. + + * lib/krb5/v4_glue.c: Use the new unsigned integer storage + types. Fail that the address doesn't match, not the reverse. + + * lib/krb5/store.c: Add ret and store function for the unsigned + fixed size integer types. + + * lib/krb5/test_store.c: Test the integer storage types. + +2006-05-03 Love Hörnquist Åstrand + + * lib/krb5/store.c (krb5_store_principal): make it take a + krb5_const_principal, indent + + * lib/krb5/krb5_storage.3: krb5_store_principal takes a + krb5_const_principal + + * lib/krb5/pkinit.c: Deal with that hx509_prompt.reply is no + longer a pointer. + + * kdc/kdc.h (krb5_kdc_configuration): add pkinit_kdc_ocsp_file + + * kdc/config.c: read [kdc]pki-kdc-ocsp + +2006-05-02 Love Hörnquist Åstrand + + * kdc/pkinit.c (_kdc_pk_mk_pa_reply): send back ocsp response if + it seems to be valid, simplfy the pkinit-windows DH case (it + doesn't exists). + +2006-05-01 Love Hörnquist Åstrand + + * lib/krb5/krb5_warn.3: Spelling/mdoc changes, from Björn Sandell. + + * lib/krb5/krb5_verify_user.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_verify_init_creds.3: Spelling/mdoc changes, from + Björn Sandell. 
+ + * lib/krb5/krb5_timeofday.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_ticket.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_rd_safe.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_rcache.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_principal.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_parse_name.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_mk_safe.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_keyblock.3: Spelling/mdoc changes, from Björn + Sandell. + + * lib/krb5/krb5_is_thread_safe.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes, + from Björn Sandell. + + * lib/krb5/krb5_generate_random_block.3: Spelling/mdoc changes, + from Björn Sandell. + + * lib/krb5/krb5_expand_hostname.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_check_transited.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_c_make_checksum.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_address.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5_acl_match_file.3: Spelling/mdoc changes, from + Björn Sandell. + + * lib/krb5/krb5.3: Spelling, from Björn Sandell. + + * doc/ack.texi: add Björn + +2006-04-30 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (cert2epi): don't include subject if its null + +2006-04-29 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Send over what trust anchors the client have + configured. + + * lib/krb5/pkinit.c (pk_verify_host): set better error string, + only check kdc name/address when we got a hostname/address passed + in the the function. + + * kdc/pkinit.c (_kdc_pk_check_client): reorganize and make log + when a SAN matches. + +2006-04-28 Love Hörnquist Åstrand + + * doc/setup.texi: More options and some text about windows + clients, certificate and KDCs. 
+ + * doc/setup.texi: notice about pki-mappings file space sensitive + + * doc/setup.texi: Example pki-mapping file. + + * lib/krb5/pkinit.c (pk_verify_host): verify hostname/address + + * lib/hdb/hdb.h: Bump hdb interface version to 4. + +2006-04-27 Love Hörnquist Åstrand + + * kuser/kdestroy.1: Document --credential=principal. + + * kdc/kerberos5.c (tgs_rep2): check that the client exists in the + kerberos database if its local request. + + * kdc/{misc.c,524.c,kaserver.c,kerberos5.c}: pass down HDB_F_GET_ + flags as appropriate + + * kdc/kerberos4.c (_kdc_db_fetch4): pass down flags though + krb5_425_conv_principal_ext2 + + * kdc/misc.c (_kdc_db_fetch): Break out the that we request from + principal from the entry and pass it in as a seprate argument. + + * lib/hdb/keytab.c (hdb_get_entry): Break out the that we request + from principal from the entry and pass it in as a seprate + argument. + + * lib/hdb/common.c: Break out the that we request from principal + from the entry and pass it in as a seprate argument. + + * lib/hdb/hdb.h: Break out the that we request from principal from + the entry and pass it in as a seprate argument. Add more flags to + ->hdb_get(). Re-indent. + +2006-04-26 Love Hörnquist Åstrand + + * doc/setup.texi: document pki-allow-proxy-certificate + + * kdc/pkinit.c: Add option [kdc]pki-allow-proxy-certificate=bool + to allow using proxy certificate. + + * lib/krb5/pkinit.c (_krb5_pk_allow_proxy_certificates): expose + hx509_verify_set_proxy_certificate + + * kdc/pkinit.c (_kdc_pk_check_client): Use + hx509_cert_get_base_subject to get subject name of the + certificate, needed for proxy certificates. + + * kdc/kerberos5.c: Now that find_keys speaks for it self, remove + extra logging. + + * kdc/kerberos5.c (find_keys): add client_name and server_name + argument and use them, and adapt callers. 
+ +2006-04-25 Love Hörnquist Åstrand + + * kuser/kinit.1: document option password-file + + * kuser/kinit.c: Add option password-file, read password from the + first line of a file. + + * configure.in: make tests/kdc/Makefile + + * kdc/kerberos5.c: Catch the case where the client sends no + encryption types or no pa-types. + + * lib/hdb/ext.c (hdb_replace_extension): set error message on + failure, not success. + + * lib/hdb/keys.c (parse_key_set): handle error case better + (hdb_generate_key_set): return better error + +2006-04-24 Love Hörnquist Åstrand + + * lib/hdb/hdb.c (hdb_create): print out what we don't support + + * lib/krb5/principal.c: Remove a double free introduced in 1.93 + + * lib/krb5/log.c (log_file): reset pointer to freed memory + + * lib/krb5/keytab_keyfile.c (get_cell_and_realm): reset d->cell to + make sure its not refereced + + * tools/krb5-config.in: libhcrypto might depend on libasn1, switch + order + + * lib/krb5/recvauth.c: indent + + * doc/heimdal.texi: Add Setting up PK-INIT to Detailed Node + Listing. + + * lib/krb5/pkinit.c: Pass down realm to pk_verify_host so the + function can verify the certificate is from the right realm. + + * lib/krb5/init_creds_pw.c: Pass down realm to + _krb5_pk_rd_pa_reply + +2006-04-23 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (pk_verify_host): Add begining of finding + subjectAltName_otherName pk-init-san and verifing it. + + * lib/krb5/sendauth.c: reindent + + * doc/Makefile.am: use --no-split to make one large file, mostly + for html + + * doc/setup.texi: "document" pkinit_require_eku and + pkinit_require_krbtgt_otherName + + * lib/krb5/pkinit.c: Add pkinit_require_eku and + pkinit_require_krbtgt_otherName + + * doc/setup.texi: Add text about pk-init + + * tools/kdc-log-analyze.pl: count v5 cross realms too + +2006-04-22 Love Hörnquist Åstrand + + * kdc/pkinit.c: Adapt to change in hx509_cms_create_signed_1. + + * lib/krb5/pkinit.c: Adapt to change in hx509_cms_create_signed_1. 
+ +2006-04-20 Love Hörnquist Åstrand + + * kdc/pkinit.c (_kdc_pk_rd_padata): use + hx509_cms_unwrap_ContentInfo. + + * kdc/config.c: unbreak + + * lib/krb5/pkinit.c: Handle diffrences between libhcrypto and + libcrypto. + + * kdc/config.c: Rename pki-chain to pki-pool to match rest of + code. + +2006-04-12 Love Hörnquist Åstrand + + * lib/krb5/rd_priv.c: Fix argument to krb5_data_zero. + + * kdc/config.c: Added certificate revoke information from + configuration file. + + * kdc/pkinit.c: Added certificate revoke information. + + * kuser/kinit.c: Added certificate revoke information from + configuration file. + + * lib/krb5/pkinit.c (_krb5_pk_load_id): Added certificate revoke + information, ie CRL's + +2006-04-10 Love Hörnquist Åstrand + + * lib/krb5/replay.c (krb5_rc_resolve_full): make compile again. + + * lib/krb5/keytab_krb4.c (krb4_kt_start_seq_get_int): make compile + again. + + * lib/krb5/transited.c (make_path): make sure we return allocated + memory Coverity, NetBSD CID#1892 + + * lib/krb5/transited.c (make_path): make sure we return allocated + memory Coverity, NetBSD CID#1892 + + * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): on + protocol failure, avoid leaking memory Coverity, NetBSD CID#1900 + + * lib/krb5/principal.c (krb5_parse_name): remember to free realm + in case of error Coverity, NetBSD CID#1883 + + * lib/krb5/principal.c (krb5_425_conv_principal_ext2): remove + memory leak in case of weird formated dns replys. + Coverity, NetBSD CID#1885 + + * lib/krb5/replay.c (krb5_rc_resolve_full): don't return pointer + to a allocated krb5_rcache in case of error. + + * lib/krb5/log.c (krb5_addlog_dest): free fn in case of error + Coverity, NetBSD CID#1882 + + * lib/krb5/keytab_krb4.c: Fix deref before NULL check, fix error + handling. Coverity, NetBSD CID#2369 + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): + in_creds->client should always be set, assume so. 
+ + * lib/krb5/keytab_any.c (any_next_entry): restructure to make it + easier to read Fixes Coverity, NetBSD CID#625 + + * lib/krb5/crypto.c (krb5_string_to_key_derived): deref after NULL + check. Coverity NetBSD CID#2367 + + * lib/krb5/build_auth.c (krb5_build_authenticator): use + calloc. removed check that was never really used. Coverity NetBSD + CID#2370 + +2006-04-09 Love Hörnquist Åstrand + + * lib/krb5/rd_req.c (krb5_verify_ap_req2): make sure `ticket´ + points to NULL in case of error, add error handling, use calloc. + + * kpasswd/kpasswdd.c (doit): when done, close all fd in the + sockets array and free it. Coverity NetBSD CID#1916 + +2006-04-08 Love Hörnquist Åstrand + + * lib/krb5/store.c (krb5_ret_principal): fix memory leak Coverity, + NetBSD CID#1695 + + * kdc/524.c (_kdc_do_524): Handle memory allocation failure + Coverity, NetBSD CID#2752 + +2006-04-07 Love Hörnquist Åstrand + + * lib/krb5/keytab_file.c (krb5_kt_ret_principal): plug a memory + leak Coverity NetBSD CID#1890 + + * kdc/hprop.c (main): make sure type doesn't need to be set + + * kdc/mit_dump.c (mit_prop_dump): close fd when done processing + Coverity NetBSD CID#1955 + + * kdc/string2key.c (tokey): catch warnings, free memory after use. + Based on Coverity NetBSD CID#1894 + + * kdc/hprop.c (main): remove dead code. Coverity NetBSD CID#633 + +2006-04-04 Love Hörnquist Åstrand + + * kpasswd/kpasswd-generator.c (read_words): catch empty file case, + will cause PBE (division by zero) later. From Tobias Stoeckmann. + +2006-04-02 Love Hörnquist Åstrand + + * lib/hdb/keytab.c: Remove a delta from last revision that should + have gone in later. + + * lib/krb5/krbhst.c: fix spelling + + * lib/krb5/send_to_kdc.c (send_and_recv_http): don't expose freed + pointer, found by IBM checker. + + * lib/krb5/rd_cred.c (krb5_rd_cred): don't expose freed pointer, + found by IBM checker. + + * lib/krb5/addr_families.c (krb5_make_addrport): clear return + value on error, found by IBM checker. 
+ + * kdc/kerberos5.c (check_addresses): treat netbios as no addresses + + * kdc/{kerberos4,kaserver}.c: _kdc_check_flags takes hdb_entry_ex + + * kdc/kerberos5.c (_kdc_check_flags): make it take hdb_entry_ex to + avoid ?:'s at callers + + * lib/krb5/v4_glue.c: Avoid using free memory, found by IBM + checker. + + * lib/krb5/transited.c (expand_realm): avoid passing NULL to + strlen, found by IBM checker. + + * lib/krb5/rd_cred.c (krb5_rd_cred): avoid a memory leak on malloc + failure, found by IBM checker. + + * lib/krb5/krbhst.c (_krb5_krbhost_info_move): replace a strcpy + with a memcpy + + * lib/krb5/keytab_keyfile.c (get_cell_and_realm): plug a memory + leak, found by IBM checker. + + * lib/krb5/keytab_file.c (fkt_next_entry_int): remove a + dereferencing NULL pointer, found by IBM checker. + + * lib/krb5/init_creds_pw.c (init_creds_init_as_req): in AS-REQ the + cname must always be given, don't avoid that fact and remove a + cname == NULL case. Plugs a memory leak found by IBM checker. + + * lib/krb5/init_creds_pw.c (default_s2k_func): avoid exposing + free-ed memory on error. Found by IBM checker. + + * lib/krb5/init_creds.c (_krb5_get_init_creds_opt_copy): use + calloc to avoid uninitialized memory problem. + + * lib/krb5/data.c (krb5_copy_data): avoid exposing free-ed memory + on error. Found by IBM checker. + + * lib/krb5/fcache.c (fcc_gen_new): fix a use after free, found by + IBM checker. + + * lib/krb5/config_file.c (krb5_config_vget_strings): IBM checker + thought it found a memory leak, it didn't, but there was another + error in the code, lets fix that instead. + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): plug memory + leak. Found by IBM checker. + + * lib/krb5/cache.c (_krb5_expand_default_cc_name): avoid return + pointer to freed memory in the error case. Found by IBM checker. + + * lib/hdb/keytab.c (hdb_resolve): off by one, found by IBM + checker. 
+ + * lib/hdb/keys.c (hdb_generate_key_set): set ret_key_set before + going into the error clause and freeing key_set. Found by IBM + checker. Make sure ret == 0 after of parse error, we catch the + "no entries parsed" case later. + + * lib/krb5/log.c (krb5_addlog_dest): make string length match + strings in strcasecmp. Found by IBM checker. + +2006-03-30 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c (LDAP_message2entry): in declaration set + variable_name as "hdb_entry_ex" + (hdb_ldap_common): change "arg" in condition (if) to "search_base" + (hdb_ldapi_create): change "serach_base" to "search_base" From + Alex V. Labuta. + + * lib/krb5/pkinit.c (krb5_get_init_creds_opt_set_pkinit); fix + prototype + + * kuser/kinit.c: Add pool of certificates to help certificate path + building for clients sending incomplete path in the signedData. + +2006-03-28 Love Hörnquist Åstrand + + * kdc/pkinit.c: Add pool of certificates to help certificate path + building for clients sending incomplete path in the signedData. + + * lib/krb5/pkinit.c: Add pool of certificates to help certificate + path building for clients sending incomplete path in the + signedData. + +2006-03-27 Love Hörnquist Åstrand + + * kdc/config.c: Allow passing in related certificates used to + build the chain. + + * kdc/pkinit.c: Allow passing in related certificates used to + build the chain. + + * kdc/kerberos5.c (log_patype): Add case for + KRB5_PADATA_PA_PK_OCSP_RESPONSE. + + * tools/Makefile.am: Spelling + + * tools/krb5-config.in: Add hx509 when using PK-INIT. + + * tools/Makefile.am: Add hx509 when using PK-INIT. + +2006-03-26 Love Hörnquist Åstrand + + * lib/krb5/acache.c: Use ticket flags definition, might fix Mac OS + X Kerberos.app problems. + + * lib/krb5/krb5_ccapi.h: Add ticket flags definitions + + * lib/krb5/pkinit.c: Use less openssl, spell chelling. 
+ + * kdc/pkinit.c (pk_mk_pa_reply_dh): encode the DH public key with + asn1 wrapping + + * configure.in (AC_CONFIG_FILES): add lib/hx509/Makefile + + * lib/Makefile.am: Add hx509. + + * lib/krb5/Makefile.am: Add libhx509.la when PKINIT is used. + + * configure.in: define automake PKINIT variable + + * kdc/pkinit.c: Switch to hx509. + + * lib/krb5/pkinit.c: Switch to hx509. + +2006-03-24 Love Hörnquist Åstrand + + * kdc/kerberos5.c (log_patypes): log the patypes requested by the + client + +2006-03-23 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c (_krb5_pk_rd_pa_reply): pass down the + req_buffer in the w2k case too. From Douglas E. Engert. + +2006-03-19 Love Hörnquist Åstrand + + * lib/krb5/mk_req_ext.c (_krb5_mk_req_internal): on failure, goto + error handling. Fixes Coverity NetBSD CID 2591 by catching a + failing krb5_copy_keyblock() + +2006-03-17 Love Hörnquist Åstrand + + * lib/krb5/addr_families.c (krb5_free_addresses): reset val,len in + address when free-ing. Fixes Coverity NetBSD bug #2605 + (krb5_parse_address): reset val,len before possibly return errors + Fixes Coverity NetBSD bug #2605 + +2006-03-07 Love Hörnquist Åstrand + + * lib/krb5/send_to_kdc.c (recv_loop): it should never happen, but + make sure nbytes > 0 + + * lib/krb5/get_for_creds.c (add_addrs): handle the case where + addr->len == 0 and n == 0, then realloc might return NULL. + + * lib/krb5/crypto.c (decrypt_*): handle the case where the + plaintext is 0 bytes long, realloc might then return NULL. + +2006-02-28 Love Hörnquist Åstrand + + * lib/krb5/krb5_string_to_key.3: Drop krb5_string_to_key_derived. + + * lib/krb5/krb5.3: Remove krb5_string_to_key_derived. + + * lib/krb5/crypto.c (AES_string_to_key): drop _krb5_PKCS5_PBKDF2 + and use PKCS5_PBKDF2_HMAC_SHA1 instead. + + * lib/krb5/aes-test.c: reformat, avoid free-ing un-init'd memory + + * lib/krb5/aes-test.c: Only use PKCS5_PBKDF2_HMAC_SHA1. 
+ +2006-02-27 Johan Danielsson + + * doc/setup.texi: remove cartouches - we don't use them anywhere + else, they should be around the example, not inside it, and + probably shouldn't be used in html at all + +2006-02-18 Love Hörnquist Åstrand + + * lib/krb5/krb5_warn.3: Document that applications want to use + krb5_get_error_message, add example. + +2006-02-16 Love Hörnquist Åstrand + + * lib/krb5/crypto.c (krb5_generate_random_block): check return + value from RAND_bytes + + * lib/krb5/error_string.c: Change indentation, update (c) + +2006-02-14 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Make struct krb5_dh_moduli available when + compiling w/o pkinit. + +2006-02-13 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: update to new paChecksum definition, update + the dhgroup handling + + * kdc/pkinit.c: update to new paChecksum definition, use + hdb_entry_ex + +2006-02-09 Love Hörnquist Åstrand + + * lib/krb5/krb5_locl.h: Move Configurable options to last in the + file. + + * lib/krb5/krb5_locl.h: Wrap KRB5_ADDRESSLESS_DEFAULT with #ifndef + +2006-02-03 Love Hörnquist Åstrand + + * kpasswd/kpasswdd.c: Send back a better error-message to the + client in case the password change was rejected. + + * lib/krb5/krb5_warn.3: Document krb5_get_error_message. + + * lib/krb5/error_string.c (krb5_get_error_message): new function, + and combination of krb5_get_error_string and krb5_get_err_text + + * lib/krb5/krb5.3: sort, and krb5_get_error_message + + * lib/hdb/hdb-ldap.c: Log the filter string to the error message + when doing searches. + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_default_flags): + Use KRB5_ADDRESSLESS_DEFAULT when + checking [appdefault]no-addresses. + + * lib/krb5/get_cred.c (get_cred_from_kdc_flags): Use + KRB5_ADDRESSLESS_DEFAULT when checking + [appdefault]no-addresses. + + * lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): + Use [appdefault]no-addresses before checking if the krbtgt is + address-less, use KRB5_ADDRESSLESS_DEFAULT. 
+ + * lib/krb5/krb5_locl.h: Introduce KRB5_ADDRESSLESS_DEFAULT that + controlls all address-less behavior. Defaults to false. + +2006-02-01 Love Hörnquist Åstrand + + * lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION + + * lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE + failes to produce the matching lenghts. + +2006-01-27 Love Hörnquist Åstrand + + * kcm/protocol.c (kcm_op_retrieve): remove unused variable + +2006-01-15 Love Hörnquist Åstrand + + * tools/krb5-config.in: Move depenency on @LIB_dbopen@ to + kadm-server, kerberos library doesn't depend on db-library. + +2006-01-13 Love Hörnquist Åstrand + + * include/Makefile.am: Don't clean crypto headers, they now live + in hcrypto/. Add hcrypto to SUBDIRS. + + * include/hcrypto/Makefile.am: clean installed headers + + * include/make_crypto.c: include crypto headers from hcrypto/ + + * include/make_crypto.c: Include more crypto headerfiles. Remove + support for old hash names. + +2006-01-02 Love Hörnquist Åstrand + + * kdc/misc.c (_kdc_db_fetch): use calloc to allocate the entry, + from Andrew Bartlet. + + * Happy New Year. diff --git a/third_party/heimdal/ChangeLog.2007 b/third_party/heimdal/ChangeLog.2007 new file mode 100644 index 0000000..60c9545 --- /dev/null +++ b/third_party/heimdal/ChangeLog.2007 
@@ -0,0 +1,1321 @@ +2007-12-28 Love Hörnquist Åstrand + + * kdc/digest.c: Log probe message, add NTLM_TARGET_DOMAIN to the + type2 message. + +2007-12-14 Love Hörnquist Åstrand + + * lib/hdb/dbinfo.c: Add hdb_default_db(). + + * Makefile.am: Add some extra cf/*. + +2007-12-12 Love Hörnquist Åstrand + + * kuser/kgetcred.c: Fix type of name-type. From Andy Polyakov. + +2007-12-09 Love Hörnquist Åstrand + + * kdc/log.c: Use hdb_db_dir(). + + * kpasswd/kpasswdd.c: Use hdb_db_dir(). + +2007-12-08 Love Hörnquist Åstrand + + * kdc/config.c: Use hdb_db_dir(). + + * kdc/kdc_locl.h: add KDC_LOG_FILE + + * kdc/hpropd.c: Use hdb_default_db(). + + * kdc/kstash.c: Use hdb_db_dir(). + + * kdc/pkinit.c: Adapt to hx509 changes, use hdb_db_dir(). + + * lib/krb5/rd_req.c: Document krb5_rd_req_in_set_pac_check. + + * lib/krb5/verify_krb5_conf.c: Check check_pac. + + * lib/krb5/rd_req.c: use KRB5_CTX_F_CHECK_PAC to init check_pac + field in the krb5_rd_req_in_ctx + + * lib/krb5/expand_hostname.c: Adapt to changing + dns_canonicalize_hostname into flags field. + + * lib/krb5/context.c: Adapt to changing dns_canonicalize_hostname + into flags field, add check-pac as an libdefaults option. + + * lib/krb5/pkinit.c: Adapt to changes in hx509 interface. + + * doc: add doxygen documentation to hcrypto + + * doc/doxytmpl.dxy: generate links + +2007-12-07 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: build_HEADERZ += heim_threads.h + + * lib/hdb/dbinfo.c (hdb_db_dir): Return the directory where the + hdb database resides. + + * configure.in: Add --with-hdbdir to specify where the database is + stored. + + * lib/krb5/crypto.c: revert previous patch, the problem is located + in the RAND_file_name() function that will cause recursive nss + lookups, can't fix that here. + +2007-12-06 Love Hörnquist Åstrand + + * lib/krb5/crypto.c (krb5_generate_random_block): try to avoid the + dead-lock in by not holding the lock while running + RAND_file_name. Prompted by Hai Zaar. 
+ + * lib/krb5/n-fold.c: spelling + +2007-12-04 Love Hörnquist Åstrand + + * kuser/kdigest.c (digest-probe): implement command. + + * kuser/kdigest-commands.in (digest-probe): new command + + * kdc/digest.c: Implement supportedMechs request. + + * lib/krb5/error_string.c: Make krb5_get_error_string return an + allocated string to make the function indempotent. From + Zeqing (Fred) Xia. + +2007-12-03 Love Hörnquist Åstrand + + * lib/krb5/krb5_locl.h (krb5_context_data): Flag if + default_cc_name was set by the user. + + * lib/krb5/fcache.c (fcc_move): make sure ->version is uptodate. + + * kcm/acquire.c: use krb5_free_cred_contents + + * kuser/kimpersonate.c: use krb5_free_cred_contents + + * kuser/kinit.c: Use krb5_cc_move to make an atomic switch of the + cred cache. + + * lib/krb5/cache.c: Put back code that was needed, move gen_new + into new_unique. + + * lib/krb5/mcache.c (mcc_default_name): Remove const + + * lib/krb5/krb5_locl.h: Add KRB5_DEFAULT_CCNAME_KCM, redefine + KRB5_DEFAULT_CCNAME to KRB5_DEFAULT_CCTYPE + + * lib/krb5/cache.c: Use krb5_cc_ops->default_name to get the + default name. + + * lib/krb5/kcm.c: Implement krb5_cc_ops->default_name. + + * lib/krb5/mcache.c: Implement krb5_cc_ops->default_name. + + * lib/krb5/fcache.c: Implement krb5_cc_ops->default_name. + + * lib/krb5/krb5.h: Add krb5_cc_ops->default_name. + + * lib/krb5/acache.c: Free context when done, implement + krb5_cc_ops->default_name. + + * lib/krb5/kcm.c: implement dummy kcm_move + + * lib/krb5/mcache.c: Implement the move operation. + + * lib/krb5/version-script.map: export krb5_cc_move + + * lib/krb5/cache.c: New function krb5_cc_move(). + + * lib/krb5/fcache.c: Implement the move operation. + + * lib/krb5/krb5.h: Add move to the krb5_cc_ops, causes major + version bump. + + * lib/krb5/acache.c: Implement the move operation. Avoid using + cc_set_principal() since it broken on Mac OS X 10.5.0. 
+ +2007-12-02 Love Hörnquist Åstrand + + * lib/krb5/krb5_ccapi.h: Drop variable names to avoid -Wshadow. + +2007-11-14 Love Hörnquist Åstrand + + * kdc/krb5tgs.c: Should pass different key usage constants + depending on whether or not optional sub-session key was passed by + the client for the check of authorization data. The constant is + used to derive "specific key" and its values are specified in + 7.5.1 of RFC4120. + + Patch from Andy Polyakov. + + * kdc/krb5tgs.c: Don't send auth data in referrals, microsoft + clients have started to not like that. Thanks to Andy Polyakov for + excellent research. + +2007-11-11 Love Hörnquist Åstrand + + * lib/krb5/creds.c: use krb5_data_cmp + + * lib/krb5/acache.c: use krb5_free_cred_contents + + * lib/krb5/test_renew.c: use krb5_free_cred_contents + +2007-11-10 Love Hörnquist Åstrand + + * lib/krb5/acl.c: doxygen documentation + + * lib/krb5/addr_families.c: doxygen documentation + + * doc: add doxygen + + * lib/krb5/plugin.c: doxygen documentation + + * lib/krb5/kcm.c: doxygen documentation + + * lib/krb5/fcache.c: doxygen documentation + + * lib/krb5/cache.c: doxygen documentations + + * lib/krb5/doxygen.c: doxygen introduction + + * lib/krb5/error_string.c: Doxygen documentation. + +2007-11-03 Love Hörnquist Åstrand + + * lib/krb5/test_plugin.c: expose krb5_plugin_register + + * lib/krb5/plugin.c: expose krb5_plugin_register + + * lib/krb5/version-script.map: sort, expose krb5_plugin_register + +2007-10-24 Love Hörnquist Åstrand + + * kdc/kerberos5.c: Adding same enctype is enough one time. From + Andy Polyakov and Bjorn Sandell. + +2007-10-18 Love + + * lib/krb5/cache.c (krb5_cc_retrieve_cred): check return value + from krb5_cc_start_seq_get. From Zeqing (Fred) Xia + + * lib/krb5/fcache.c (init_fcc): provide better error codes + + * kdc/kerberos5.c (get_pa_etype_info2): more paranoia, avoid + sending warning about pruned etypes. 
+ + * kdc/kerberos5.c (older_enctype): old windows enctypes (arcfour + based) "old", this to support windows 2000 clients (unjoined to a + domain). From Andy Polyakov. + +2007-10-07 Love Hörnquist Åstrand + + * doc/setup.texi: Spelling, from Mark Peoples via Bjorn Sandell. + +2007-10-04 Love Hörnquist Åstrand + + * kdc/krb5tgs.c: More prettier printing of enctype, from KAMADA + Ken'ichi. + + * lib/krb5/crypto.c (krb5_enctype_to_string): make sure string is + NULL on failure. + +2007-10-03 Love Hörnquist Åstrand + + * kdc/kdc-replay.c: Catch KRB5_PROG_ATYPE_NOSUPP from + krb5_addr2sockaddr and igore thte test is that case. + +2007-09-29 Love Hörnquist Åstrand + + * lib/krb5/context.c (krb5_free_context): free + default_cc_name_env, from Gunther Deschner. + +2007-08-27 Love Hörnquist Åstrand + + * lib/krb5/{krb5.h,pac.c,test_pac.c,send_to_kdc.c,rd_req.c}: Make + work with c++, reported by Hai Zaar + + * lib/krb5/{digest.c,krb5.h}: Make work with c++, reported by Hai Zaar + +2007-08-20 Love Hörnquist Åstrand + + * lib/hdb/Makefile.am: EXTRA_DIST += hdb.schema + +2007-07-31 Love Hörnquist Åstrand + + * check return value of alloc functions, from Charles Longeau + + * lib/krb5/principal.c: spelling. + + * kadmin/kadmin.8: spelling + + * lib/krb5/crypto.c: Check return values from alloc + functions. Prompted by patch of Charles Longeau. + + * lib/krb5/n-fold.c: Make _krb5_n_fold return a error + code. Prompted by patch of Charles Longeau. + +2007-07-27 Love Hörnquist Åstrand + + * lib/krb5/init_creds.c: Always set the ticket options, use + KRB5_ADDRESSLESS_DEFAULT as the default value, this make the unset + tri-state not so useful. + +2007-07-24 Love Hörnquist Åstrand + + * tools/heimdal-gssapi.pc.in: Add LIB_pkinit to the list of + libraries. + + * tools/heimdal-gssapi.pc.in: pkg-config file for libgssapi in + heimdal. 
+ + * tools/Makefile.am: Add heimdal-gssapi.pc and install it into + $(libdir)/pkgconfig + +2007-07-23 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Add RFC3526 modp group14 as a default. + +2007-07-22 Love Hörnquist Åstrand + + * lib/hdb/dbinfo.c (get_dbinfo): use dbname instead of realm as + key if the entry is a correct entry. + + * lib/krb5/get_cred.c: Make krb5_get_renewed_creds work, from + Gunther Deschner. + + * lib/krb5/Makefile.am: Add test_renew to noinst_PROGRAMS. + + * lib/krb5/test_renew.c: Test for krb5_get_renewed_creds. + +2007-07-21 Love Hörnquist Åstrand + + * lib/hdb/keys.c: Make parse_key_set handle key set string "v5", + from Peter Meinecke. + + * kdc/kaserver.c: Don't ovewrite the error code, from Peter + Meinecke. + +2007-07-18 Love Hörnquist Åstrand + + * TODO-1.0: remove + + * Makefile.am: remove TODO-1.0 + +2007-07-17 Love Hörnquist Åstrand + + * Heimdal 1.0 release branch cut here + + * doc/hx509.texi: use version.texi + + * doc/heimdal.texi: use version.texi + + * doc/version.texi: version.texi + + * lib/hdb/db3.c: avoid type-punned pointer warning. + + * kdc/kx509.c: Use unsigned char * as argument to HMAC_Update to + please OpenSSL and gcc. + + * kdc/digest.c: Use unsigned char * as argument to MD5_Update to + please OpenSSL and gcc. + +2007-07-16 Love Hörnquist Åstrand + + * include/Makefile.am: Add krb_err.h. + + * kdc/set_dbinfo.c: Print acl file too. + + * kdc/kerberos4.c: Error codes are just fine, remove XXX now. + + * lib/krb5/krb5-v4compat.h: Drop duplicate error codes. + + * kdc/kerberos4.c: switch to ET errors. + + * lib/krb5/Makefile.am: Add krb_err.h to build_HEADERZ. + + * lib/krb5/v4_glue.c: If its a Kerberos 4 error-code, remove the + et BASE. + +2007-07-15 Love Hörnquist Åstrand + + * lib/krb5/krb5-v4compat.h: Include "krb_err.h". + + * lib/krb5/v4_glue.c: return more interesting error codes. + + * lib/krb5/plugin.c: Prefix enum plugin_type. + + * lib/krb5/krb5_locl.h: Expose plugin structures. 
+ + * lib/krb5/krb5.h: Add plugin structures. + + * lib/krb5/krb_err.et: V4 errors. + + * lib/krb5/version-script.map: First version of version script. + +2007-07-13 Love Hörnquist Åstrand + + * kdc/kerberos5.c: Java 1.6 expects the name to be the same type, + lets allow that for uncomplicated name-types. + +2007-07-12 Love Hörnquist Åstrand + + * lib/krb5/v4_glue.c (_krb5_krb_rd_req): if ticket contains + address 0, its ticket less and don't really care about + from_addr. return better error codes. + + * kpasswd/kpasswdd.c: Fix pointer vs strict alias rules. + +2007-07-11 Love Hörnquist Åstrand + + * lib/hdb/hdb-ldap.c: When using sambaNTPassword, avoid adding + more then one enctype 23 to krb5EncryptionType. + + * lib/krb5/cache.c: Spelling. + + * kdc/kerberos5.c: Don't send newer enctypes in ETYPE-INFO. + (get_pa_etype_info2): return the enctypes as sorted in the + database + +2007-07-10 Love Hörnquist Åstrand + + * kuser/kinit.c: krb5-v4compat.h defines prototypes for + v4 (semiprivate functions) in libkrb5, don't include + krb5-private.h any longer. + + * lib/krb5/krbhst.c: Set error string when there is no KDC for a + realm. + + * lib/krb5/Makefile.am: New library version. + + * kdc/Makefile.am: New library version. + + * lib/krb5/krb5_locl.h: Add default_cc_name_env. + + * lib/krb5/cache.c (enviroment_changed): return non-zero if + enviroment that will determine default krb5cc name has changed. + (krb5_cc_default_name): also check if cached value is uptodate. + + * lib/krb5/krb5_locl.h: Drop pkinit_flags. + +2007-07-05 Love Hörnquist Åstrand + + * configure.in: add tests/java/Makefile + + * lib/hdb/dbinfo.c: Add hdb_dbinfo_get_log_file. + +2007-07-04 Love Hörnquist Åstrand + + * kdc/kerberos5.c: Improve the default salt detection to avoid + returning v4 password salting to java that doesn't look at the + returning padata for salting. 
+ + * kdc: Split out krb5_kdc_set_dbinfo, From Andrew Bartlett + +2007-07-02 Love Hörnquist Åstrand + + * kdc/digest.c: Try harder to provide better error message for + digest messages. + + * lib/krb5/Makefile.am: verify_krb5_conf_OBJECTS depends on + krb5-pr*.h, make -j finds this. + +2007-06-28 Love Hörnquist Åstrand + + * kdc/digest.c: On success, print username, not ip-adress. + +2007-06-26 Love Hörnquist Åstrand + + * lib/krb5/get_cred.c: Add krb5_get_renewed_creds. + + * lib/krb5/krb5_get_credentials.3: add krb5_get_renewed_creds + + * lib/krb5/pkinit.c: Use hx509_cms_unwrap_ContentInfo. + +2007-06-25 Love Hörnquist Åstrand + + * doc/setup.texi: Add example for pkinit_win2k_require_binding + in [kdc] section. + + * kdc/default_config.c: Rename require_binding to + win2k_require_binding to match client configuration. + + * kdc/default_config.c: Add [kdc]pkinit_require_binding option. + + * kdc/pkinit.c (pk_mk_pa_reply_enckey): only allow non-bound reply + if its not required. + + * kdc/default_config.c: rename pkinit_princ_in_cert and add + pkinit_require_binding + + * kdc/kdc.h: rename pkinit_princ_in_cert and add + pkinit_require_binding + + * kdc/pkinit.c: rename pkinit_princ_in_cert + +2007-06-24 Love Hörnquist Åstrand + + * lib/krb5/pkinit.c: Adapt to hx509_verify_hostname change. + +2007-06-21 Love Hörnquist Åstrand + + * kdc/krb5tgs.c: Drop unused variable. + + * kdc/krb5tgs.c: disable anonyous tgs requests + + * kdc/krb5tgs.c: Don't check PAC on cross realm for now. + + * kuser/kgetcred.c: Set KRB5_GC_CONSTRAINED_DELEGATION and parse + nametypes. + + * lib/krb5/krb5_principal.3: Document krb5_parse_nametype. + + * lib/krb5/principal.c (krb5_parse_nametype): parse nametype and + return their integer values. + + * lib/krb5/krb5.h (krb5_get_creds): Add + KRB5_GC_CONSTRAINED_DELEGATION. + + * lib/krb5/get_cred.c (krb5_get_creds): if + KRB5_GC_CONSTRAINED_DELEGATION is set, set both request_anonymous + and constrained_delegation. 
+ +2007-06-20 Love Hörnquist Åstrand + + * kdc/digest.c: Return an error message instead of dropping the + packet for more failure cases. + + * lib/krb5/krb5_principal.3: Add KRB5_PRINCIPAL_UNPARSE_DISPLAY. + + * appl/gssmask/gssmask.c (AcquirePKInitCreds): fail more + gracefully + +2007-06-18 Love Hörnquist Åstrand + + * lib/krb5/pac.c: make compile. + + * lib/krb5/pac.c (verify_checksum): memset cksum to avoid using + pointer from stack. + + * lib/krb5/plugin.c: Don't expose free pointer. + + * lib/krb5/pkinit.c (_krb5_pk_load_id): fail directoy for first + calloc. + + * lib/krb5/pkinit.c (get_reply_key*): don't expose freed memory + + * lib/krb5/krbhst.c: Host is static memory, don't free. + + * lib/krb5/crypto.c (decrypt_internal_derived): make sure length + is longer then confounder + checksum. + + * kdc: export get_dbinfo as krb5_kdc_set_dbinfo and call from + users. This to allows libkdc users to to specify their own + databases + + * lib/krb5/pkinit.c (pk_rd_pa_reply_enckey): simplify handling of + content data (and avoid leaking memory). + + * kdc/misc.c (_kdc_db_fetch): set error string for failures. + +2007-06-15 Love Hörnquist Åstrand + + * kdc/pkinit.c: Use KRB5_AUTHDATA_INITIAL_VERIFIED_CAS. + +2007-06-13 Love Hörnquist Åstrand + + * kdc/pkinit.c: tell user when they got a pk-init request with + pkinit disabled. + +2007-06-12 Love Hörnquist Åstrand + + * lib/krb5/principal.c: Rename UNPARSE_NO_QUOTE to + UNPARSE_DISPLAY. + + * lib/krb5/krb5.h: Rename UNPARSE_NO_QUOTE to UNPARSE_DISPLAY. + + * lib/krb5/principal.c: Make no-quote mean replace strange chars + with space. + + * lib/krb5/principal.c: Support KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. + + * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_UNPARSE_NO_QUOTE. + + * lib/krb5/test_princ.c: Test quoteing. + + * lib/krb5/pkinit.c: update (c) + + * lib/krb5/get_cred.c: use krb5_sendto_context to talk to the KDC. 
+ + * lib/krb5/send_to_kdc.c (_krb5_kdc_retry): check if the whole + process needs to restart or just skip this KDC. + + * lib/krb5/init_creds_pw.c: Use krb5_sendto_context to talk to + KDC. + + * lib/krb5/krb5.h: Add sendto hooks and opaque structure. + + * lib/krb5/krb5_rd_error.3: Update prototype. + + * lib/krb5/send_to_kdc.c: Add hooks for processing the reply from + the server. + +2007-06-11 Love Hörnquist Åstrand + + * lib/krb5/krb5_err.et: Some new error codes from RFC 4120. + +2007-06-09 Love Hörnquist Åstrand + + * kdc/krb5tgs.c: Constify. + + * kdc/kerberos5.c: Constify. + + * kdc/pkinit.c: Check for KRB5-PADATA-PK-AS-09-BINDING. Constify. + +2007-06-08 Love Hörnquist Åstrand + + * include/Makefile.am: Make krb5-types.h nodist_include_HEADERS. + + * kdc/Makefile.am: EXTRA_DIST += version-script.map. + +2007-06-07 Love Hörnquist Åstrand + + * Makefile.am (print-distdir): print name of dist + + * kdc/pkinit.c: Break out loading of mappings file to a separate + function and remove warning that it can't open the mapping file, + there are now mappings in the db, maybe the users uses that + instead... + + * lib/krb5/crypto.c: Require the raw key have the correct size and + do away with the minsize. Minsize was a thing that originated + from RC2, but since RC2 is done in the x509/cms subsystem now + there is no need to keep that around. + + * lib/hdb/dbinfo.c: If there is no default dbname, also check for + unset mkey_file and set it default mkey name, make backward compat + stuff work. + + * kdc/version-script.map: add new symbols + + * kdc/kdc-replay.c: Also update krb5_context view of what the time + is. + + * configure.in: add tests/can/Makefile + + * kdc/kdc-replay.c: Add --[version|help]. + + * kdc/pkinit.c: Push down the kdc time into the x509 library. + + * kdc/connect.c: Move up krb5_kdc_save_request so we can catch the + reply data too. + + * kdc/kdc-replay.c: verify reply by checking asn1 class, type and + tag of the reply if there is one. 
+ + * kdc/process.c: Save asn1 class, type and tag of the reply if + there is one. Used to verify the reply in kdc-replay. + +2007-06-06 Love Hörnquist Åstrand + + * kdc/kdc_locl.h: extern for request_log. + + * kdc/Makefile.am: Add kdc-replay. + + * kdc/kdc-replay.c: Replay kdc messages to the KDC library. + + * kdc/config.c: Pick up request_log from [kdc]kdc-request-log. + + * kdc/connect.c: Option to save the request to disk. + + * kdc/process.c (krb5_kdc_save_request): save request to file. + + * kdc/process.c (krb5_kdc_process*): dont update _kdc_time + automagicly. + (krb5_kdc_update_time): set or get current kdc-time. + + * kdc/pkinit.c (_kdc_pk_rd_padata): accept both pkcs-7 and + pkauthdata as the signeddata oid + + * kdc/pkinit.c (_kdc_pk_rd_padata): Try to log what went wrong. + +2007-06-05 Love Hörnquist Åstrand + + * kdc/pkinit.c: Use oid_id_pkcs7_data for pkinit-9 encKey reply to + match windows DC behavior better. + +2007-06-04 Love Hörnquist Åstrand + + * configure.in: use test for -framework Security + + * appl/test/uu_server.c: Print status to stdout. + + * kdc/digest.c (digest ntlm): provide log entires by setting ret + to an error. + +2007-06-03 Love Hörnquist Åstrand + + * doc/hx509.texi: Indent crl-sign. + + * doc/hx509.texi: One more crl-sign example. + + * lib/krb5/test_princ.c: plug memory leaks. + + * lib/krb5/pac.c: plug memory leaks. + + * lib/krb5/test_pac.c: plug memory leaks. + + * lib/krb5/test_prf.c: plug memory leak. + + * lib/krb5/test_cc.c: plug memory leaks. + + * doc/hx509.texi: Simple blob about publishing CRLs. + + * doc/win2k.texi: drop text about enctypes. + +2007-06-02 Love Hörnquist Åstrand + + * kdc/pkinit.c: In case of OCSP verification failure, referash + every 5 min. In case of success, refreash 2 min before expiring or + faster. + +2007-05-31 Love Hörnquist Åstrand + + * lib/krb5/krb5_err.et: add error 68, WRONG_REALM + + * kdc/pkinit.c: Handle the ms san in a propper way, still cheat + with the realm name. 
+ + * kdc/kerberos5.c: If _kdc_pk_check_client failes, bail out + directly and hand the error back to the client. + + * lib/krb5/krb5_err.et: Add missing REVOCATION_STATUS_UNAVAILABLE + and fix error message for CLIENT_NAME_MISMATCH. + + * kdc/pkinit.c: More logging for pk-init client mismatch. + + * kdc/kerberos5.c: Also add a KRB5_PADATA_PK_AS_REQ_WIN for + windows pk-init (-9) to make MIT clients happy. + +2007-05-30 Love Hörnquist Åstrand + + * kdc/pkinit.c: Force des3 for win2k. + + * kdc/pkinit.c: Add wrapping to ContentInfo wrapping to + COMPAT_WIN2K. + + * lib/krb5/keytab_keyfile.c: Spelling. + + * kdc/pkinit.c: Allow matching by MS UPN SAN, note that this delta + doesn't deal with case of realm. + +2007-05-16 Love Hörnquist Åstrand + + * lib/krb5/crypto.c (krb5_crypto_overhead): return static overhead + of encryption. + +2007-05-10 Dave Love + + * doc/win2k.texi: Update some URLs. + +2007-05-13 Love Hörnquist Åstrand + + * kuser/kimpersonate.c: Fix version number of ticket, it should be + 5 not the kvno. + +2007-05-08 Love Hörnquist Åstrand + + * doc/setup.texi: Salting is really Encryption types and salting. + +2007-05-07 Love Hörnquist Åstrand + + * doc/setup.texi: spelling, from Ronny Blomme + + * doc/win2k.texi: Fix ksetup /SetComputerPassword, from Ronny + Blomme + +2007-05-02 Love Hörnquist Åstrand + + * lib/hdb/dbinfo.c (hdb_get_dbinfo) If there are no database + specified, create one and let it use the defaults. + +2007-04-27 Love Hörnquist Åstrand + + * lib/hdb/test_dbinfo.c: test acl file + + * lib/hdb/test_dbinfo.c: test acl file + + * lib/hdb/dbinfo.c: add acl file + + * etc: ignore Makefile.in + + * Makefile.am: SUBDIRS += etc + + * configure.in: Add etc/Makefile. 
+ + * etc/Makefile.am: make sure services.append is distributed + +2007-04-24 Love Hörnquist Åstrand + + * kdc: rename windc_init to krb5_kdc_windc_init + + * kdc/version-script.map: version script for libkdc + + * kdc/Makefile.am: version script for libkdc + +2007-04-23 Love Hörnquist Åstrand + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_get_error): + correct the order of the arguments. + + * lib/hdb/Makefile.am: Add and test dbinfo. + + * lib/hdb/hdb.h: Forward declaration for struct hdb_dbinfo; + + * kdc/config.c: Use krb5_kdc_get_config and just fill in what the + users wanted differently. + + * kdc/default_config.c: Make the default configuration fetch info + from the krb5.conf. + +2007-04-22 Love Hörnquist Åstrand + + * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to + determine if to send the session-key, for the second place in the + function. + + * tools/krb5-config.in: rename des to hcrypto + + * kuser/Makefile.am: depend on libheimntlm + + * kuser/kinit.c: Add --ntlm-domain that store the ntlm cred for + this domain if the Kerberos password auth worked. + + * kuser/klist.c: add new option --hidden that doesn't display + principal that starts with @ + + * tools/krb5-config.in: Add heimntlm when we use gssapi. + + * lib/krb5/krb5_ccache.3 (krb5_cc_retrieve_cred): document what to + free 'cred' with. + + * lib/krb5/cache.c (krb5_cc_retrieve_cred): document what to free + 'cred' with. + +2007-04-21 Love Hörnquist Åstrand + + * lib/krb5/store.c (krb5_store_creds_tag): use session.keytype to + determine if to send the session-key. + + * kcm/client.c (kcm_ccache_new_client): make root be able to pass + the name constraints, not the opposite. From Bryan Jacobs. + +2007-04-20 Love Hörnquist Åstrand + + * kcm/acl.c: make compile again. + + * kcm/client.c: fix warning. + + * kcm: First, it allows root to ignore the naming conventions. + Second, it allows root to always perform any operation on any + ccache. 
Note that root could do this anyway with FILE ccaches. + From Bryan Jacobs. + + * Rename libdes to libhcrypto. + +2007-04-19 Love Hörnquist Åstrand + + * kinit: remove code that depend on kerberos 4 library + + * kdc: remove code that depend on kerberos 4 library + + * configure.in: Drop kerberos 4 support. + + * kdc/hpropd.c (main): free the message when done with it. + + * lib/krb5/pkinit.c (_krb5_get_init_creds_opt_free_pkinit): + remember to free memory too. + + * lib/krb5/pkinit.c (pk_rd_pa_reply_dh): free content-type when + done. + + * configure.in: test rk_VERSIONSCRIPT + +2007-04-18 Love Hörnquist Åstrand + + * fix-export: remove, all done by make dist now + +2007-04-15 Love Hörnquist Åstrand + + * lib/krb5/krb5_get_credentials.3: spelling, from Jason McIntyre + +2007-04-11 Love Hörnquist Åstrand + + * kdc/kstash.8: Spelling, from raga + via Bjorn Sandell. + + * lib/krb5/store_mem.c: indent. + + * lib/krb5/recvauth.c: Set error string. + + * lib/krb5/rd_req.c: clear error strings. + + * lib/krb5/rd_cred.c: clear error string. + + * lib/krb5/pkinit.c: Set error strings. + + * lib/krb5/get_cred.c: Tell what principal we are not finding for + all KRB5_CC_NOTFOUND. + +2007-02-22 Love Hörnquist Åstrand + + * kdc/kerberos5.c: Return the same error codes as a windows KDC. + + * kuser/kinit.c: KRB5KDC_ERR_PREAUTH_FAILED is also a password + failed. + + * kdc/kerberos5.c: Make handling of replying e_data more generic, + from metze. + + * kdc/kerberos5.c: Fix (string const and shadow) warnings, from + metze. + + * lib/krb5/pac.c: Create the PAC element in the same order as + w2k3, maybe there's some broken code in windows which relies on + this... From metze. + + * kdc/kerberos5.c: Select a session enctype from the list of the + crypto systems supported enctype, is supported by the client and + is one of the enctype of the enctype of the krbtgt. 
+ + The later is used as a hint what enctype all KDC are supporting to + make sure a newer version of KDC wont generate a session enctype + that and older version of a KDC in the same realm can't decrypt. + + But if the KDC admin is paranoid and doesn't want to have "no the + best" enctypes on the krbtgt, lets save the best pick from the + client list and hope that that will work for any other KDCs. + + Reported by metze. + + * kdc/hprop.c (propagate_database): on any failure, drop the + connection to the peer and try next one. + +2007-02-18 Love Hörnquist Åstrand + + * lib/krb5/krb5_get_init_creds.3: document new options. + + * kdc/krb5tgs.c: Only check service key for cross realm PACs. + + * lib/krb5/init_creds.c: use the new merged flags field. + (krb5_get_init_creds_opt_set_win2k): new function, turn on all w2k + compat flags. + + * lib/krb5/init_creds_pw.c: use the new merged flags field. + + * lib/krb5/krb5_locl.h: merge all flags into one entity + +2007-02-11 Dave Love + + * lib/krb5/krb5_aname_to_localname.3: Small fixes + + * lib/krb5/krb5_digest.3: Small fixes + + * kuser/kimpersonate.1: Small fixes + +2007-02-17 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c (find_pa_data): if there is no list, + there is no entry. + + * kdc/krb5tgs.c: Don't check PACs on cross realm requests. + + * lib/krb5/krb5.h: add KRB5_KU_CANONICALIZED_NAMES. + + * lib/krb5/init_creds_pw.c: Verify client referral data. + + * kdc/kerberos5.c: switch some "return ret" to "goto out". + + * kdc/kerberos5.c: Pass down canonicalize request to hdb layer, + sign client referrals. + + * lib/hdb/hdb.h: Add HDB_F_CANON. + + * lib/hdb: add simple alias support to the database backends + +2007-02-16 Love Hörnquist Åstrand + + * kuser/kinit.c: Add canonicalize flag. + + * lib/krb5/init_creds_pw.c: Use EXTRACT_TICKET_* flags, support + canonicalize. + + * lib/krb5/init_creds.c (krb5_get_init_creds_opt_set_canonicalize): + new function. + + * lib/krb5/get_cred.c: Use EXTRACT_TICKET_* flags. 
+ + * lib/krb5/get_in_tkt.c: Use EXTRACT_TICKET_* flags. + + * lib/krb5/krb5_locl.h: Add EXTRACT_TICKET_* flags. + +2007-02-15 Love Hörnquist Åstrand + + * lib/krb5/test_princ.c: test parsing enterprise-names. + + * lib/krb5/principal.c: Add support for parsing enterprise-names. + + * lib/krb5/krb5.h: Add KRB5_PRINCIPAL_PARSE_ENTERPRISE. + + * lib/hdb/hdb-ldap.c: Make work again. + +2007-02-11 Dave Love + + * kcm/client.c (kcm_ccache_new_client): Cast snprintf'ed value. + +2007-02-10 Love Hörnquist Åstrand + + * doc/setup.texi: prune trailing space + + * lib/hdb/db.c: Be better at setting and clearing error string. + + * lib/hdb/hdb.c: Be better at setting and clearing error string. + +2007-02-09 Love Hörnquist Åstrand + + * lib/krb5/keytab.c (krb5_kt_get_entry): Use krb5_kt_get_full_name + to print out the keytab name. + + * doc/setup.texi: Spelling, from Guido Guenther + +2007-02-08 Love Hörnquist Åstrand + + * lib/krb5/rd_cred.c: Plug memory leak, from Michael B Allen. + +2007-02-06 Love Hörnquist Åstrand + + * lib/krb5/test_store.c (test_uint16): unsigned ints can't be + negative + +2007-02-03 Love Hörnquist Åstrand + + * kdc/pkinit.c: pass extra flags for detached signatures. + + * lib/krb5/pkinit.c: pass extra flags for detached signatures. + + * kdc/digest.c: Remove debug output. + + * kuser/kdigest.c: Add support for ms-chap-v2 client. + +2007-02-02 Love Hörnquist Åstrand + + * kdc/digest.c: Fix ms-chap-v2 get_masterkey + + * kdc/digest.c: Fix ms-chap-v2 mutual response auth code. + + * kuser/kdigest.c: Print session key if there is one. + + * lib/krb5/digest.c: rename hash-a1 to session key + + * kdc/digest.c: Add get_master from RFC 3079 3.4 for MS-CHAP-V2 + + * kuser/kdigest.c: print rsp if there is one, from Klas. + + * kdc/digest.c: Use right size, from Klas Lindfors. + + * kuser/kdigest.c: Set client nonce if avaible, from Klas. + + * kdc/digest.c: First version from kllin. + + * kuser/kdigest.c: Don't restrict the type. 
+ +2007-02-01 Love Hörnquist Åstrand + + * kuser/kdigest-commands.in: add --client-response + + * kuser/kdigest.c: Print status instead of response. + + * kdc/digest.c: Better logging and return status = FALSE when + checksum doesn't match. + + * kdc/digest.c: Check the digest response in the KDC. + + * lib/krb5/digest.c: New functions to send in requestResponse to + KDC and get status of the request. + + * kdc/digest.c: Add support for MS-CHAP v2. + + * lib/hdb/hdb-ldap.c: Set hdb->hdb_db for ldap. + +2007-01-31 Love Hörnquist Åstrand + + * fix-export: Make hx509.info too + + * kdc/digest.c: don't verify identifier in CHAP, its the client + that chooses it. + +2007-01-23 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: Basic test of prf. + + * lib/krb5/test_prf.c: Basic test of prf. + + * lib/krb5/mit_glue.c: Add MIT glue for Kerberos RFC 3961 PRF + functions. + + * lib/krb5/crypto.c: Add Kerberos RFC 3961 PRF functions. + + * lib/krb5/krb5_data.3: Document krb5_data_cmp. + + * lib/krb5/data.c: Add krb5_data_cmp. + +2007-01-20 Love Hörnquist Åstrand + + * kdc/kx509.c: Don't use C99 syntax. + +2007-01-17 Love Hörnquist Åstrand + + * configure.in: its LIBADD_roken (and shouldn't really exist, our + libtool usage it broken) + + * configure.in: Add an extra variable for roken, LIBADD, that + should be used for library depencies. + + * lib/krb5/send_to_kdc.c (krb5_sendto): zero out receive buffer. + + * lib/krb5/krb5_init_context.3: fix mdoc errors + + * Heimdal 0.8 branch cut today + + * doc/hx509.texi: Spelling and more about proxy certificates. + + * configure.in: check for arc4random + +2007-01-16 Love Hörnquist Åstrand + + * lib/krb5/send_to_kdc.c (krb5_sendto): zero receive krb5_data + before starting + + * tools/heimdal-build.sh: make cvs keep quiet + + * kuser/kverify.c: Use argument as principal if passed an + argument. Bug report from Douglas E. 
Engert + +2007-01-15 Love Hörnquist Åstrand + + * lib/krb5/rd_req.c (krb5_rd_req_ctx): The code failed to consider + the enc_tkt_in_skey case, from Douglas E. Engert. + + * kdc/kx509.c: Issue certificates. + + * kdc/config.c: Parse kx509/kca configuration. + + * kdc/kdc.h: add kx509 config + +2007-01-14 Love Hörnquist Åstrand + + * kdc/kerberos5.c (_kdc_find_padata): if there is not padata, + there is nothing find. + + * doc/hx509.texi: Examples for pk-init. + + * doc/hx509.texi: About extending ca lifetime and sub cas. + +2007-01-13 Love Hörnquist Åstrand + + * doc/hx509.texi: More about certificates. + +2007-01-12 Love Hörnquist Åstrand + + * doc/hx509.texi: add Application requirements and write about + xmpp/jabber. + +2007-01-11 Love Hörnquist Åstrand + + * doc/hx509.texi: More about issuing certificates. + + * doc/hx509.texi: Start of a x.509 manual. + + * include/Makefile.am: remove install headerfiles + + * lib/krb5/test_pac.c: Use more interesting data to cause more + errors. + + * include/Makefile.am: remove install headerfiles + + * lib/krb5/mcache.c: MCC_CURSOR not used, remove. + + * lib/krb5/crypto.c: macro kcrypto_oid_enc now longer used + + * lib/krb5/rd_safe.c (krb5_rd_safe): set length before trying to + allocate data + +2007-01-10 Love Hörnquist Åstrand + + * doc/setup.texi: Hint about hxtool validate. + + * appl/test/uu_server.c: print both "server" and "client" + + * kdc/krb5tgs.c: Rename keys to be more obvious what they do. + + * kdc/kerberos5.c: Use other keys to sign PAC with. From Andrew + Bartlett + + * kdc/windc.c: ident, spelling. + + * kdc/windc_plugin.h: indent. + + * kdc/krb5tgs.c: Pass down server entry to verify_pac function. + from Andrew Bartlett + + * kdc/windc.c: pass down server entry to verify_pac function, from + Andrew Bartlett + + * kdc/windc_plugin.h: pass down server entry to verify_pac + function, from Andrew Bartlett + + * configure.in: Provide a automake symbol ENABLE_SHARED if shared + libraries are built. 
+ + * lib/krb5/rd_req.c (krb5_rd_req_ctx): Use the correct keyblock + when verifying the PAC. From Andrew Bartlett. + +2007-01-09 Love Hörnquist Åstrand + + * lib/krb5/test_pac.c: move around to code test on real PAC. + + * lib/krb5/pac.c: A tiny 2 char diffrence that make the code work + for real. + + * lib/krb5/test_pac.c: Test more PAC (note that the values used in + this test is wrong, they have to be fixed when the pac code is + fixed). + + * doc/setup.texi: Update to new hxtool issue-certificate usage + + * lib/krb5/init_creds_pw.c: Make sure we don't sent both ENC-TS + and PK-INIT pa data, no need to expose our password protecting our + PKCS12 key. + + * kuser/klist.c (print_cred_verbose): include ticket length in the + verbose output + +2007-01-08 Love Hörnquist Åstrand + + * lib/krb5/acache.c (loadlib): pass RTLD_LAZY to dlopen, without + it linux is unhappy. + + * lib/krb5/plugin.c (loadlib): pass RTLD_LAZY to dlopen, without + it linux is unhappy. + + * lib/krb5/name-45-test.c: One of the hosts I sometimes uses is + named "bar.domain", this make one of the tests pass when it + shouldn't. + +2007-01-05 Love Hörnquist Åstrand + + * doc/setup.texi: Change --key argument to --out-key. + + * kuser/kimpersonate.1: mangle my name + +2007-01-04 Love Hörnquist Åstrand + + * doc/setup.texi: describe how to use hx509 to create + certificates. + + * tools/heimdal-build.sh: Add --distcheck. + + * kdc/kerberos5.c: Check for KRB5_PADATA_PA_PAC_REQUEST to check + if we should include the PAC in the krbtgt. + + * kdc/pkinit.c (_kdc_as_rep): check if + krb5_generate_random_keyblock failes. + + * kdc/kerberos5.c (_kdc_as_rep): check if + krb5_generate_random_keyblock failes. + + * kdc/krb5tgs.c (tgs_build_reply): check if + krb5_generate_random_keyblock failes. + + * kdc/krb5tgs.c: Scope etype. + + * lib/krb5/rd_req.c: Make it possible to turn off PAC check, its + default on. + + * lib/krb5/rd_req.c (krb5_rd_req_ctx): If there is a PAC, verify + its server signature. 
+ + * kdc/kerberos5.c (_kdc_as_rep): call windc client access hook. + (_kdc_tkt_add_if_relevant_ad): constify in data argument. + + * kdc/windc_plugin.h: More comments add a client_access hook. + + * kdc/windc.c: Add _kdc_windc_client_access. + + * kdc/krb5tgs.c: rename functions after export some more pac + functions. + + * lib/krb5/test_pac.c: export some more pac functions. + + * lib/krb5/pac.c: export some more pac functions. + + * kdc/krb5tgs.c: Resign the PAC in tgsreq if we have a PAC. + + * configure.in: add tests/plugin/Makefile + +2007-01-03 Love Hörnquist Åstrand + + * kdc/krb5tgs.c: Get right key for PAC krbtgt verification. + + * kdc/config.c: spelling + + * lib/krb5/krb5.h: typedef for krb5_pac. + + * kdc/headers.h: Include . + + * kdc/Makefile.am: Include windc.c and use windc_plugin.h + + * kdc/krb5tgs.c: Call callbacks for emulating a Windows Domain + Controller. + + * kdc/kerberos5.c: Call callbacks for emulating a Windows Domain + Controller. Move the some of the log related stuff to its own + function. + + * kdc/config.c: Init callbacks for emulating a Windows Domain + Controller. + + * kdc/windc.c: Rename the init function to windc instead of pac. + + * kdc/windc.c: Callbacks specific to emulating a Windows Domain + Controller. + + * kdc/windc_plugin.h: Callbacks specific to emulating a Windows + Domain Controller. + + * lib/krb5/Makefile.am: add krb5_HEADERS to build_HEADERZ + + * lib/krb5/pac.c: Support all keyed checksum types. + +2007-01-02 Love Hörnquist Åstrand + + * lib/krb5/pac.c (krb5_pac_get_types): Return list of types. + + * lib/krb5/test_pac.c: test krb5_pac_get_types + + * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. + + * lib/krb5/krbhst.c: Add KRB5_KRBHST_KCA. + + * lib/krb5/krb5.h: Add KRB5_KRBHST_KCA. + + * lib/krb5/test_pac.c: test Add/remove pac buffer functions. + + * lib/krb5/pac.c: Add/remove pac buffer functions. + + * lib/krb5/pac.c: sprinkle const + + * lib/krb5/pac.c: rename DCHECK to CHECK + + * Happy New Year. 
diff --git a/third_party/heimdal/HEIMDAL-LICENCE.txt b/third_party/heimdal/HEIMDAL-LICENCE.txt new file mode 100644 index 0000000..18d03d7 --- /dev/null +++ b/third_party/heimdal/HEIMDAL-LICENCE.txt 
@@ -0,0 +1,44 @@ +This is a copy of the standard copyright notice on most files in the +heimdal tree. This license is confidered to be GPL compatible by the +Free Software Foundation (see http://www.fsf.org/licensing/licenses/index_html#GPLCompatibleLicenses) + +Note that the list of copyright holders varies between the individial +files. Also note that this Samba4 MODIFIED VERSION may depend on GPL'ed +libraries. + +Many thanks to the Heimdal developers for their support and +cooperation in the use of the heimdal code in Samba. + + +/* + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan and others. + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ diff --git a/third_party/heimdal/LICENSE b/third_party/heimdal/LICENSE new file mode 100644 index 0000000..c76fc23 --- /dev/null +++ b/third_party/heimdal/LICENSE 
@@ -0,0 +1,33 @@ +Copyright (c) 1995 - 2014 Kungliga Tekniska Högskolan +(Royal Institute of Technology, Stockholm, Sweden). +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + + +Please see info documentation for the complete list of licenses. diff --git a/third_party/heimdal/Makefile.am b/third_party/heimdal/Makefile.am new file mode 100644 index 0000000..b9bdcf4 --- /dev/null +++ b/third_party/heimdal/Makefile.am 
@@ -0,0 +1,70 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +if KCM +kcm_dir = kcm +endif + +SUBDIRS= include lib kuser kdc admin kadmin kpasswd +SUBDIRS+= $(kcm_dir) appl tools tests packages etc po + +if HEIMDAL_DOCUMENTATION +SUBDIRS+= doc +endif + + + +## ACLOCAL = @ACLOCAL@ -I cf +ACLOCAL_AMFLAGS = -I cf + +EXTRA_DIST = \ + NTMakefile \ + windows \ + TODO \ + LICENSE \ + README \ + ChangeLog \ + ChangeLog.1998 \ + ChangeLog.1999 \ + ChangeLog.2000 \ + ChangeLog.2001 \ + ChangeLog.2002 \ + ChangeLog.2003 \ + ChangeLog.2004 \ + ChangeLog.2005 \ + ChangeLog.2006 \ + Makefile.am.common \ + autogen.sh \ + krb5.conf \ + cf/make-proto.pl \ + cf/roken-h-process.pl \ + cf/install-catman.sh \ + cf/ChangeLog \ + cf/c-function.m4 \ + cf/ChangeLog \ + cf/have-pragma-weak.m4 \ + cf/have-types.m4 \ + cf/krb-prog-ranlib.m4 \ + cf/krb-prog-yacc.m4 \ + cf/krb-sys-aix.m4 \ + cf/krb-sys-nextstep.m4 \ + cf/roken.m4 \ + cf/valgrind-suppressions \ + cf/maybe-valgrind.sh \ + cf/symbol-version.py \ + cf/w32-check-exported-symbols.pl \ + cf/w32-def-from-dll.pl \ + cf/w32-detect-vc-version.pl \ + cf/w32-hh-toc-from-info.pl \ + cf/w32-list-externs-from-objs.pl \ + cf/vararray.m4 + +print-distdir: + @echo $(distdir) + +clean-local-gcov: + find . '(' -name '*.gcno' -o -name '*.gcda' -o -name '*.gcov' ')' -a -print|xargs rm -f + +.PHONY: clean-local-gcov + diff --git a/third_party/heimdal/Makefile.am.common b/third_party/heimdal/Makefile.am.common new file mode 100644 index 0000000..7f10e71 --- /dev/null +++ b/third_party/heimdal/Makefile.am.common @@ -0,0 +1,4 @@ +# $Id$ + +include $(top_srcdir)/cf/Makefile.am.common + diff --git a/third_party/heimdal/NEWS b/third_party/heimdal/NEWS new file mode 100644 index 0000000..79efe80 --- /dev/null +++ b/third_party/heimdal/NEWS 
@@ -0,0 +1,1152 @@ +Release Notes - Heimdal - Version Heimdal 7.3 + + Security + + - Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently + caused the previous hop realm to not be added to the transit path + of issued tickets. This may, in some cases, enable bypass of capath + policy in Heimdal versions 1.5 through 7.2. + + Note, this may break sites that rely on the bug. With the bug some + incomplete [capaths] worked, that should not have. These may now break + authentication in some cross-realm configurations. + (CVE-2017-6594) + +Release Notes - Heimdal - Version Heimdal 7.2 + + Bug fixes + - Portability improvements + - More strict parsing of encoded URI components in HTTP KDC + - Fixed memory leak in malloc error recovery in NTLM GSSAPI mechanism + - Avoid overly specific CPU info in krb5-config in aid of reproducible builds + - Don't do AFS string-to-key tests when feature is disabled + - Skip mdb_stat test when the command is not available + - Windows: update SHA2 timestamp server + - hdb: add missing export hdb_generate_key_set_password_with_ks_tuple + - Fix signature of hdb_generate_key_set_password() + - Windows: enable KX509 support in the KDC + - kdc: fix kx509 service principal match + - iprop: handle case where master sends nothing new + - ipropd-slave: fix incorrect error codes + - Allow choice of sqlite for HDB pref + - check-iprop: don't fail to kill daemons + - roken: pidfile -> rk_pidfile + - kdc: _kdc_do_kx509 fix use after free error + - Do not detect x32 as 64-bit platform. 
+ - No sys/ttydefaults.h on CYGWIN + - Fix check-iprop races + - roken_detach_prep() close pipe + +Release Notes - Heimdal - Version Heimdal 7.1 + + Security + + - kx509 realm-chopping security bug + - non-authorization of alias additions/removals in kadmind + (CVE-2016-2400) + + Feature + + - iprop has been revamped to fix a number of race conditions that could + lead to inconsistent replication + - Hierarchical capath support + - AES Encryption with HMAC-SHA2 for Kerberos 5 + draft-ietf-kitten-aes-cts-hmac-sha2-11 + - hcrypto is now thread safe on all platforms + - libhcrypto has new backends: CNG (Windows), PKCS#11 (mainly for + Solaris), and OpenSSL. OpenSSL is now a first-class libhcrypto backend. + OpenSSL 1.0.x and 1.1 are both supported. AES-NI used when supported by + backend + - HDB now supports LMDB + - Thread support on Windows + - RFC 6113 Generalized Framework for Kerberos Pre-Authentication (FAST) + - New GSS APIs: + . gss_localname + - Allow setting what encryption types a principal should have with + [kadmin] default_key_rules, see krb5.conf manpage for more info + - Unify libhcrypto with LTC (libtomcrypto) + - asn1_compile 64-bit INTEGER functionality + - HDB key history support including --keepold kadmin password option + - Improved cross-realm key rollover safety + - New krb5_kuserok() and krb5_aname_to_localname() plug-in interfaces + - Improved MIT compatibility + . kadm5 API + . Migration from MIT KDB via "mitdb" HDB backend + . Capable of writing the HDB in MIT dump format + - Improved Active Directory interoperability + . Enctype selection issues for PAC and other authz-data signatures + . Cross realm key rollover (kvno 0) + - New [kdc] enctype negotiation configuration: + . tgt-use-strongest-session-key + . svc-use-strongest-session-key + . preauth-use-strongest-session-key + . 
use-strongest-server-key + - The KDC process now uses a multi-process model improving + resiliency and performance + - Allow batch-mode kinit with password file + - SIGINFO support added to kinit cmd + - New kx509 configuration options: + . kx509_ca + . kca_service + . kx509_include_pkinit_san + . kx509_template + - Improved Heimdal library/plugin version safety + - Name canonicalization + . DNS resolver searchlist + . Improved referral support + . Support host:port host-based services + - Pluggable libheimbase interface for DBs + - Improve IPv6 Support + - LDAP + . Bind DN and password + . Start TLS + - klist --json + - DIR credential cache type + - Updated upstream SQLite and libedit + - Removed legacy applications: ftp, kx, login, popper, push, rcp, rsh, + telnet, xnlock + - Completely remove RAND_egd support + - Moved kadmin and ktutil to /usr/bin + - Stricter fcache checks (see fcache_strict_checking krb5.conf setting) + . use O_NOFOLLOW + . don't follow symlinks + . require cache files to be owned by the user + . 
require sensible permissions (not group/other readable) + - Implemented gss_store_cred() + - Many more + + Bug fixes + - iprop has been revamped to fix a number of race conditions that could + lead to data loss + - Include non-loopback addresses assigned to loopback interfaces + when requesting tickets with addresses + - KDC 1DES session key selection (for AFS rxkad-k5 compatibility) + - Keytab file descriptor and lock leak + - Credential cache corruption bugs + (NOTE: The FILE ccache is still not entirely safe due to the + fundamentally unsafe design of POSIX file locking) + - gss_pseudo_random() interop bug + - Plugins are now preferentially loaded from the run-time install tree + - Reauthentication after password change in init_creds_password + - Memory leak in the client kadmin library + - TGS client requests renewable/forwardable/proxiable when possible + - Locking issues in DB1 and DB3 HDB backends + - Master HDB can remain locked while waiting for network I/O + - Renewal/refresh logic when kinit is provided with a command + - KDC handling of enterprise principals + - Use correct bit for anon-pkinit + - Many more + + Acknowledgements + + This release of Heimdal includes contributions from: + + Abhinav Upadhyay Heath Kehoe Nico Williams + Andreas Schneider Henry Jacques Patrik Lundin + Andrew Bartlett Howard Chu Philip Boulain + Andrew Tridgell Igor Sobrado Ragnar Sundblad + Antoine Jacoutot Ingo Schwarze Remi Ferrand + Arran Cudbard-Bell Jakub Čajka Rod Widdowson + Arvid Requate James Le Cuirot Rok Papež + Asanka Herath James Lee Roland C. 
Dowdeswell + Ben Kaduk Jeffrey Altman Ross L Richardson + Benjamin Kaduk Jeffrey Clark Russ Allbery + Bernard Spil Jeffrey Hutzelman Samuel Cabrero + Brian May Jelmer Vernooij Samuel Thibault + Chas Williams Ken Dreyer Santosh Kumar Pradhan + Chaskiel Grundman Kiran S J Sean Davis + Dana Koch Kumar Thangavelu Sergio Gelato + Daniel Schepler Landon Fuller Simon Wilkinson + David Mulder Linus Nordberg Stef Walter + Douglas Bagnall Love Hörnquist Åstrand Stefan Metzmacher + Ed Maste Luke Howard Steffen Jaeckel + Eray Aslan Magnus Ahltorp Timothy Pearson + Florian Best Marc Balmer Tollef Fog Heen + Fredrik Pettai Marcin Cieślak Tony Acero + Greg Hudson Marco Molteni Uri Simchoni + Gustavo Zacarias Matthieu Hautreux Viktor Dukhovni + Günther Deschner Michael Meffie Volker Lendecke + Harald Barth Moritz Lenz + +Release Notes - Heimdal - Version Heimdal 1.5.3 + + Bug fixes + - Fix leaking file descriptors in KDC + - Better socket/timeout handling in libkrb5 + - General bug fixes + - Build fixes + +Release Notes - Heimdal - Version Heimdal 1.5.2 + + Security fixes + - CVE-2011-4862 Buffer overflow in libtelnet/encrypt.c in telnetd - escalation of privilege + - Check that key types strictly match - denial of service + +Release Notes - Heimdal - Version Heimdal 1.5.1 + + Bug fixes + - Fix building on Solaris, requires c99 + - Fix building on Windows + - Build system updates + +Release Notes - Heimdal - Version Heimdal 1.5 + +New features + + - Support GSS name extensions/attributes + - SHA512 support + - No Kerberos 4 support + - Basic support for MIT Admin protocol (SECGSS flavor) + in kadmind (extract keytab) + - Replace editline with libedit + +Release Notes - Heimdal - Version Heimdal 1.4 + + New features + + - Support for reading MIT database file directly + - KCM is polished up and now used in production + - NTLM first class citizen, credentials stored in KCM + - Table driven ASN.1 compiler, smaller!, not enabled by default + - Native Windows client support + +Notes + 
+ - Disabled write support NDBM hdb backend (read still in there) since + it can't handle large records, please migrate to a diffrent backend + (like BDB4) + +Release Notes - Heimdal - Version Heimdal 1.3.3 + + Bug fixes + - Check the GSS-API checksum exists before trying to use it [CVE-2010-1321] + - Check NULL pointers before dereference them [kdc] + +Release Notes - Heimdal - Version Heimdal 1.3.2 + + Bug fixes + + - Don't mix length when clearing hmac (could memset too much) + - More paranoid underrun checking when decrypting packets + - Check the password change requests and refuse to answer empty packets + - Build on OpenSolaris + - Renumber AD-SIGNED-TICKET since it was stolen from US + - Don't cache /dev/*random file descriptor, it doesn't get unloaded + - Make C++ safe + - Misc warnings + +Release Notes - Heimdal - Version Heimdal 1.3.1 + + Bug fixes + + - Store KDC offset in credentials + - Many many more bug fixes + +Release Notes - Heimdal - Version Heimdal 1.3.1 + + New features + + - Make work with OpenLDAPs krb5 overlay + +Release Notes - Heimdal - Version Heimdal 1.3 + + New features + + - Partial support for MIT kadmind rpc protocol in kadmind + - Better support for finding keytab entries when using SPN aliases in the KDC + - Support BER in ASN.1 library (needed for CMS) + - Support decryption in Keychain private keys + - Support for new sqlite based credential cache + - Try both KDC referals and the common DNS reverse lookup in GSS-API + - Fix the KCM to not leak resources on failure + - Add IPv6 support to iprop + - Support localization of error strings in + kinit/klist/kdestroy and Kerberos library + - Remove Kerberos 4 support in application (still in KDC) + - Deprecate DES + - Support i18n password in windows domains (using UTF-8) + - More complete API emulation of OpenSSL in hcrypto + - Support for ECDSA and ECDH when linking with OpenSSL + + API changes + + - Support for settin friendly name on credential caches + - Move to using doxygen to 
generate documentation. + - Sprinkling __attribute__((__deprecated__)) for old function to be removed + - Support to export LAST-REQUST information in AS-REQ + - Support for client deferrals in in AS-REQ + - Add seek support for krb5_storage. + - Support for split AS-REQ, first step for IA-KERB + - Fix many memory leaks and bugs + - Improved regression test + - Support krb5_cccol + - Switch to krb5_set_error_message + - Support krb5_crypto_*_iov + - Switch to use EVP for most function + - Use SOCK_CLOEXEC and O_CLOEXEC (close on exec) + - Add support for GSS_C_DELEG_POLICY_FLAG + - Add krb5_cc_[gs]et_config to store data in the credential caches + - PTY testing application + +Bugfixes + - Make building on AIX6 possible. + - Bugfixes in LDAP KDC code to make it more stable + - Make ipropd-slave reconnect when master down gown + + +Release Notes - Heimdal - Version Heimdal 1.2.1 + +* Bug + + [HEIMDAL-147] - Heimdal 1.2 not compiling on Solaris + [HEIMDAL-151] - Make canned tests work again after cert expired + [HEIMDAL-152] - iprop test: use full hostname to avoid realm + resolving errors + [HEIMDAL-153] - ftp: Use the correct length for unmap, msync + +Release Notes - Heimdal - Version Heimdal 1.2 + +* Bug + + [HEIMDAL-10] - Follow-up on bug report for SEGFAULT in + gss_display_name/gss_export_name when using SPNEGO + [HEIMDAL-15] - Re: [Heimdal-bugs] potential bug in Heimdal 1.1 + [HEIMDAL-17] - Remove support for depricated [libdefaults]capath + [HEIMDAL-52] - hdb overwrite aliases for db databases + [HEIMDAL-54] - Two issues which affect credentials delegation + [HEIMDAL-58] - sockbuf.c calls setsockopt with bad args + [HEIMDAL-62] - Fix printing of sig_atomic_t + [HEIMDAL-87] - heimdal 1.1 not building under cygwin in hcrypto + [HEIMDAL-105] - rcp: sync rcp with upstream bsd rcp codebase + [HEIMDAL-117] - Use libtool to detect symbol versioning (Debian Bug#453241) + +* Improvement + [HEIMDAL-67] - Fix locking and store credential in atomic writes + in the FILE 
credential cache + [HEIMDAL-106] - make compile on cygwin again + [HEIMDAL-107] - Replace old random key generation in des module + and use it with RAND_ function instead + [HEIMDAL-115] - Better documentation and compatibility in hcrypto + in regards to OpenSSL + +* New Feature + [HEIMDAL-3] - pkinit alg agility PRF test vectors + [HEIMDAL-14] - Add libwind to Heimdal + [HEIMDAL-16] - Use libwind in hx509 + [HEIMDAL-55] - Add flag to krb5 to not add GSS-API INT|CONF to + the negotiation + [HEIMDAL-74] - Add support to report extended error message back + in AS-REQ to support windows clients + [HEIMDAL-116] - test pty based application (using rkpty) + [HEIMDAL-120] - Use new OpenLDAP API (older deprecated) + +* Task + [HEIMDAL-63] - Dont try key usage KRB5_KU_AP_REQ_AUTH for TGS-REQ. + This drop compatibility with pre 0.3d KDCs. + [HEIMDAL-64] - kcm: first implementation of kcm-move-cache + [HEIMDAL-65] - Failed to compile with --disable-pk-init + [HEIMDAL-80] - verify that [VU#162289]: gcc silently discards some + wraparound checks doesn't apply to Heimdal + +Changes in release 1.1 + + * Read-only PKCS11 provider built-in to hx509. + + * Documentation for hx509, hcrypto and ntlm libraries improved. + + * Better compatibilty with Windows 2008 Server pre-releases and Vista. + + * Mac OS X 10.5 support for native credential cache. + + * Provide pkg-config file for Heimdal (heimdal-gssapi.pc). + + * Bug fixes. + +Changes in release 1.0.2 + +* Ubuntu packages. + +* Bug fixes. + +Changes in release 1.0.1 + + * Serveral bug fixes to iprop. + + * Make work on platforms without dlopen. + + * Add RFC3526 modp group14 as default. + + * Handle [kdc] database = { } entries without realm = stanzas. + + * Make krb5_get_renewed_creds work. + + * Make kaserver preauth work again. + + * Bug fixes. + +Changes in release 1.0 + + * Add gss_pseudo_random() for mechglue and krb5. + + * Make session key for the krbtgt be selected by the best encryption + type of the client. 
+ + * Better interoperability with other PK-INIT implementations. + + * Inital support for Mac OS X Keychain for hx509. + + * Alias support for inital ticket requests. + + * Add symbol versioning to selected libraries on platforms that uses + GNU link editor: gssapi, hcrypto, heimntlm, hx509, krb5, and libkdc. + + * New version of imath included in hcrypto. + + * Fix memory leaks. + + * Bugs fixes. + +Changes in release 0.8.1 + + * Make ASN.1 library less paranoid to with regard to NUL in string to + make it inter-operate with MIT Kerberos again. + + * Make GSS-API library work again when using gss_acquire_cred + + * Add symbol versioning to libgssapi when using GNU ld. + + * Fix memory leaks + + * Bugs fixes + +Changes in release 0.8 + + * PK-INIT support. + + * HDB extensions support, used by PK-INIT. + + * New ASN.1 compiler. + + * GSS-API mechglue from FreeBSD. + + * Updated SPNEGO to support RFC4178. + + * Support for Cryptosystem Negotiation Extension (RFC 4537). + + * A new X.509 library (hx509) and related crypto functions. + + * A new ntlm library (heimntlm) and related crypto functions. + + * Updated the built-in crypto library with bignum support using + imath, support for RSA and DH and renamed it to libhcrypto. + + * Subsystem in the KDC, digest, that will perform the digest + operation in the KDC, currently supports: CHAP, MS-CHAP-V2, SASL + DIGEST-MD5 NTLMv1 and NTLMv2. + + * KDC will return the "response too big" error to force TCP retries + for large (default 1400 bytes) UDP replies. This is common for + PK-INIT requests. + + * Libkafs defaults to use 2b tokens. + + * Default to use the API cache on Mac OS X. + + * krb5_kuserok() also checks ~/.k5login.d directory for acl files, + see manpage for krb5_kuserok for description. + + * Many, many, other updates to code and info manual and manual pages. 
+ + * Bug fixes + +Changes in release 0.7.2 + +* Fix security problem in rshd that enable an attacker to overwrite + and change ownership of any file that root could write. + +* Fix a DOS in telnetd. The attacker could force the server to crash + in a NULL de-reference before the user logged in, resulting in inetd + turning telnetd off because it forked too fast. + +* Make gss_acquire_cred(GSS_C_ACCEPT) check that the requested name + exists in the keytab before returning success. This allows servers + to check if its even possible to use GSSAPI. + +* Fix receiving end of token delegation for GSS-API. It still wrongly + uses subkey for sending for compatibility reasons, this will change + in 0.8. + +* telnetd, login and rshd are now more verbose in logging failed and + successful logins. + +* Bug fixes + +Changes in release 0.7.1 + +* Bug fixes + +Changes in release 0.7 + + * Support for KCM, a process based credential cache + + * Support CCAPI credential cache + + * SPNEGO support + + * AES (and the gssapi conterpart, CFX) support + + * Adding new and improve old documentation + + * Bug fixes + +Changes in release 0.6.6 + +* Fix security problem in rshd that enable an attacker to overwrite + and change ownership of any file that root could write. + +* Fix a DOS in telnetd. The attacker could force the server to crash + in a NULL de-reference before the user logged in, resulting in inetd + turning telnetd off because it forked too fast. 
+ +Changes in release 0.6.5 + + * fix vulnerabilities in telnetd + + * unbreak Kerberos 4 and kaserver + +Changes in release 0.6.4 + + * fix vulnerabilities in telnet + + * rshd: encryption without a separate error socket should now work + + * telnet now uses appdefaults for the encrypt and forward/forwardable + settings + + * bug fixes + +Changes in release 0.6.3 + + * fix vulnerabilities in ftpd + + * support for linux AFS /proc "syscalls" + + * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in + kpasswdd + + * fix possible KDC denial of service + + * bug fixes + +Changes in release 0.6.2 + + * Fix possible buffer overrun in v4 kadmin (which now defaults to off) + +Changes in release 0.6.1 + + * Fixed ARCFOUR suppport + + * Cross realm vulnerability + + * kdc: fix denial of service attack + + * kdc: stop clients from renewing tickets into the future + + * bug fixes + +Changes in release 0.6 + +* The DES3 GSS-API mechanism has been changed to inter-operate with + other GSSAPI implementations. See man page for gssapi(3) how to turn + on generation of correct MIC messages. Next major release of heimdal + will generate correct MIC by default. 
+ +* More complete GSS-API support + +* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS + support in applications no longer requires Kerberos 4 libs + +* Kerberos 4 support in kdc defaults to turned off (includes ka and 524) + +* other bug fixes + +Changes in release 0.5.2 + + * kdc: add option for disabling v4 cross-realm (defaults to off) + + * bug fixes + +Changes in release 0.5.1 + + * kadmind: fix remote exploit + + * kadmind: add option to disable kerberos 4 + + * kdc: make sure kaserver token life is positive + + * telnet: use the session key if there is no subkey + + * fix EPSV parsing in ftp + + * other bug fixes + +Changes in release 0.5 + + * add --detach option to kdc + + * allow setting forward and forwardable option in telnet from + .telnetrc, with override from command line + + * accept addresses with or without ports in krb5_rd_cred + + * make it work with modern openssl + + * use our own string2key function even with openssl (that handles weak + keys incorrectly) + + * more system-specific requirements in login + + * do not use getlogin() to determine root in su + + * telnet: abort if telnetd does not support encryption + + * update autoconf to 2.53 + + * update config.guess, config.sub + + * other bug fixes + +Changes in release 0.4e + + * improve libcrypto and database autoconf tests + + * do not care about salting of server principals when serving v4 requests + + * some improvements to gssapi library + + * test for existing compile_et/libcom_err + + * portability fixes + + * bug fixes + +Changes in release 0.4d + + * fix some problems when using libcrypto from openssl + + * handle /dev/ptmx `unix98' ptys on Linux + + * add some forgotten man pages + + * rsh: clean-up and add man page + + * fix -A and -a in builtin-ls in tpd + + * fix building problem on Irix + + * make `ktutil get' more efficient + + * bug fixes + +Changes in release 0.4c + + * fix buffer overrun in telnetd + + * repair some of the v4 fallback code in kinit + + * 
add more shared library dependencies + + * simplify and fix hprop handling of v4 databases + + * fix some building problems (osf's sia and osfc2 login) + + * bug fixes + +Changes in release 0.4b + + * update the shared library version numbers correctly + +Changes in release 0.4a + + * corrected key used for checksum in mk_safe, unfortunately this + makes it backwards incompatible + + * update to autoconf 2.50, libtool 1.4 + + * re-write dns/config lookups (krb5_krbhst API) + + * make order of using subkeys consistent + + * add man page links + + * add more man pages + + * remove rfc2052 support, now only rfc2782 is supported + + * always build with kaserver protocol support in the KDC (assuming + KRB4 is enabled) and support for reading kaserver databases in + hprop + +Changes in release 0.3f + + * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, + the new keytab type that tries both of these in order (SRVTAB is + also an alias for krb4:) + + * improve error reporting and error handling (error messages should + be more detailed and more useful) + + * improve building with openssl + + * add kadmin -K, rcp -F + + * fix two incorrect weak DES keys + + * fix building of kaserver compat in KDC + + * the API is closer to what MIT krb5 is using + + * more compatible with windows 2000 + + * removed some memory leaks + + * bug fixes + +Changes in release 0.3e + + * rcp program included + + * fix buffer overrun in ftpd + + * handle omitted sequence numbers as zeroes to handle MIT krb5 that + cannot generate zero sequence numbers + + * handle v4 /.k files better + + * configure/portability fixes + + * fixes in parsing of options to kadmin (sub-)commands + + * handle errors in kadmin load better + + * bug fixes + +Changes in release 0.3d + + * add krb5-config + + * fix a bug in 3des gss-api mechanism, making it compatible with the + specification and the MIT implementation + + * make telnetd only allow a specific list of environment variables to + stop it 
from setting `sensitive' variables + + * try to use an existing libdes + + * lib/krb5, kdc: use correct usage type for ap-req messages. This + should improve compatability with MIT krb5 when using 3DES + encryption types + + * kdc: fix memory allocation problem + + * update config.guess and config.sub + + * lib/roken: more stuff implemented + + * bug fixes and portability enhancements + +Changes in release 0.3c + + * lib/krb5: memory caches now support the resolve operation + + * appl/login: set PATH to some sane default + + * kadmind: handle several realms + + * bug fixes (including memory leaks) + +Changes in release 0.3b + + * kdc: prefer default-salted keys on v5 requests + + * kdc: lowercase hostnames in v4 mode + + * hprop: handle more types of MIT salts + + * lib/krb5: fix memory leak + + * bug fixes + +Changes in release 0.3a: + + * implement arcfour-hmac-md5 to interoperate with W2K + + * modularise the handling of the master key, and allow for other + encryption types. This makes it easier to import a database from + some other source without having to re-encrypt all keys. 
+ + * allow for better control over which encryption types are created + + * make kinit fallback to v4 if given a v4 KDC + + * make klist work better with v4 and v5, and add some more MIT + compatibility options + + * make the kdc listen on the krb524 (4444) port for compatibility + with MIT krb5 clients + + * implement more DCE/DFS support, enabled with --enable-dce, see + lib/kdfs and appl/dceutils + + * make the sequence numbers work correctly + + * bug fixes + +Changes in release 0.2t: + + * bug fixes + +Changes in release 0.2s: + + * add OpenLDAP support in hdb + + * login will get v4 tickets when it receives forwarded tickets + + * xnlock supports both v5 and v4 + + * repair source routing for telnet + + * fix building problems with krb4 (krb_mk_req) + + * bug fixes + +Changes in release 0.2r: + + * fix realloc memory corruption bug in kdc + + * `add --key' and `cpw --key' in kadmin + + * klist supports listing v4 tickets + + * update config.guess and config.sub + + * make v4 -> v5 principal name conversion more robust + + * support for anonymous tickets + + * new man-pages + + * telnetd: do not negotiate KERBEROS5 authentication if there's no keytab. 
+ + * use and set expiration and not password expiration when dumping + to/from ka server databases / krb4 databases + + * make the code happier with 64-bit time_t + + * follow RFC2782 and by default do not look for non-underscore SRV names + +Changes in release 0.2q: + + * bug fix in tcp-handling in kdc + + * bug fix in expand_hostname + +Changes in release 0.2p: + + * bug fix in `kadmin load/merge' + + * bug fix in krb5_parse_address + +Changes in release 0.2o: + + * gss_{import,export}_sec_context added to libgssapi + + * new option --addresses to kdc (for listening on an explicit set of + addresses) + + * bug fixes in the krb4 and kaserver emulation part of the kdc + + * other bug fixes + +Changes in release 0.2n: + + * more robust parsing of dump files in kadmin + * changed default timestamp format for log messages to extended ISO + 8601 format (Y-M-DTH:M:S) + * changed md4/md5/sha1 APIes to be de-facto `standard' + * always make hostname into lower-case before creating principal + * small bits of more MIT-compatability + * bug fixes + +Changes in release 0.2m: + + * handle glibc's getaddrinfo() that returns several ai_canonname + + * new endian test + + * man pages fixes + +Changes in release 0.2l: + + * bug fixes + +Changes in release 0.2k: + + * better IPv6 test + + * make struct sockaddr_storage in roken work better on alphas + + * some missing [hn]to[hn]s fixed. + + * allow users to change their own passwords with kadmin (with initial + tickets) + + * fix stupid bug in parsing KDC specification + + * add `ktutil change' and `ktutil purge' + +Changes in release 0.2j: + + * builds on Irix + + * ftpd works in passive mode + + * should build on cygwin + + * work around broken IPv6-code on OpenBSD 2.6, also add configure + option --disable-ipv6 + +Changes in release 0.2i: + + * use getaddrinfo in the missing places. + + * fix SRV lookup for admin server + + * use get{addr,name}info everywhere. 
and implement it in terms of + getipnodeby{name,addr} (which uses gethostbyname{,2} and + gethostbyaddr) + +Changes in release 0.2h: + + * fix typo in kx (now compiles) + +Changes in release 0.2g: + + * lots of bug fixes: + * push works + * repair appl/test programs + * sockaddr_storage works on solaris (alignment issues) + * works better with non-roken getaddrinfo + * rsh works + * some non standard C constructs removed + +Changes in release 0.2f: + + * support SRV records for kpasswd + * look for both _kerberos and krb5-realm when doing host -> realm mapping + +Changes in release 0.2e: + + * changed copyright notices to remove `advertising'-clause. + * get{addr,name}info added to roken and used in the other code + (this makes things work much better with hosts with both v4 and v6 + addresses, among other things) + * do pre-auth for both password and key-based get_in_tkt + * support for having several databases + * new command `del_enctype' in kadmin + * strptime (and new strftime) add to roken + * more paranoia about finding libdb + * bug fixes + +Changes in release 0.2d: + + * new configuration option [libdefaults]default_etypes_des + * internal ls in ftpd builds without KRB4 + * kx/rsh/push/pop_debug tries v5 and v4 consistenly + * build bug fixes + * other bug fixes + +Changes in release 0.2c: + + * bug fixes (see ChangeLog's for details) + +Changes in release 0.2b: + + * bug fixes + * actually bump shared library versions + +Changes in release 0.2a: + + * a new program verify_krb5_conf for checking your /etc/krb5.conf + * add 3DES keys when changing password + * support null keys in database + * support multiple local realms + * implement a keytab backend for AFS KeyFile's + * implement a keytab backend for v4 srvtabs + * implement `ktutil copy' + * support password quality control in v4 kadmind + * improvements in v4 compat kadmind + * handle the case of having the correct cred in the ccache but with + the wrong encryption type better + * v6-ify the 
remaining programs. + * internal ls in ftpd + * rename strcpy_truncate/strcat_truncate to strlcpy/strlcat + * add `ank --random-password' and `cpw --random-password' in kadmin + * some programs and documentation for trying to talk to a W2K KDC + * bug fixes + +Changes in release 0.1m: + + * support for getting default from krb5.conf for kinit/kf/rsh/telnet. + From Miroslav Ruda + * v6-ify hprop and hpropd + * support numeric addresses in krb5_mk_req + * shadow support in login and su. From Miroslav Ruda + * make rsh/rshd IPv6-aware + * make the gssapi sample applications better at reporting errors + * lots of bug fixes + * handle systems with v6-aware libc and non-v6 kernels (like Linux + with glibc 2.1) better + * hide failure of ERPT in ftp + * lots of bug fixes + +Changes in release 0.1l: + + * make ftp and ftpd IPv6-aware + * add inet_pton to roken + * more IPv6-awareness + * make mini_inetd v6 aware + +Changes in release 0.1k: + + * bump shared libraries versions + * add roken version of inet_ntop + * merge more changes to rshd + +Changes in release 0.1j: + + * restore back to the `old' 3DES code. This was supposed to be done + in 0.1h and 0.1i but I did a CVS screw-up. 
+ * make telnetd handle v6 connections + +Changes in release 0.1i: + + * start using `struct sockaddr_storage' which simplifies the code + (with a fallback definition if it's not defined) + * bug fixes (including in hprop and kf) + * don't use mawk which seems to mishandle roken.awk + * get_addrs should be able to handle v6 addresses on Linux (with the + required patch to the Linux kernel -- ask within) + * rshd builds with shadow passwords + +Changes in release 0.1h: + + * kf: new program for forwarding credentials + * portability fixes + * make forwarding credentials work with MIT code + * better conversion of ka database + * add etc/services.append + * correct `modified by' from kpasswdd + * lots of bug fixes + +Changes in release 0.1g: + + * kgetcred: new program for explicitly obtaining tickets + * configure fixes + * krb5-aware kx + * bug fixes + +Changes in release 0.1f; + + * experimental support for v4 kadmin protokoll in kadmind + * bug fixes + +Changes in release 0.1e: + + * try to handle old DCE and MIT kdcs + * support for older versions of credential cache files and keytabs + * postdated tickets work + * support for password quality checks in kpasswdd + * new flag --enable-kaserver for kdc + * renew fixes + * prototype su program + * updated (some) manpages + * support for KDC resource records + * should build with --without-krb4 + * bug fixes + +Changes in release 0.1d: + + * Support building with DB2 (uses 1.85-compat API) + * Support krb5-realm.DOMAIN in DNS + * new `ktutil srvcreate' + * v4/kafs support in klist/kdestroy + * bug fixes + +Changes in release 0.1c: + + * fix ASN.1 encoding of signed integers + * somewhat working `ktutil get' + * some documentation updates + * update to Autoconf 2.13 and Automake 1.4 + * the usual bug fixes + +Changes in release 0.1b: + + * some old -> new crypto conversion utils + * bug fixes + +Changes in release 0.1a: + + * new crypto code + * more bug fixes + * make sure we ask for DES keys in gssapi + * support 
signed ints in ASN1 + * IPv6-bug fixes + +Changes in release 0.0u: + + * lots of bug fixes + +Changes in release 0.0t: + + * more robust parsing of krb5.conf + * include net{read,write} in lib/roken + * bug fixes + +Changes in release 0.0s: + + * kludges for parsing options to rsh + * more robust parsing of krb5.conf + * removed some arbitrary limits + * bug fixes + +Changes in release 0.0r: + + * default options for some programs + * bug fixes + +Changes in release 0.0q: + + * support for building shared libraries with libtool + * bug fixes + +Changes in release 0.0p: + + * keytab moved to /etc/krb5.keytab + * avoid false detection of IPv6 on Linux + * Lots of more functionality in the gssapi-library + * hprop can now read ka-server databases + * bug fixes + +Changes in release 0.0o: + + * FTP with GSSAPI support. + * Bug fixes. + +Changes in release 0.0n: + + * Incremental database propagation. + * Somewhat improved kadmin ui; the stuff in admin is now removed. + * Some support for using enctypes instead of keytypes. + * Lots of other improvement and bug fixes, see ChangeLog for details. diff --git a/third_party/heimdal/NTMakefile b/third_party/heimdal/NTMakefile new file mode 100644 index 0000000..adf04f8 --- /dev/null +++ b/third_party/heimdal/NTMakefile 
@@ -0,0 +1,47 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +!if exist("thirdparty\NTMakefile") +thirdparty=thirdparty +!endif + +!ifdef APPVEYOR +SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl \ + tools tests packages etc +!else +SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc \ + tools tests packages etc $(thirdparty) packages\windows\installer +!endif + +!include windows/NTMakefile.w32 + +all:: + @echo Build finished succesfully diff --git a/third_party/heimdal/README b/third_party/heimdal/README new file mode 100644 index 0000000..9e4ba91 
--- /dev/null +++ b/third_party/heimdal/README @@ -0,0 +1,19 @@ + +Heimdal is an implementation of: ASN.1/DER, PKIX, and Kerberos. + +For information how to install see +. + +There are briefer man pages for most of the commands. + +Bug reports and bugs are appreciated. Use GitHub issues. +. + +For more information see the web-page at + or the mailing lists: + +heimdal-announce@heimdal.software low-volume announcement +heimdal-discuss@heimdal.software high-volume discussion + +send a mail to heimdal-announce-subscribe@heimdal.software and +heimdal-discuss-subscribe@heimdal.software respectively to subscribe. diff --git a/third_party/heimdal/README.fast b/third_party/heimdal/README.fast new file mode 100644 index 0000000..d0cd512 --- /dev/null +++ b/third_party/heimdal/README.fast @@ -0,0 +1,13 @@ + +-- in order of preference + +- client: plugin support for fast plugins + note GSS-API can be used as PA plugin interface + +- kdc: plugin support for fast plugins + partly done with "struct kdc_patypes" + +- kcm: support FAST armor ticket +-- using PK-INIT anonymous +-- using host key + diff --git a/third_party/heimdal/README.md b/third_party/heimdal/README.md new file mode 100644 index 0000000..5e49fd0 --- /dev/null +++ b/third_party/heimdal/README.md 
@@ -0,0 +1,39 @@ +[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/linux.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Alinux) +[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/osx.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Aosx) +[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/windows.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Awindows) +[![Appveyor-CI build (Windows)](https://ci.appveyor.com/api/projects/status/6j0k0m7kd6jjj4tw/branch/master?svg=true)](https://ci.appveyor.com/project/heimdal/heimdal/branch/master) +[![Coverage Status](https://coveralls.io/repos/github/heimdal/heimdal/badge.svg?branch=master)](https://coveralls.io/github/heimdal/heimdal?branch=master) + +Heimdal +======= + +Heimdal is an implementation of: + + - ASN.1/DER, + - PKIX, and + - Kerberos. + +For information how to install see [here](https://github.com/heimdal/heimdal/wiki/Building-and-installing). + +There are man pages for most of the commands. + +Bug reports and bugs are appreciated. Use [GitHub issues](https://www.heimdal.software/heimdal/issues). + +For more information see the project homepage [https://heimdal.software/heimdal/](https://heimdal.software/heimdal/) or the mailing lists: + + heimdal-announce@heimdal.software low-volume announcement + heimdal-discuss@heimdal.software high-volume discussion + +send mail to [heimdal-announce-subscribe@heimdal.software](mailto:heimdal-announce-subscribe@heimdal.software) and +[heimdal-discuss-subscribe@heimdal.software](mailto:heimdal-discuss-subscribe@heimdal.software) +respectively to subscribe. 
+ + +Build Status +============ + +[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/linux.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Alinux) +[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/osx.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Aosx) +[![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/windows.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Awindows) +[![Appveyor-CI build (Windows)](https://ci.appveyor.com/api/projects/status/6j0k0m7kd6jjj4tw/branch/master?svg=true)](https://ci.appveyor.com/project/heimdal/heimdal/branch/master) +[![Coverage Status](https://coveralls.io/repos/github/heimdal/heimdal/badge.svg?branch=master)](https://coveralls.io/github/heimdal/heimdal?branch=master) diff --git a/third_party/heimdal/SECURITY.md b/third_party/heimdal/SECURITY.md new file mode 100644 index 0000000..77b313b --- /dev/null +++ b/third_party/heimdal/SECURITY.md 
@@ -0,0 +1,90 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 7.x.x | :white_check_mark: | +| < 7.0 | :x: | + +## Reporting a Vulnerability + +Security sensitive bug reports should be sent to +heimdal-security@heimdal.team using this PGP key. + +Key ID: 9A077911BB7DC320 + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.22 (MingW32) + +mQINBFz8mXMBEAC3oUdMAP52TaJYQ2Rri0C4hNx7v73Jb/MqoAJKyJ7RKlGkpNp4 +8K7+/VwRqiex0Cs//wU2TMCLRK7n/J2YG3Z+Eu2FZeWRUmEJfvzgXDi/IfYmyytV +DU5RxFF7oB3X8xeESoLLB1haGuDR4fTxgtIJGVgh6ShddcMObO9zhqGtLmlf6BTD +fXPxxPn0fNqStVh38rEoL3Ri/KFoojOxIFubhfrKfTwRarNUUCT6b+ybra82rfB1 +JzNICraskvZGelCvC7vIflHLeg6a2a9dYkJeaNbXPR0p2BbNWoZ+y/nukCtTQHNO +avsFnALgm4LpWjEOkCr38TRPllrrYYA+DbjfB4bnp4BxOd1DaXtwBvkm/QMn2xuv +DBsJklY2RzAW9/l0S6VDVNbtIao21wtDLC98SdR9iweOcuvm0LcTfzEfiSf6vqIt +YIatTo7wh2/X0axzHsE5XTxmwzutMQ5ysOkgj5v6bmhxhAxNYspmSeei8698t2xT +ezOJwj2zjzaqgSQVND9uaRkxWkEQnp8P26DizGgO8VygAKSM6abqGnSXQgHrLYWR +FziTai98M3f9DA8m4aAxYHNRh/EnE7CieM8QglEEqRjfUzaZs+cUQMZaEMAkh8G6 +yJKhEWfhiWR6vK6vdA1lUSgzTGynch96OCrOYebjfp0VKLOFgkGauusyZwARAQAB +tDBIZWltZGFsIFNlY3VyaXR5IDxoZWltZGFsLXNlY3VyaXR5QGhlaW1kYWwudGVh +bT6JAjkEEwECACMFAlz8mXMCGyMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK +CRCaB3kRu33DICt6D/4/SzcNwUHb4CsOFgBVX/f4Gi6VDaGzgcthX8ddby2sHmgJ +YvmHD3ftwATVPZ0NtZ0h0v6tlBBVP6lq2lV0dJk4wDRZU2x2xxCMNFvgid2OFH4n +s47Wyed63IKokuwfqqDRcTMKLG/8zE0s/zmczxGw4KTPkiFe58qWPS4WdQqxhGbQ +byDByi16yO/5Yp13kFhtdzpDiwCIlf4W1DkwK133JZRKGvvc2E8dFY0H1u+ZYWj5 +YkJMbxSJkUD8vOarO7LaHLTeu+nRwrbmBqNX3e7UOcgCozwTpTlD63oxZ25HOSCb +nJs0xjQU0lGhebbBWO0e2gGljE+irAuIO5sPd/JOxV+Ppl97LkRFs2PrNqABj1XP +caknBkeT//12s2YbmQAMv3xWdqsH8YypWHMSG4vTwxS/CdM2FqrPiAUUa9OoZaSK +Oi9CxV5/02XkGIdVDKLqAXpzYMbQXRGyUORL/93QLULq3CMZq8depzELJGGhTr52 +tqtK1ecq8hUqtroSixFydKOfHL/CnssteRHTOT0O110PLOkrcPAE7cadjhYYUXWc 
+4R8QnUQpUnpsEDBLOeqLubw/yGCG9YfA3j6uXkWsKeFuC5P0QG1ptoOEcT40l0J0 +bbHSSrbeAsovGQcs7qZGs0Vybetufx3YbhFcj85W64+Q36YK97L2gnuitnxNPIhG +BBMRAgAGBQJc/Jr7AAoJEFWROgb+WUtoRN4An1T7Oz+P0xe+TRCDISoofk9QuXLk +AKCw9dd28MLBFjeBSDgihi27RqtjOIkBHAQTAQIABgUCXPybJwAKCRDcZtQjSX34 +eN2sB/46kXACbiPbfZKa4HuipnTGbmach66PrTkpdZUXt+kYyO9Os33kLO33qNSe +mFZwRHJGMhahzMZMEA18n85HYyQw4/Kqx/Atr2TnVigJpN2YIw0L6rfv9KP8vhwK +fn4YXpH1ZFs54EUK85pT+Orbkk83tWPDnUlf9dkVX2GHWBqTbUjbKduaEbdDvRqE +NiiXTWhaSBpxLW/Iqu/ogwAH+36B1apLjoBtMYzU3up+OKrNN+Lrsi0ztCdhGIjj +jND4JiqnnaKbKOpj6htXJHryXNicXfFa64cHtrYkz8PJVEpo4AkBIAZRvgl0C5vT +HkeyBuRAHSbvtN0EfQCgIFJRUVnmiQIcBBMBAgAGBQJc/JtjAAoJEPd6c1WStpoE +GooQAJB1zZwIeTKj77FqqfPtU9sc8DWrxnBSYSJCYJAM4520OaG2RBpLFjJ30GSY +Ky9MeUGOCfOl4wx9LfMU4GKFqxjw5N0H7f2DTNdPKp5QzZT5LIle5xu4UerolDdU +Wn/LOJpYJbYnyFKOi3NU0A8yS1wJsJ1ZGf4GB6Xi9q8Wx+E482pSFDWkFInwAozc +rvZCtx/4vsEKLWDCEOlUclbnmipiUtKm1jxyOnTQbzqx5X5ZLxIjTmz/LdvJJiYf +H+BAFAaIlCr5JWw6SSRo/cL0l7b+Q0YPqaY+ElTdYQXyfC0C0yPVmpA2jnqpgUp/ +O53AYZNZtvRnbBq67VWSbBUXllu44QgVI180tBeDqZWYbGcyRWQ+36S3xh6O1gfA +cOqs6IzKNtALFOYKLvaWFP+Tls+uGAzYeQFN92V0n3agK1p9rGmMa79yPyIqeHfi +7cpnqtsjXDm6qoMD+119tWL+exg3GKzZpYVpptpSQXnVzqOLGhEQdVtQ8uLaY/4g +2CL27Rg3wp+dmQDPmUWqZIWBg32R6vqxzbKcnwaAqLiH0ryULOB2ebKPu/FKQGZN +5I6S75pwzXoDioXD1ALAeAyhfpp2XSYDI3AeLvF34hgPwLuw1AVdr0VF27E7IAub +lcHvdNS+bry6k16difwjJS9G2qRblZmwxpv5UpdiRW87YDjLuQINBFz8mXMBEACg +P4pnjDcLtWTDfNNaRbTl/4VTLKEgTwF04dslWFKJt7SiDepwcJNBux6sPdF3B4/U +VQXI1OqQ9msBz4nQj5c+m2ZQC2mRohLIjigmEiCe+62CbauKP5Jaj4xKW0xEkPiX +DsiUWZqetQBXvxjVvh6rS1MArzKtLOGXHsaRRK84JquD+CjMxKwOPPgRJNbOay5f +rXfKV2oxVWGxylaZnc1zZhLau+Z1mto1c80glt1HNTNzue1NLBckB55Z7nUn0ue8 +q2pay1VrPwdM2Ym/r+K5mpwvqKw9Xwc8Uj/Uypb9r9Qt8WvlZ7j1lbbF9Tgs4Hjk +O5ZmHN4SZxhRHSymwce6R3efp+3T1A2I0es5BGBhmz62i2x98Jf3uaR7wQIGO+bS +3XoVG1llghpYYZIVK1x+2HyWqfVBfnO62vbULA5wtXYdY5V+R7gzctnybr0SUjh0 +msWLh39G3yReU9ia4dZg4CLb3/bAf25AeN+V8DraGyPdeieMOfad+IpazFm0aPo/ +zmMe94mhyOK/pDkuvLOvSGQm0dy/lWPLK8K8p4fLMKKRv6Tyzps77407GWqo8+8R 
+sF9YPvN2/E0iJXokgIKrCQtoovNsitgL9CANX8+kzcs5QHsh/FJJhLoA3zwaR/9S +nAP3JeAubda4PbBXggzsv2+lIIBvz5URwN9lSPdblQARAQABiQIfBBgBAgAJBQJc +/JlzAhsMAAoJEJoHeRG7fcMgMGwP/00bpcf6K/GCZxAuu0vuohvKe3tTR1cD8Sks +ZsavXyvaUuHkZn31OPow/RGYcRnMLfh9iddgV++lxYcaZ8iILtGnH9vXg0bhiX1x +XLhSRwcpF1Rf7/1KgAsKcd0PtHehxNMEiS9ISqZBDZQyMYaCh2wK5FienQziGOLx +ehHxarEfwQJEFqW3+rWs5YhaRD4fLuxi4fxefT9TQp+rZp+2CNFENI5w2bFFkFYe +wUZ2waTbxpFUDV2HB0znH8HEyIfEBGGpbD8tHCiM7W46gpi6mBnEfd/3gQu+ewoz +z4dfspKTQfuIUMN1s0+iqzY9to1Bzfrnc328ntMnhfXsz91hwqMLpD36zLUTtHPc +Zf9E+R4Q9bsqGUoVo8xrkd52Nxta24leF5x7+8K90vghsFJ8dP1qS2y8w3emUlDn +++GVrZWJRLhwbVOtcroRF2WqGTRRJZ5sgaMq5LIE9KUCKioq+/gFvWyDABH1Y1jq +vEep+eyl6DuEoDY9KV912EUtF7Fn7mM1aY4tLOYYGVIqy/SfvKKS+8Fv9QUkFjVV +PhkGVow1Hh8SHAzq/8mMV6/D7xUgMJhfnjwUNp0t7s5J9xN4uLSKSVlyNkI2JRvd +m445blzP6zyWOwlY1RdOX+qEo+y7zyruWc3EB8kzQTKjIzShVN3k+SOAO4QGM6Jy +CthJqQ8K +=Nb2m +-----END PGP PUBLIC KEY BLOCK----- diff --git a/third_party/heimdal/TODO b/third_party/heimdal/TODO new file mode 100644 index 0000000..87c50b8 --- /dev/null +++ b/third_party/heimdal/TODO @@ -0,0 +1,30 @@ +-*- indented-text -*- + +** lib/gssapi + +cache delegation credentials to avoid hitting the kdc ? require time +stampless tickets, and was supported in the recv'ing end with 0.6.1. + +make iov work for arcfour + +make iov work for ntlm + +interop test + +make TYPE_STREAM work + +** lib/kadm5 + +add policies? + +** lib/krb5 + +verify_user: handle non-secure verification failing because of +host->realm mapping + +* windows stuff + +-- drop all double negation #ifndef NO_ +-- got though windows specific ifdefs to minimized them +-- switch to use heim-ipc for services, like the kadmin change notification socket +-- Unify lib/krb5/expand_path_w32.c diff --git a/third_party/heimdal/acinclude.m4 b/third_party/heimdal/acinclude.m4 new file mode 100644 index 0000000..7fd37ff --- /dev/null +++ b/third_party/heimdal/acinclude.m4 
@@ -0,0 +1,9 @@ +dnl $Id$ +dnl +dnl Only put things that for some reason can't live in the `cf' +dnl directory in this file. +dnl + +dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $ +dnl +m4_define([upcase],`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl diff --git a/third_party/heimdal/admin/ChangeLog b/third_party/heimdal/admin/ChangeLog new file mode 100644 index 0000000..1cdc153 --- /dev/null +++ b/third_party/heimdal/admin/ChangeLog 
@@ -0,0 +1,70 @@ +2006-10-07 Love Hörnquist Åstrand + + * Makefile.am: Add man_MANS to EXTRA_DIST + + * Makefile.am: split build files into dist_ and noinst_ SOURCES + +2005-07-07 Love Hörnquist Åstrand + + * ktutil.c: rename optind to optidx + + * list.c: make a copy of realm and admin_server to avoid + un-consting avoid shadowing + + * get.c: make a copy of realm and admin_server to avoid + un-consting avoid shadowing + + * change.c (change_entry): just use global context to avoid + shadowing; make a copy of realm and admin_server to avoid + un-consting. + +2005-05-19 Love Hörnquist Åstrand + + * change.c (kt_change): plug memory leak from + krb5_kt_remove_entry, print principal on error. + +2005-05-02 Dave Love + + * ktutil.c (help): Don't use non-constant initializer for `fake'. + +2005-04-15 Love Hörnquist Åstrand + + * ktutil_locl.h: include + +2005-04-14 Love Hörnquist Åstrand + + * add.c: add option -H --hex to the add command + + * ktutil-commands.in: add option -H --hex to the add command + + * ktutil.8: document option -H --hex to the add command + +2004-09-29 Love Hörnquist Åstrand + + * list.c: un c99'ify, from Anders.Magnusson@ltu.se + +2004-09-23 Johan Danielsson + + * purge.c: convert to slc; don't purge keys older that a certain + time, instead purge keys that have newer versions that are at + least a certain age + + * rename.c: convert to slc + + * remove.c: convert to slc + + * get.c: convert to slc; warn if resetting disallow-all-tix + + * copy.c: convert to slc + + * change.c: convert to slc + + * add.c: convert to slc + + * list.c: convert to slc + + * ktutil_locl.h: convert to slc + + * ktutil.c: convert to slc + + * ktutil-commands.in: slc source file diff --git a/third_party/heimdal/admin/Makefile.am b/third_party/heimdal/admin/Makefile.am new file mode 100644 index 0000000..a4a7bb4 --- /dev/null +++ b/third_party/heimdal/admin/Makefile.am 
@@ -0,0 +1,43 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +AM_CPPFLAGS += $(INCLUDE_readline) + +man_MANS = ktutil.1 + +bin_PROGRAMS = ktutil + +dist_ktutil_SOURCES = \ + add.c \ + change.c \ + copy.c \ + destroy.c \ + get.c \ + ktutil.c \ + ktutil_locl.h \ + list.c \ + purge.c \ + remove.c \ + rename.c + +nodist_ktutil_SOURCES = \ + ktutil-commands.c + +$(ktutil_OBJECTS): ktutil-commands.h + +CLEANFILES = ktutil-commands.h ktutil-commands.c + +ktutil-commands.c ktutil-commands.h: ktutil-commands.in + $(SLC) $(srcdir)/ktutil-commands.in + +LDADD = \ + $(top_builddir)/lib/kadm5/libkadm5clnt.la \ + $(top_builddir)/lib/krb5/libkrb5.la \ + $(LIB_hcrypto) \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(top_builddir)/lib/sl/libsl.la \ + $(LIB_readline) \ + $(LIB_roken) + +EXTRA_DIST = NTMakefile ktutil-version.rc $(man_MANS) ktutil-commands.in diff --git a/third_party/heimdal/admin/NTMakefile b/third_party/heimdal/admin/NTMakefile new file mode 100644 index 0000000..06f90c9 --- /dev/null +++ b/third_party/heimdal/admin/NTMakefile 
@@ -0,0 +1,74 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. 
+# + +RELDIR=admin +cincdirs=$(cincdirs) -I$(OBJ) +!include ../windows/NTMakefile.w32 + +SBINPROGRAMS=$(SBINDIR)\ktutil.exe + +KTUTIL_OBJS= \ + $(OBJ)\add.obj \ + $(OBJ)\change.obj \ + $(OBJ)\copy.obj \ + $(OBJ)\destroy.obj \ + $(OBJ)\get.obj \ + $(OBJ)\ktutil.obj \ + $(OBJ)\ktutil-commands.obj \ + $(OBJ)\list.obj \ + $(OBJ)\purge.obj \ + $(OBJ)\remove.obj \ + $(OBJ)\rename.obj + +KTUTIL_LIBS= \ + $(LIBHEIMDAL) \ + $(LIBKADM5SRV) \ + $(LIBSL) \ + $(LIBROKEN) \ + $(LIBVERS) + +$(SBINDIR)\ktutil.exe: $(KTUTIL_OBJS) $(KTUTIL_LIBS) $(OBJ)\ktutil-version.res + $(EXECONLINK) + $(EXEPREP) + +$(OBJ)\ktutil-commands.c $(OBJ)\ktutil-commands.h: ktutil-commands.in + cd $(OBJ) + $(CP) $(SRCDIR)\ktutil-commands.in $(OBJ) + $(BINDIR)\slc.exe ktutil-commands.in + cd $(SRCDIR) + +INCFILES=\ + $(OBJ)\ktutil-commands.h + +all:: $(INCFILES) $(SBINPROGRAMS) + +clean:: + -$(RM) $(SBINPROGRAMS:.exe=.*) diff --git a/third_party/heimdal/admin/add.c b/third_party/heimdal/admin/add.c new file mode 100644 index 0000000..13580b9 --- /dev/null +++ b/third_party/heimdal/admin/add.c 
@@ -0,0 +1,158 @@ +/* + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ktutil_locl.h" + +RCSID("$Id$"); + +static char * +readstring(const char *prompt, char *buf, size_t len) +{ + printf("%s", prompt); + if (fgets(buf, len, stdin) == NULL) + return NULL; + buf[strcspn(buf, "\r\n")] = '\0'; + return buf; +} + +int +kt_add(struct add_options *opt, int argc, char **argv) +{ + krb5_error_code ret; + krb5_keytab keytab; + krb5_keytab_entry entry; + char buf[1024]; + krb5_enctype enctype; + + if((keytab = ktutil_open_keytab()) == NULL) + return 1; + + memset(&entry, 0, sizeof(entry)); + if(opt->principal_string == NULL) { + if(readstring("Principal: ", buf, sizeof(buf)) == NULL) + return 1; + opt->principal_string = buf; + } + ret = krb5_parse_name(context, opt->principal_string, &entry.principal); + if(ret) { + krb5_warn(context, ret, "%s", opt->principal_string); + goto out; + } + if(opt->enctype_string == NULL) { + if(readstring("Encryption type: ", buf, sizeof(buf)) == NULL) { + ret = 1; + goto out; + } + opt->enctype_string = buf; + } + ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype); + if(ret) { + int t; + if(sscanf(opt->enctype_string, "%d", &t) == 1) + enctype = t; + else { + krb5_warn(context, ret, "%s", opt->enctype_string); + goto out; + } + } + if(opt->kvno_integer == -1) { + if(readstring("Key version: ", buf, sizeof(buf)) == NULL) { + ret = 1; + goto out; + } + if(sscanf(buf, "%u", &opt->kvno_integer) != 1) + goto out; + } + if(opt->password_string == NULL && opt->random_flag == 0) { + if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ", + UI_UTIL_FLAG_VERIFY)) { + ret = 1; + goto out; + } + opt->password_string = buf; + } + if(opt->password_string) { + if (opt->hex_flag) { + size_t len; + void *data; + + len = (strlen(opt->password_string) + 1) / 2; + + data = malloc(len); + if (data == NULL) { + krb5_warn(context, ENOMEM, "malloc"); + goto out; + } + + if ((size_t)hex_decode(opt->password_string, data, len) != len) { + free(data); + krb5_warn(context, ENOMEM, "hex decode failed"); 
+ goto out; + } + + ret = krb5_keyblock_init(context, enctype, + data, len, &entry.keyblock); + free(data); + } else if (!opt->salt_flag) { + krb5_salt salt; + krb5_data pw; + + salt.salttype = KRB5_PW_SALT; + salt.saltvalue.data = NULL; + salt.saltvalue.length = 0; + pw.data = (void*)opt->password_string; + pw.length = strlen(opt->password_string); + ret = krb5_string_to_key_data_salt(context, enctype, pw, salt, + &entry.keyblock); + } else { + ret = krb5_string_to_key(context, enctype, opt->password_string, + entry.principal, &entry.keyblock); + } + memset (opt->password_string, 0, strlen(opt->password_string)); + } else { + ret = krb5_generate_random_keyblock(context, enctype, &entry.keyblock); + } + if(ret) { + krb5_warn(context, ret, "add"); + goto out; + } + entry.vno = opt->kvno_integer; + entry.timestamp = time (NULL); + ret = krb5_kt_add_entry(context, keytab, &entry); + if(ret) + krb5_warn(context, ret, "add"); + out: + krb5_kt_free_entry(context, &entry); + krb5_kt_close(context, keytab); + return ret != 0; +} diff --git a/third_party/heimdal/admin/change.c b/third_party/heimdal/admin/change.c new file mode 100644 index 0000000..b9d0e83 --- /dev/null +++ b/third_party/heimdal/admin/change.c 
@@ -0,0 +1,297 @@ +/* + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ktutil_locl.h" + +RCSID("$Id$"); + +static krb5_error_code +change_entry(krb5_keytab keytab, + krb5_principal principal, + krb5_kvno kvno, + int keep, + size_t nkstuple, + krb5_key_salt_tuple *kstuple, + const char *realm, + const char *admin_server, + int server_port) +{ + krb5_error_code ret; + kadm5_config_params conf; + void *kadm_handle; + char *client_name; + krb5_keyblock *keys; + size_t i; + int num_keys; + + ret = krb5_unparse_name (context, principal, &client_name); + if (ret) { + krb5_warn (context, ret, "krb5_unparse_name"); + return ret; + } + + memset (&conf, 0, sizeof(conf)); + + if(realm == NULL) + realm = krb5_principal_get_realm(context, principal); + conf.realm = strdup(realm); + if (conf.realm == NULL) { + free (client_name); + krb5_set_error_message(context, ENOMEM, "malloc failed"); + return ENOMEM; + } + conf.mask |= KADM5_CONFIG_REALM; + + if (admin_server) { + conf.admin_server = strdup(admin_server); + if (conf.admin_server == NULL) { + free(client_name); + free(conf.realm); + krb5_set_error_message(context, ENOMEM, "malloc failed"); + return ENOMEM; + } + conf.mask |= KADM5_CONFIG_ADMIN_SERVER; + } + + if (server_port) { + conf.kadmind_port = htons(server_port); + conf.mask |= KADM5_CONFIG_KADMIND_PORT; + } + + ret = kadm5_init_with_skey_ctx (context, + client_name, + keytab_string, + KADM5_ADMIN_SERVICE, + &conf, 0, 0, + &kadm_handle); + free(conf.admin_server); + free(conf.realm); + if (ret) { + krb5_warn (context, ret, + "kadm5_c_init_with_skey_ctx: %s:", client_name); + free (client_name); + return ret; + } + ret = kadm5_randkey_principal_3(kadm_handle, principal, keep, nkstuple, + kstuple, &keys, &num_keys); + kadm5_destroy(kadm_handle); + if (ret) { + krb5_warn(context, ret, "kadm5_randkey_principal_3: %s:", client_name); + free (client_name); + return ret; + } + free(client_name); + for (i = 0; i < num_keys; ++i) { + krb5_keytab_entry new_entry; + + new_entry.principal = principal; + new_entry.timestamp = time 
(NULL); + new_entry.vno = kvno + 1; + new_entry.keyblock = keys[i]; + + ret = krb5_kt_add_entry (context, keytab, &new_entry); + if (ret) + krb5_warn (context, ret, "krb5_kt_add_entry"); + krb5_free_keyblock_contents (context, &keys[i]); + } + return ret; +} + +/* + * loop over all the entries in the keytab (or those given) and change + * their keys, writing the new keys + */ + +struct change_set { + krb5_principal principal; + krb5_kvno kvno; +}; + +int +kt_change(struct change_options *opt, int argc, char **argv) +{ + krb5_error_code ret; + krb5_keytab keytab; + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + krb5_key_salt_tuple *kstuple = NULL; + const char *enctype; + size_t i, j, max, nkstuple; + int keep = 1; + struct change_set *changeset; + int errors = 0; + + i = 0; + + if (opt->keepold_flag) { + keep = 1; + i++; + } + if (opt->keepallold_flag) { + keep = 2; + i++; + } + if (opt->pruneall_flag) { + keep = 0; + i++; + } + if (i > 1) { + fprintf(stderr, "use only one of --keepold, --keepallold, or --pruneall\n"); + return EINVAL; + } + + enctype = opt->enctype_string; + if (enctype == NULL || enctype[0] == '\0') + enctype = krb5_config_get_string(context, NULL, "libdefaults", + "supported_enctypes", NULL); + if (enctype == NULL || enctype[0] == '\0') + enctype = "aes128-cts-hmac-sha1-96"; + ret = krb5_string_to_keysalts2(context, enctype, &nkstuple, &kstuple); + if (ret) { + fprintf(stderr, "enctype(s) unknown\n"); + return ret; + } + + /* XXX Parameterize keytab name */ + if ((keytab = ktutil_open_keytab()) == NULL) { + free(kstuple); + return 1; + } + + j = 0; + max = 0; + changeset = NULL; + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if(ret){ + krb5_warn(context, ret, "%s", keytab_string); + goto out; + } + + while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) { + int add = 0; + + for (i = 0; i < j; ++i) { + if (krb5_principal_compare (context, changeset[i].principal, + entry.principal)) { + if (changeset[i].kvno < 
entry.vno) + changeset[i].kvno = entry.vno; + break; + } + } + if (i < j) { + krb5_kt_free_entry (context, &entry); + continue; + } + + if (argc == 0) { + add = 1; + } else { + for (i = 0; i < argc; ++i) { + krb5_principal princ; + + ret = krb5_parse_name (context, argv[i], &princ); + if (ret) { + krb5_warn (context, ret, "%s", argv[i]); + continue; + } + if (krb5_principal_compare (context, princ, entry.principal)) + add = 1; + + krb5_free_principal (context, princ); + } + } + + if (add) { + if (j >= max) { + void *tmp; + + max = max(max * 2, 1); + tmp = realloc (changeset, max * sizeof(*changeset)); + if (tmp == NULL) { + krb5_kt_free_entry (context, &entry); + krb5_warnx (context, "realloc: out of memory"); + ret = ENOMEM; + break; + } + changeset = tmp; + } + ret = krb5_copy_principal (context, entry.principal, + &changeset[j].principal); + if (ret) { + krb5_warn (context, ret, "krb5_copy_principal"); + krb5_kt_free_entry (context, &entry); + break; + } + changeset[j].kvno = entry.vno; + ++j; + } + krb5_kt_free_entry (context, &entry); + } + krb5_kt_end_seq_get(context, keytab, &cursor); + + if (ret == KRB5_KT_END) { + for (i = 0; i < j; i++) { + if (verbose_flag) { + char *client_name; + + ret = krb5_unparse_name (context, changeset[i].principal, + &client_name); + if (ret) { + krb5_warn (context, ret, "krb5_unparse_name"); + } else { + printf("Changing %s kvno %d\n", + client_name, changeset[i].kvno); + free(client_name); + } + } + ret = change_entry(keytab, + changeset[i].principal, changeset[i].kvno, + keep, nkstuple, kstuple, + opt->realm_string, + opt->admin_server_string, + opt->server_port_integer); + if (ret != 0) + errors = 1; + } + } else + errors = 1; + for (i = 0; i < j; i++) + krb5_free_principal (context, changeset[i].principal); + free (changeset); + + out: + free(kstuple); + krb5_kt_close(context, keytab); + return errors; +} 
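Review bot: in kt_change(), the `goto out` taken when krb5_kt_start_seq_get() fails returns `errors`, which is still 0 at that point, so a keytab that cannot be read is reported as success; set `errors = 1` before the jump. In change_entry(), `ret` is overwritten on every pass of the krb5_kt_add_entry() loop, so a failed write of an earlier key is lost when a later one succeeds, and the `keys` array returned by kadm5_randkey_principal_3() has its contents freed but not the array itself. By the time that loop runs the KDC has already rotated the key, so a dropped write error leaves the keytab out of step with the KDC without the caller noticing.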
diff --git a/third_party/heimdal/admin/copy.c b/third_party/heimdal/admin/copy.c new file mode 100644 index 0000000..7b50de1 --- /dev/null +++ b/third_party/heimdal/admin/copy.c 
@@ -0,0 +1,143 @@ +/* + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ktutil_locl.h" + +RCSID("$Id$"); + + +static krb5_boolean +compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b) +{ + if(a->keytype != b->keytype || + a->keyvalue.length != b->keyvalue.length || + memcmp(a->keyvalue.data, b->keyvalue.data, a->keyvalue.length) != 0) + return FALSE; + return TRUE; +} + +int +kt_copy (void *opt, int argc, char **argv) +{ + krb5_error_code ret; + krb5_keytab src_keytab, dst_keytab; + krb5_kt_cursor cursor; + krb5_keytab_entry entry, dummy; + const char *from = argv[0]; + const char *to = argv[1]; + + ret = krb5_kt_resolve (context, from, &src_keytab); + if (ret) { + krb5_warn (context, ret, "resolving src keytab `%s'", from); + return 1; + } + + ret = krb5_kt_resolve (context, to, &dst_keytab); + if (ret) { + krb5_kt_close (context, src_keytab); + krb5_warn (context, ret, "resolving dst keytab `%s'", to); + return 1; + } + + ret = krb5_kt_start_seq_get (context, src_keytab, &cursor); + if (ret) { + krb5_warn (context, ret, "krb5_kt_start_seq_get %s", keytab_string); + goto out; + } + + if (verbose_flag) + fprintf(stderr, "copying %s to %s\n", from, to); + + while((ret = krb5_kt_next_entry(context, src_keytab, + &entry, &cursor)) == 0) { + char *name_str; + char *etype_str; + ret = krb5_unparse_name (context, entry.principal, &name_str); + if(ret) { + krb5_warn(context, ret, "krb5_unparse_name"); + name_str = NULL; /* XXX */ + } + ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str); + if(ret) { + krb5_warn(context, ret, "krb5_enctype_to_string"); + etype_str = NULL; /* XXX */ + } + ret = krb5_kt_get_entry(context, dst_keytab, + entry.principal, + entry.vno, + entry.keyblock.keytype, + &dummy); + if(ret == 0) { + /* this entry is already in the new keytab, so no need to + copy it; if the keyblocks are not the same, something + is weird, so complain about that */ + if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) { + krb5_warnx(context, "entry with different keyvalue " + "already 
exists for %s, keytype %s, kvno %d", + name_str, etype_str, entry.vno); + } + krb5_kt_free_entry(context, &dummy); + krb5_kt_free_entry (context, &entry); + free(name_str); + free(etype_str); + continue; + } else if(ret != KRB5_KT_NOTFOUND) { + krb5_warn (context, ret, "%s: fetching %s/%s/%u", + to, name_str, etype_str, entry.vno); + krb5_kt_free_entry (context, &entry); + free(name_str); + free(etype_str); + break; + } + if (verbose_flag) + fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str, + etype_str, entry.vno); + ret = krb5_kt_add_entry (context, dst_keytab, &entry); + krb5_kt_free_entry (context, &entry); + if (ret) { + krb5_warn (context, ret, "%s: adding %s/%s/%u", + to, name_str, etype_str, entry.vno); + free(name_str); + free(etype_str); + break; + } + free(name_str); + free(etype_str); + } + krb5_kt_end_seq_get (context, src_keytab, &cursor); + + out: + krb5_kt_close (context, src_keytab); + krb5_kt_close (context, dst_keytab); + return ret != 0; +} diff --git a/third_party/heimdal/admin/destroy.c b/third_party/heimdal/admin/destroy.c new file mode 100644 index 0000000..0e989d9 --- /dev/null +++ b/third_party/heimdal/admin/destroy.c 
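Review bot: in kt_copy() (admin/copy.c), the `while((ret = krb5_kt_next_entry(...)) == 0)` loop can only be left with `ret` non-zero, and the result of krb5_kt_end_seq_get() is not assigned, so `return ret != 0` yields 1 even after every entry was copied. change.c in this same patch treats KRB5_KT_END as the normal end of that iteration, and kt_copy() should do the same before computing its return value. Two smaller points in the loop body: `name_str` and `etype_str` are set to NULL on failure (the `/* XXX */` lines) and are later passed to `%s` in krb5_warnx() and fprintf(), and `entry.vno` is read in the "adding" krb5_warn() call after krb5_kt_free_entry(context, &entry) has already run.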
@@ -0,0 +1,52 @@ +/* + * Copyright (c) 2009 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ktutil_locl.h" + +int +kt_destroy (void *opt, int argc, char **argv) +{ + krb5_error_code ret; + krb5_keytab keytab; + + if((keytab = ktutil_open_keytab()) == NULL) + return 1; + + ret = krb5_kt_destroy (context, keytab); + if (ret) { + krb5_warn (context, ret, "destroy keytab failed"); + return 1; + } + + return 0; +} diff --git a/third_party/heimdal/admin/get.c b/third_party/heimdal/admin/get.c new file mode 100644 index 0000000..f56e50f --- /dev/null +++ b/third_party/heimdal/admin/get.c 
@@ -0,0 +1,264 @@ +/* + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ktutil_locl.h" + +RCSID("$Id$"); + +static void* +open_kadmin_connection(char *principal, + const char *realm, + char *admin_server, + int server_port) +{ + static kadm5_config_params conf; + krb5_error_code ret; + void *kadm_handle; + memset(&conf, 0, sizeof(conf)); + + if(realm) { + conf.realm = strdup(realm); + if (conf.realm == NULL) { + krb5_set_error_message(context, 0, "malloc: out of memory"); + return NULL; + } + conf.mask |= KADM5_CONFIG_REALM; + } + + if (admin_server) { + conf.admin_server = admin_server; + conf.mask |= KADM5_CONFIG_ADMIN_SERVER; + } + + if (server_port) { + conf.kadmind_port = htons(server_port); + conf.mask |= KADM5_CONFIG_KADMIND_PORT; + } + + /* should get realm from each principal, instead of doing + everything with the same (local) realm */ + + ret = kadm5_init_with_password_ctx(context, + principal, + NULL, + KADM5_ADMIN_SERVICE, + &conf, 0, 0, + &kadm_handle); + free(conf.realm); + if(ret) { + krb5_warn(context, ret, "kadm5_init_with_password"); + return NULL; + } + return kadm_handle; +} + +static int +parse_enctypes(struct get_options *opt, + size_t *nks, + krb5_key_salt_tuple **ks) +{ + const char *str; + char *s = NULL; + char *tmp; + size_t i; + int ret; + + *nks = 0; + *ks = NULL; + if (opt->enctypes_strings.num_strings == 0) { + str = krb5_config_get_string(context, NULL, "libdefaults", + "supported_enctypes", NULL); + if (str == NULL) + str = "aes128-cts-hmac-sha1-96"; + return krb5_string_to_keysalts2(context, str, nks, ks); + } + + for (i = 0; i < opt->enctypes_strings.num_strings; i++) { + if (asprintf(&tmp, "%s%s%s", i ? s : "", i ? 
"," : "", + opt->enctypes_strings.strings[i]) == -1) { + free(s); + return krb5_enomem(context); + } + s = tmp; + } + ret = krb5_string_to_keysalts2(context, s, nks, ks); + free(s); + return ret; +} + +int +kt_get(struct get_options *opt, int argc, char **argv) +{ + krb5_error_code ret = 0; + krb5_keytab keytab; + void *kadm_handle = NULL; + krb5_key_salt_tuple *ks = NULL; + size_t nks; + size_t i; + int a, j, keep; + unsigned int failed = 0; + + i = 0; + keep = 1; + if (opt->keepallold_flag) { + keep = 2; + i++; + } + if (opt->keepold_flag) { + keep = 1; + i++; + } + if (opt->pruneall_flag) { + keep = 0; + i++; + } + if (i > 1) { + fprintf(stderr, "use only one of --keepold, --keepallold, or --pruneall\n"); + return EINVAL; + } + + if ((ret = parse_enctypes(opt, &nks, &ks))) { + fprintf(stderr, "invalid enctype(s)\n"); + return ret; + } + + if((keytab = ktutil_open_keytab()) == NULL) { + free(ks); + return 1; + } + + if(opt->realm_string) + krb5_set_default_realm(context, opt->realm_string); + + for(a = 0; a < argc; a++){ + krb5_principal princ_ent; + kadm5_principal_ent_rec princ; + int mask = 0; + krb5_keyblock *keys; + int n_keys; + int created = 0; + krb5_keytab_entry entry; + + ret = krb5_parse_name(context, argv[a], &princ_ent); + if (ret) { + krb5_warn(context, ret, "can't parse principal %s", argv[a]); + failed++; + continue; + } + memset(&princ, 0, sizeof(princ)); + princ.principal = princ_ent; + mask |= KADM5_PRINCIPAL; + princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; + mask |= KADM5_ATTRIBUTES; + princ.princ_expire_time = 0; + mask |= KADM5_PRINC_EXPIRE_TIME; + + if(kadm_handle == NULL) { + const char *r; + if(opt->realm_string != NULL) + r = opt->realm_string; + else + r = krb5_principal_get_realm(context, princ_ent); + kadm_handle = open_kadmin_connection(opt->principal_string, + r, + opt->admin_server_string, + opt->server_port_integer); + if(kadm_handle == NULL) + break; + } + + ret = kadm5_create_principal(kadm_handle, &princ, mask, 
"thisIs_aUseless.password123"); + if(ret == 0) + created = 1; + else if(ret != KADM5_DUP) { + krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]); + krb5_free_principal(context, princ_ent); + failed++; + continue; + } + ret = kadm5_randkey_principal_3(kadm_handle, princ_ent, keep, nks, ks, + &keys, &n_keys); + if (ret) { + krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]); + krb5_free_principal(context, princ_ent); + failed++; + continue; + } + + ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, + KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); + if (ret) { + krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[a]); + for (j = 0; j < n_keys; j++) + krb5_free_keyblock_contents(context, &keys[j]); + krb5_free_principal(context, princ_ent); + failed++; + continue; + } + if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX)) + krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[a]); + princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); + mask = KADM5_ATTRIBUTES; + if(created) { + princ.kvno = 1; + mask |= KADM5_KVNO; + } + ret = kadm5_modify_principal(kadm_handle, &princ, mask); + if (ret) { + krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[a]); + for (j = 0; j < n_keys; j++) + krb5_free_keyblock_contents(context, &keys[j]); + krb5_free_principal(context, princ_ent); + failed++; + continue; + } + for(j = 0; j < n_keys; j++) { + entry.principal = princ_ent; + entry.vno = princ.kvno; + entry.keyblock = keys[j]; + entry.timestamp = time (NULL); + ret = krb5_kt_add_entry(context, keytab, &entry); + if (ret) + krb5_warn(context, ret, "krb5_kt_add_entry"); + krb5_free_keyblock_contents(context, &keys[j]); + } + + kadm5_free_principal_ent(kadm_handle, &princ); + krb5_free_principal(context, princ_ent); + } + if (kadm_handle) + kadm5_destroy(kadm_handle); + krb5_kt_close(context, keytab); + free(ks); + return ret != 0 || failed > 0; +} 
diff --git a/third_party/heimdal/admin/ktutil-commands.in b/third_party/heimdal/admin/ktutil-commands.in new file mode 100644 index 0000000..2b771e9 --- /dev/null +++ b/third_party/heimdal/admin/ktutil-commands.in 
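Review bot: in kt_get() (admin/get.c), the `if(kadm_handle == NULL) break;` path taken when open_kadmin_connection() fails neither increments `failed` nor changes `ret`, which is still 0 from krb5_parse_name(), so the command returns success when it could not reach the admin server; it also skips krb5_free_principal(context, princ_ent). Count this as a failure and free the principal before leaving the loop. Separately, kadm5_create_principal() is called with the fixed string "thisIs_aUseless.password123". KRB5_KDB_DISALLOW_ALL_TIX is set at creation, but if kadm5_randkey_principal_3() then fails, a newly created principal stays in the database with that password and the flag still set. A comment stating that the flag is what this relies on, or deleting the principal on that path when `created` is set, would make the intent explicit.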
@@ -0,0 +1,299 @@ +/* + * Copyright (c) 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ +/* $Id$ */ + +command = { + name = "add" + option = { + long = "principal" + short = "p" + type = "string" + help = "principal to add" + argument = "principal" + default = "" + } + option = { + long = "kvno" + short = "V" + type = "integer" + help = "key version number" + default = "-1" + } + option = { + long = "enctype" + short = "e" + type = "string" + argument = "enctype" + help = "encryption type(s)" + } + option = { + long = "password" + short = "w" + type = "string" + help = "password for key" + } + option = { + long = "salt" + short = "s" + type = "-flag" + help = "use unsalted keys" + default = "1" + } + option = { + long = "random" + short = "r" + type = "flag" + help = "generate random key" + } + option = { + long = "keepold" + type = "flag" + help = "keep old keys/password needed to decrypt extant tickets (default)" + } + option = { + long = "keepallold" + type = "flag" + help = "keep all old keys/password" + } + option = { + long = "pruneall" + type = "flag" + help = "delete all old keys" + } + option = { + long = "hex" + short = "H" + type = "flag" + help = "password is a hexadecimal string" + } + function = "kt_add" + help = "Adds a key to a keytab." 
+ max_args = "0" +} +command = { + name = "change" + option = { + long = "realm" + short = "r" + type = "string" + argument = "realm" + help = "realm to use" + } + option = { + long = "enctype" + short = "e" + type = "string" + argument = "enctype" + help = "encryption type(s)" + } + option = { + long = "keepold" + type = "flag" + help = "keep old keys/password needed to decrypt extant tickets (default)" + } + option = { + long = "keepallold" + type = "flag" + help = "keep all old keys/password" + } + option = { + long = "pruneall" + type = "flag" + help = "delete all old keys" + } + option = { + long = "admin-server" + short = "a" + type = "string" + argument = "host" + help = "server to contact" + } + option = { + long = "server-port" + short = "s" + type = "integer" + argument = "port number" + help = "port number on server" + } + function = "kt_change" + argument = "[principal...]" + help = "Change keys for specified principals (default all)." +} +command = { + name = "copy" + function = "kt_copy" + argument = "source destination" + min_args = "2" + max_args = "2" + help = "Copies one keytab to another." 
+} +command = { + name = "get" + option = { + long = "principal" + short = "p" + type = "string" + help = "admin principal" + argument = "principal" + } + option = { + long = "enctypes" + short = "e" + type = "strings" + help = "encryption types to use" + argument = "enctype" + } + option = { + long = "keepold" + type = "flag" + help = "keep old keys/password needed to decrypt extant tickets (default)" + } + option = { + long = "keepallold" + type = "flag" + help = "keep all old keys/password" + } + option = { + long = "pruneall" + type = "flag" + help = "delete all old keys" + } + option = { + long = "realm" + short = "r" + type = "string" + argument = "realm" + help = "realm to use" + } + option = { + long = "admin-server" + short = "a" + type = "string" + argument = "host" + help = "server to contact" + } + option = { + long = "server-port" + short = "s" + type = "integer" + argument = "port number" + help = "port number on server" + } + function = "kt_get" + min_args = "1" + argument = "principal..." + help = "Change keys for specified principals, and add them to the keytab." +} +command = { + name = "list" + option = { + long = "keys" + type = "flag" + help = "show key values" + } + option = { + long = "timestamp" + type = "flag" + help = "show timestamps" + } + max_args = "0" + function = "kt_list" + help = "Show contents of keytab." +} +command = { + name = "purge" + option = { + long = "age" + type = "string" + help = "age to retiere" + default = "1 week"; + argument = "time" + } + max_args = "0" + function = "kt_purge" + help = "Remove superceded keys from keytab." 
+} +command = { + name = "remove" + name = "delete" + option = { + long = "principal" + short = "p" + type = "string" + help = "principal to remove" + argument = "principal" + } + option = { + long = "kvno" + short = "V" + type = "integer" + help = "key version to remove" + argument = "kvno" + default = "0" + } + option = { + long = "enctype" + short = "e" + type = "string" + help = "enctype to remove" + argument = "enctype" + } + max_args = "0" + function = "kt_remove" + help = "Remove keys from keytab." +} +command = { + name = "rename" + function = "kt_rename" + argument = "from to" + min_args = "2" + max_args = "2" + help = "Renames an entry in the keytab." + option = { + long = "delete" + type = "-flag" + help = "don't delete orignal entry" + } +} +command = { + name = "destroy" + function = "kt_destroy" + max_args = "0" + help = "Destroy (remove) the keytab." +} +command = { + name = "help" + argument = "command" + max_args = "1" + function = "help" +} diff --git a/third_party/heimdal/admin/ktutil-version.rc b/third_party/heimdal/admin/ktutil-version.rc new file mode 100644 index 0000000..e0e91c5 --- /dev/null +++ b/third_party/heimdal/admin/ktutil-version.rc 
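Review bot: in ktutil-commands.in, the `password` option (`-w`) of the `add` command takes the key password as an option value, which puts it in the process arguments when ktutil is run from a shell. ktutil.1 in this patch says that options not specified are prompted for, so the help string could say that omitting `-w` is the way to avoid that. The user-visible help strings also carry typos: "age to retiere" and "Remove superceded keys from keytab." under `purge`, and "don't delete orignal entry" under `rename`. The `default = "1 week";` line under `purge` is the only assignment in the file that ends in a semicolon.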
@@ -0,0 +1,36 @@ +/*********************************************************************** + * Copyright (c) 2010, Secure Endpoints Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + **********************************************************************/ + +#define RC_FILE_TYPE VFT_APP +#define RC_FILE_DESC_0409 "Kerberos Keytab Tool" +#define RC_FILE_ORIG_0409 "ktutil.exe" + +#include "../windows/version.rc" diff --git a/third_party/heimdal/admin/ktutil.1 b/third_party/heimdal/admin/ktutil.1 new file mode 100644 index 0000000..125b5e8 --- /dev/null +++ b/third_party/heimdal/admin/ktutil.1 
@@ -0,0 +1,128 @@ +.\" Copyright (c) 1997-2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd April 14, 2005 +.Dt KTUTIL 1 +.Os HEIMDAL +.Sh NAME +.Nm ktutil +.Nd manage Kerberos keytabs +.Sh SYNOPSIS +.Nm +.Oo Fl k Ar keytab \*(Ba Xo +.Fl Fl keytab= Ns Ar keytab +.Xc +.Oc +.Op Fl v | Fl Fl verbose +.Op Fl Fl version +.Op Fl h | Fl Fl help +.Ar command +.Op Ar args +.Sh DESCRIPTION +.Nm +is a program for managing keytabs. +Supported options: +.Bl -tag -width Ds +.It Fl v , Fl Fl verbose +Verbose output. +.El +.Pp +.Ar command +can be one of the following: +.Bl -tag -width srvconvert +.It add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \ +Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \ +Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \ +Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \ +Oo Fl Fl password= Ns Ar password Oc Oo Fl r Oc Oo Fl Fl random Oc \ +Oo Fl s Oc Oo Fl Fl no-salt Oc Oo Fl H Oc Op Fl Fl hex +Adds a key to the keytab. Options that are not specified will be +prompted for. This requires that you know the password or the hex key of the +principal to add; if what you really want is to add a new principal to +the keytab, you should consider the +.Ar get +command, which talks to the kadmin server. +.It change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \ +Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \ +Oo Fl Fl enctype= Ns Ar enctype Oc \ +Oo Fl Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \ +Oo Fl Fl s Ar port Oc Op Fl Fl server-port= Ns Ar port +Update one or several keys to new versions. By default, use the admin +server for the realm of a keytab entry. Otherwise it will use the +values specified by the options. +.Pp +If no principals are given, all the ones in the keytab are updated. +.It copy Ar keytab-src Ar keytab-dest +Copies all the entries from +.Ar keytab-src +to +.Ar keytab-dest . 
+.It get Oo Fl p Ar admin principal Oc \ +Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \ +Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \ +Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \ +Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \ +Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \ +Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ... +For each +.Ar principal , +generate a new key for it (creating it if it doesn't already exist), +and put that key in the keytab. +.Pp +If no +.Ar realm +is specified, the realm to operate on is taken from the first +principal. +.It list Oo Fl Fl keys Oc Op Fl Fl timestamp +List the keys stored in the keytab. +.It remove Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \ +Oo Fl V kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \ +Oo Fl Fl enctype= Ns Ar enctype Oc +Removes the specified key or keys. Not specifying a +.Ar kvno +removes keys with any version number. Not specifying an +.Ar enctype +removes keys of any type. +.It rename Ar from-principal Ar to-principal +Renames all entries in the keytab that match the +.Ar from-principal +to +.Ar to-principal . +.It purge Op Fl Fl age= Ns Ar age +Removes all old versions of a key for which there is a newer version +that is at least +.Ar age +(default one week) old. +.El +.Sh SEE ALSO +.Xr kadmin 1 diff --git a/third_party/heimdal/admin/ktutil.c b/third_party/heimdal/admin/ktutil.c new file mode 100644 index 0000000..27d0d58 --- /dev/null +++ b/third_party/heimdal/admin/ktutil.c 
@@ -0,0 +1,177 @@ +/* + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ktutil_locl.h" +#include + +RCSID("$Id$"); + +static int help_flag; +static int version_flag; +int verbose_flag; +char *keytab_string; +static char keytab_buf[256]; + +static struct getargs args[] = { + { + "version", + 0, + arg_flag, + &version_flag, + NULL, + NULL + }, + { + "help", + 'h', + arg_flag, + &help_flag, + NULL, + NULL + }, + { + "keytab", + 'k', + arg_string, + &keytab_string, + "keytab", + "keytab to operate on" + }, + { + "verbose", + 'v', + arg_flag, + &verbose_flag, + "verbose", + "run verbosely" + } +}; + +static int num_args = sizeof(args) / sizeof(args[0]); + +krb5_context context; + +krb5_keytab +ktutil_open_keytab(void) +{ + krb5_error_code ret; + krb5_keytab keytab; + if (keytab_string == NULL) { + ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf)); + if (ret) { + krb5_warn(context, ret, "krb5_kt_default_name"); + return NULL; + } + keytab_string = keytab_buf; + } + ret = krb5_kt_resolve(context, keytab_string, &keytab); + if (ret) { + krb5_warn(context, ret, "resolving keytab %s", keytab_string); + return NULL; + } + if (verbose_flag) + fprintf (stderr, "Using keytab %s\n", keytab_string); + + return keytab; +} + +int +help(void *opt, int argc, char **argv) +{ + if(argc == 0) { + sl_help(commands, 1, argv - 1 /* XXX */); + } else { + SL_cmd *c = sl_match (commands, argv[0], 0); + if(c == NULL) { + fprintf (stderr, "No such command: %s. " + "Try \"help\" for a list of commands\n", + argv[0]); + } else { + if(c->func) { + char shelp[] = "--help"; + char *fake[3]; + fake[0] = argv[0]; + fake[1] = shelp; + fake[2] = NULL; + (*c->func)(2, fake); + fprintf(stderr, "\n"); + } + if(c->help && *c->help) + fprintf (stderr, "%s\n", c->help); + if((++c)->name && c->func == NULL) { + int f = 0; + fprintf (stderr, "Synonyms:"); + while (c->name && c->func == NULL) { + fprintf (stderr, "%s%s", f ? 
", " : " ", (c++)->name); + f = 1; + } + fprintf (stderr, "\n"); + } + } + } + return 0; +} + +static void +usage(int status) +{ + arg_printusage(args, num_args, NULL, "command"); + exit(status); +} + +int +main(int argc, char **argv) +{ + int optidx = 0; + krb5_error_code ret; + setprogname(argv[0]); + ret = krb5_init_context(&context); + if (ret) + errx (1, "krb5_init_context failed: %d", ret); + if(getarg(args, num_args, argc, argv, &optidx)) + usage(1); + if(help_flag) + usage(0); + if(version_flag) { + print_version(NULL); + exit(0); + } + argc -= optidx; + argv += optidx; + if(argc == 0) + usage(1); + ret = sl_command(commands, argc, argv); + if(ret == -1) + krb5_warnx (context, "unrecognized command: %s", argv[0]); + return ret; +} diff --git a/third_party/heimdal/admin/ktutil_locl.h b/third_party/heimdal/admin/ktutil_locl.h new file mode 100644 index 0000000..9ecee31 --- /dev/null +++ b/third_party/heimdal/admin/ktutil_locl.h 
@@ -0,0 +1,74 @@ +/* + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +/* + * $Id$ + */ + +#ifndef __KTUTIL_LOCL_H__ +#define __KTUTIL_LOCL_H__ + +#include + +#include +#include +#include +#include +#ifdef HAVE_FCNTL_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +#include +#include + +#include "crypto-headers.h" +#include +#include +#include + +#include +#include +#include + +extern krb5_context context; + +extern int verbose_flag; +extern char *keytab_string; + +krb5_keytab ktutil_open_keytab(void); + +#include "ktutil-commands.h" + +#endif /* __KTUTIL_LOCL_H__ */ diff --git a/third_party/heimdal/admin/list.c b/third_party/heimdal/admin/list.c new file mode 100644 index 0000000..31be546 --- /dev/null +++ b/third_party/heimdal/admin/list.c 
@@ -0,0 +1,172 @@ +/* + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ktutil_locl.h" +#include + +RCSID("$Id$"); + +static int +do_list(struct list_options *opt, const char *keytab_str) +{ + krb5_error_code ret; + krb5_keytab keytab; + krb5_keytab_entry entry; + krb5_kt_cursor cursor; + rtbl_t table; + + /* XXX specialcase the ANY type */ + if(strncasecmp(keytab_str, "ANY:", 4) == 0) { + int flag = 0; + char buf[1024]; + keytab_str += 4; + ret = 0; + while (strsep_copy((const char**)&keytab_str, ",", + buf, sizeof(buf)) != -1) { + if(flag) + printf("\n"); + if(do_list(opt, buf)) + ret = 1; + flag = 1; + } + return ret; + } + + ret = krb5_kt_resolve(context, keytab_str, &keytab); + if (ret) { + krb5_warn(context, ret, "resolving keytab %s", keytab_str); + return ret; + } + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if(ret) { + krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_str); + krb5_kt_close(context, keytab); + return ret; + } + + printf ("%s:\n\n", keytab_str); + + table = rtbl_create(); + rtbl_add_column_by_id(table, 0, "Vno", RTBL_ALIGN_RIGHT); + rtbl_add_column_by_id(table, 1, "Type", 0); + rtbl_add_column_by_id(table, 2, "Principal", 0); + if (opt->timestamp_flag) + rtbl_add_column_by_id(table, 3, "Date", 0); + if(opt->keys_flag) + rtbl_add_column_by_id(table, 4, "Key", 0); + rtbl_add_column_by_id(table, 5, "Aliases", 0); + rtbl_set_separator(table, " "); + + while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0){ + char buf[1024], *s; + + snprintf(buf, sizeof(buf), "%d", entry.vno); + rtbl_add_column_entry_by_id(table, 0, buf); + + ret = krb5_enctype_to_string(context, + entry.keyblock.keytype, &s); + if (ret != 0) { + snprintf(buf, sizeof(buf), "unknown (%d)", entry.keyblock.keytype); + rtbl_add_column_entry_by_id(table, 1, buf); + } else { + rtbl_add_column_entry_by_id(table, 1, s); + free(s); + } + + krb5_unparse_name_fixed(context, entry.principal, buf, sizeof(buf)); + rtbl_add_column_entry_by_id(table, 2, buf); + + if (opt->timestamp_flag) { + 
krb5_format_time(context, entry.timestamp, buf, + sizeof(buf), FALSE); + rtbl_add_column_entry_by_id(table, 3, buf); + } + if(opt->keys_flag) { + size_t i; + s = malloc(2 * entry.keyblock.keyvalue.length + 1); + if (s == NULL) { + krb5_warnx(context, "malloc failed"); + ret = ENOMEM; + goto out; + } + for(i = 0; i < entry.keyblock.keyvalue.length; i++) + snprintf(s + 2 * i, 3, "%02x", + ((unsigned char*)entry.keyblock.keyvalue.data)[i]); + rtbl_add_column_entry_by_id(table, 4, s); + free(s); + } + if (entry.aliases) { + unsigned int i; + struct rk_strpool *p = NULL; + + for (i = 0; i< entry.aliases->len; i++) { + krb5_unparse_name_fixed(context, entry.principal, buf, sizeof(buf)); + p = rk_strpoolprintf(p, "%s%s", buf, + i + 1 < entry.aliases->len ? ", " : ""); + + } + rtbl_add_column_entry_by_id(table, 5, (s = rk_strpoolcollect(p))); + free(s); + } + + krb5_kt_free_entry(context, &entry); + } + ret = krb5_kt_end_seq_get(context, keytab, &cursor); + rtbl_format(table, stdout); + +out: + rtbl_destroy(table); + + krb5_kt_close(context, keytab); + return ret; +} + +int +kt_list(struct list_options *opt, int argc, char **argv) +{ + krb5_error_code ret; + char kt[1024]; + + if(verbose_flag) + opt->timestamp_flag = 1; + + if (keytab_string == NULL) { + if((ret = krb5_kt_default_name(context, kt, sizeof(kt))) != 0) { + krb5_warn(context, ret, "getting default keytab name"); + return 1; + } + keytab_string = kt; + } + return do_list(opt, keytab_string) != 0; +} diff --git a/third_party/heimdal/admin/purge.c b/third_party/heimdal/admin/purge.c new file mode 100644 index 0000000..b4667b3 --- /dev/null +++ b/third_party/heimdal/admin/purge.c 
@@ -0,0 +1,172 @@ +/* + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "ktutil_locl.h" + +RCSID("$Id$"); + +/* + * keep track of the highest version for every principal. 
+ */ + +struct e { + krb5_principal principal; + int max_vno; + time_t timestamp; + struct e *next; +}; + +static struct e * +get_entry (krb5_principal princ, struct e *head) +{ + struct e *e; + + for (e = head; e != NULL; e = e->next) + if (krb5_principal_compare (context, princ, e->principal)) + return e; + return NULL; +} + +static void +add_entry (krb5_principal princ, int vno, time_t timestamp, struct e **head) +{ + krb5_error_code ret; + struct e *e; + + e = get_entry (princ, *head); + if (e != NULL) { + if(e->max_vno < vno) { + e->max_vno = vno; + e->timestamp = timestamp; + } + return; + } + e = malloc (sizeof (*e)); + if (e == NULL) + krb5_errx (context, 1, "malloc: out of memory"); + ret = krb5_copy_principal (context, princ, &e->principal); + if (ret) + krb5_err (context, 1, ret, "krb5_copy_principal"); + e->max_vno = vno; + e->timestamp = timestamp; + e->next = *head; + *head = e; +} + +static void +delete_list (struct e *head) +{ + while (head != NULL) { + struct e *next = head->next; + krb5_free_principal (context, head->principal); + free (head); + head = next; + } +} + +/* + * Remove all entries that have newer versions and that are older + * than `age' + */ + +int +kt_purge(struct purge_options *opt, int argc, char **argv) +{ + krb5_error_code ret = 0; + krb5_kt_cursor cursor; + krb5_keytab keytab; + krb5_keytab_entry entry; + int age; + struct e *head = NULL; + time_t judgement_day; + + age = parse_time(opt->age_string, "s"); + if(age < 0) { + krb5_warnx(context, "unparasable time `%s'", opt->age_string); + return 1; + } + + if((keytab = ktutil_open_keytab()) == NULL) + return 1; + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if(ret){ + krb5_warn(context, ret, "%s", keytab_string); + goto out; + } + + while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0) { + add_entry (entry.principal, entry.vno, entry.timestamp, &head); + krb5_kt_free_entry(context, &entry); + } + krb5_kt_end_seq_get(context, keytab, &cursor); + + 
judgement_day = time (NULL); + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if(ret){ + krb5_warn(context, ret, "%s", keytab_string); + goto out; + } + + while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0) { + struct e *e = get_entry (entry.principal, head); + + if (e == NULL) { + krb5_warnx (context, "ignoring extra entry"); + continue; + } + + if (entry.vno < e->max_vno + && judgement_day - e->timestamp > age) { + if (verbose_flag) { + char *name_str; + + krb5_unparse_name (context, entry.principal, &name_str); + printf ("removing %s vno %d\n", name_str, entry.vno); + free (name_str); + } + ret = krb5_kt_remove_entry (context, keytab, &entry); + if (ret) + krb5_warn (context, ret, "remove"); + } + krb5_kt_free_entry(context, &entry); + } + ret = krb5_kt_end_seq_get(context, keytab, &cursor); + + delete_list (head); + + out: + krb5_kt_close (context, keytab); + return ret != 0; +} diff --git a/third_party/heimdal/admin/remove.c b/third_party/heimdal/admin/remove.c new file mode 100644 index 0000000..7c30d88 --- /dev/null +++ b/third_party/heimdal/admin/remove.c 
@@ -0,0 +1,93 @@ +/* + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ktutil_locl.h" + +RCSID("$Id$"); + +int +kt_remove(struct remove_options *opt, int argc, char **argv) +{ + krb5_error_code ret = 0; + krb5_keytab_entry entry; + krb5_keytab keytab; + krb5_principal principal = NULL; + krb5_enctype enctype = 0; + + if(opt->principal_string) { + ret = krb5_parse_name(context, opt->principal_string, &principal); + if(ret) { + krb5_warn(context, ret, "%s", opt->principal_string); + return 1; + } + } + if(opt->enctype_string) { + ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype); + if(ret) { + int t; + if(sscanf(opt->enctype_string, "%d", &t) == 1) + enctype = t; + else { + krb5_warn(context, ret, "%s", opt->enctype_string); + if(principal) + krb5_free_principal(context, principal); + return 1; + } + } + } + if (!principal && !enctype && !opt->kvno_integer) { + krb5_warnx(context, + "You must give at least one of " + "principal, enctype or kvno."); + ret = EINVAL; + goto out; + } + + if((keytab = ktutil_open_keytab()) == NULL) { + ret = 1; + goto out; + } + + entry.principal = principal; + entry.keyblock.keytype = enctype; + entry.vno = opt->kvno_integer; + ret = krb5_kt_remove_entry(context, keytab, &entry); + krb5_kt_close(context, keytab); + if(ret) + krb5_warn(context, ret, "remove"); + out: + if(principal) + krb5_free_principal(context, principal); + return ret != 0; +} + diff --git a/third_party/heimdal/admin/rename.c b/third_party/heimdal/admin/rename.c new file mode 100644 index 0000000..390776d --- /dev/null +++ b/third_party/heimdal/admin/rename.c 
@@ -0,0 +1,113 @@ +/* + * Copyright (c) 2001-2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "ktutil_locl.h" + +RCSID("$Id$"); + +int +kt_rename(struct rename_options *opt, int argc, char **argv) +{ + krb5_error_code ret = 0; + krb5_keytab_entry entry; + krb5_keytab keytab; + krb5_kt_cursor cursor; + krb5_principal from_princ, to_princ; + + ret = krb5_parse_name(context, argv[0], &from_princ); + if(ret != 0) { + krb5_warn(context, ret, "%s", argv[0]); + return 1; + } + + ret = krb5_parse_name(context, argv[1], &to_princ); + if(ret != 0) { + krb5_free_principal(context, from_princ); + krb5_warn(context, ret, "%s", argv[1]); + return 1; + } + + if((keytab = ktutil_open_keytab()) == NULL) { + krb5_free_principal(context, from_princ); + krb5_free_principal(context, to_princ); + return 1; + } + + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if(ret) { + krb5_kt_close(context, keytab); + krb5_free_principal(context, from_princ); + krb5_free_principal(context, to_princ); + return 1; + } + while(1) { + ret = krb5_kt_next_entry(context, keytab, &entry, &cursor); + if(ret != 0) { + if(ret != KRB5_CC_END && ret != KRB5_KT_END) + krb5_warn(context, ret, "getting entry from keytab"); + else + ret = 0; + break; + } + if(krb5_principal_compare(context, entry.principal, from_princ)) { + krb5_free_principal(context, entry.principal); + entry.principal = to_princ; + ret = krb5_kt_add_entry(context, keytab, &entry); + if(ret) { + entry.principal = NULL; + krb5_kt_free_entry(context, &entry); + krb5_warn(context, ret, "adding entry"); + break; + } + if (opt->delete_flag) { + entry.principal = from_princ; + ret = krb5_kt_remove_entry(context, keytab, &entry); + if(ret) { + entry.principal = NULL; + krb5_kt_free_entry(context, &entry); + krb5_warn(context, ret, "removing entry"); + break; + } + } + entry.principal = NULL; + } + krb5_kt_free_entry(context, &entry); + } + krb5_kt_end_seq_get(context, keytab, &cursor); + + krb5_free_principal(context, from_princ); + krb5_free_principal(context, to_princ); + + return ret != 0; +} + 
diff --git a/third_party/heimdal/appl/Makefile.am b/third_party/heimdal/appl/Makefile.am new file mode 100644 index 0000000..ec896ff --- /dev/null +++ b/third_party/heimdal/appl/Makefile.am @@ -0,0 +1,23 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +if OTP +dir_otp = otp +endif +if DCE +dir_dce = dceutils +endif +if !NO_AFS +dir_afsutil = afsutil +endif +SUBDIRS = \ + $(dir_afsutil) \ + dbutils \ + $(dir_otp) \ + gssmask \ + test \ + kf \ + $(dir_dce) + +EXTRA_DIST = NTMakefile diff --git a/third_party/heimdal/appl/NTMakefile b/third_party/heimdal/appl/NTMakefile new file mode 100644 index 0000000..6bae479 --- /dev/null +++ b/third_party/heimdal/appl/NTMakefile 
@@ -0,0 +1,35 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +RELDIR=appl + +!include ../windows/NTMakefile.w32 + diff --git a/third_party/heimdal/appl/afsutil/ChangeLog b/third_party/heimdal/appl/afsutil/ChangeLog new file mode 100644 index 0000000..9825c55 --- /dev/null +++ b/third_party/heimdal/appl/afsutil/ChangeLog 
@@ -0,0 +1,125 @@ +2007-04-11 Love Hörnquist Åstrand + + * pagsh.1,afslog.1: - options must be lexicographically ordered; + again, options without arguments must be placed before options + with arguments. - manual page cross references are done using + the macro `.Xr', not the macro `.Nm' (used for command names + instead). + + From Igor Sobrado. + +2006-10-07 Love Hörnquist Åstrand + + * Makefile.am: Add man_MANS to EXTRA_DIST + +2006-01-03 Love Hörnquist Åstrand + + * afslog.1: Document options to allow select principal or + credential cache when doing afslog. + + * afslog.c: Add options to allow select principal or credential + cache when doing afslog. + +2005-02-12 Love Hörnquist Åstrand + + * Makefile.am: man_MANS += pagsh.1 + + * pagsh.c: add --cache-type that allows the user to control the + resulting credential cache type, inherit the type from the + invoking process + + * pagsh.1: manpage for pagsh + +2004-09-03 Love Hörnquist Åstrand + + * afslog.c: use negative string help string for arg_negative_flag + Pointed out by Harald Barth + +2004-07-27 Love Hörnquist Åstrand + + * pagsh.c: use setprogname, if we stripped off -c, try use the + fallback code + +2003-10-14 Johan Danielsson + + * pagsh.c: mkstemp formats must end in exactly six X's + +2003-07-15 Love Hörnquist Åstrand + + * afslog.c (do_afslog): is cell is unset, set it "" + for error printing + + * pagsh.c: unconditionally set KRBTKFILE + +2003-04-23 Love Hörnquist Åstrand + + * afslog.c (log_func): drop the error number + +2003-04-14 Love Hörnquist Åstrand + + * afslog.c: set kafs log function if verbose is turned on + +2003-03-18 Love Hörnquist Åstrand + + * Makefile.am (LDADD): use LIB_kafs + + * afslog.1: --no-v4, --no-v5 + + * Makefile.am: always build afsutils now + + * afslog.c: make build without KRB4 + +2002-11-26 Johan Danielsson + + * afslog.c: remove plural form in help string + + * Makefile.am: add afslog manpage + + * afslog.1: manpage + + * afslog.c: try more files when trying to 
expand a cell name + + * afslog.c: create a list of cells to get tokens for, before + actually doing anything, and try to get tokens via krb4 if krb5 + fails, and give it a chance to work with krb4-only; also some bug + fixes, partially from Tomas Olsson. + +2002-08-23 Assar Westerlund + + * pagsh.c: make it handle --version/--help + +2001-05-17 Assar Westerlund + + * afslog.c (main): call free_getarg_strings + +2000-12-31 Assar Westerlund + + * afslog.c (main): handle krb5_init_context failure consistently + +2000-12-25 Assar Westerlund + + * afslog.c: clarify usage strings + +1999-08-04 Assar Westerlund + + * pagsh.c (main): use mkstemp to generate temporary file names. + From Miroslav Ruda + +1999-07-04 Assar Westerlund + + * afslog.c (expand_cell_name): terminate on #. From Miroslav Ruda + + +1999-06-27 Assar Westerlund + + * Makefile.am (bin_PROGRAMS): only include pagsh if KRB4 + +1999-06-26 Assar Westerlund + + * Makefile.am: add pagsh + + * pagsh.c: new file. contributed by Miroslav Ruda + +Sat Mar 27 12:49:43 1999 Johan Danielsson + + * afslog.c: cleanup option parsing diff --git a/third_party/heimdal/appl/afsutil/Makefile.am b/third_party/heimdal/appl/afsutil/Makefile.am new file mode 100644 index 0000000..705bdf1 --- /dev/null +++ b/third_party/heimdal/appl/afsutil/Makefile.am @@ -0,0 +1,19 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +bin_PROGRAMS = afslog pagsh + +afslog_SOURCES = afslog.c + +pagsh_SOURCES = pagsh.c + +man_MANS = afslog.1 pagsh.1 + +LDADD = $(LIB_kafs) \ + $(top_builddir)/lib/krb5/libkrb5.la \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(LIB_hcrypto) \ + $(LIB_roken) + +EXTRA_DIST = NTMakefile $(man_MANS) diff --git a/third_party/heimdal/appl/afsutil/NTMakefile b/third_party/heimdal/appl/afsutil/NTMakefile new file mode 100644 index 0000000..f1f696c --- /dev/null +++ b/third_party/heimdal/appl/afsutil/NTMakefile 
@@ -0,0 +1,35 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +RELDIR=appl\afsutil + +!include ../../windows/NTMakefile.w32 + diff --git a/third_party/heimdal/appl/afsutil/afslog.1 b/third_party/heimdal/appl/afsutil/afslog.1 new file mode 100644 index 0000000..779d9cd --- /dev/null +++ b/third_party/heimdal/appl/afsutil/afslog.1 
@@ -0,0 +1,147 @@ +.\" Copyright (c) 2002 - 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd November 26, 2002 +.Dt AFSLOG 1 +.Os HEIMDAL +.Sh NAME +.Nm afslog +.Nd obtain AFS tokens +.Sh SYNOPSIS +.Nm +.Op Fl h | Fl Fl help +.Op Fl Fl no-v5 +.Op Fl u | Fl Fl unlog +.Op Fl v | Fl Fl verbose +.Op Fl Fl version +.Oo Fl c Ar cell \*(Ba Xo +.Fl Fl cell= Ns Ar cell +.Xc +.Oc +.Oo Fl k Ar realm \*(Ba Xo +.Fl Fl realm= Ns Ar realm +.Xc +.Oc +.Oo Fl P Ar principal \*(Ba Xo +.Fl Fl principal= Ns Ar principal +.Xc +.Oc +.Bk -words +.Oo Fl p Ar path \*(Ba Xo +.Fl Fl file= Ns Ar path +.Xc +.Oc +.Ek +.Op Ar cell | path ... +.Sh DESCRIPTION +.Nm +obtains AFS tokens for a number of cells. What cells to get tokens for +can either be specified as an explicit list, as file paths to get +tokens for, or be left unspecified, in which case +.Nm +will use whatever magic +.Xr krb_afslog 3 +decides upon. +.Pp +Supported options: +.Bl -tag -width Ds +.It Fl Fl no-v5 +This makes +.Nm +not try using Kerberos 5. +.It Xo +.Fl P Ar principal , +.Fl Fl principal Ar principal +.Xc +select what Kerberos 5 principal to use. +.It Fl Fl cache Ar cache +select what Kerberos 5 credential cache to use. +.Fl Fl principal +overrides this option. +.It Xo +.Fl u , +.Fl Fl unlog +.Xc +Destroy tokens instead of obtaining new. If this is specified, all +other options are ignored (except for +.Fl Fl help +and +.Fl Fl version ) . +.It Xo +.Fl v , +.Fl Fl verbose +.Xc +Adds more verbosity for what is actually going on. +.It Xo +.Fl c Ar cell, +.Fl Fl cell= Ns Ar cell +.Xc +This specified one or more cell names to get tokens for. +.It Xo +.Fl k Ar realm , +.Fl Fl realm= Ns Ar realm +.Xc +This is the Kerberos realm the AFS servers live in, this should +normally not be specified. +.It Xo +.Fl p Ar path , +.Fl Fl file= Ns Ar path +.Xc +This specified one or more file paths for which tokens should be +obtained. +.El +.Pp +Instead of using +.Fl c +and +.Fl p , +you may also pass a list of cells and file paths after any other +options. 
These arguments are considered files if they are either +the strings +.Do . Dc +or +.Dq .. +or they contain a slash, or if there exists a file by that name. +.Sh EXAMPLES +Assuming that there is no file called +.Dq openafs.org +in the current directory, and that +.Pa /afs/openafs.org +points to that cell, the follwing should be identical: +.Bd -literal -offset indent +$ afslog -c openafs.org +$ afslog openafs.org +$ afslog /afs/openafs.org/some/file +.Ed +.Sh SEE ALSO +.Xr krb_afslog 3 diff --git a/third_party/heimdal/appl/afsutil/afslog.c b/third_party/heimdal/appl/afsutil/afslog.c new file mode 100644 index 0000000..05078ee --- /dev/null +++ b/third_party/heimdal/appl/afsutil/afslog.c 
@@ -0,0 +1,303 @@ +/* + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include +RCSID("$Id$"); +#endif +#include +#ifdef KRB5 +#include +#endif +#include +#include +#include +#include + +static int help_flag; +static int version_flag; +static getarg_strings cells; +static char *realm; +static getarg_strings files; +static int unlog_flag; +static int verbose; +#ifdef KRB5 +static char *client_string; +static char *cache_string; +static int use_krb5 = 1; +#endif + +struct getargs args[] = { + { "cell", 'c', arg_strings, &cells, "cells to get tokens for", "cell" }, + { "file", 'p', arg_strings, &files, "files to get tokens for", "path" }, + { "realm", 'k', arg_string, &realm, "realm for afs cell", "realm" }, + { "unlog", 'u', arg_flag, &unlog_flag, "remove tokens", NULL }, +#ifdef KRB5 + { "principal",'P',arg_string,&client_string,"principal to use","principal"}, + { "cache", 0, arg_string, &cache_string, "ccache to use", "cache"}, + { "v5", 0, arg_negative_flag, &use_krb5, "don't use Kerberos 5", + NULL }, +#endif + { "verbose",'v', arg_flag, &verbose, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, +}; + +static int num_args = sizeof(args) / sizeof(args[0]); + +#ifdef KRB5 +krb5_context context; +krb5_ccache id; +#endif + +static const char * +expand_one_file(FILE *f, const char *cell) +{ + static char buf[1024]; + char *p; + + while (fgets (buf, sizeof(buf), f) != NULL) { + if(buf[0] == '>') { + for(p = buf; *p && !isspace((unsigned char)*p) && *p != '#'; p++) + ; + *p = '\0'; + if(strncmp(buf + 1, cell, strlen(cell)) == 0) + return buf + 1; + } + buf[0] = '\0'; + } + return NULL; +} + +static const char * +expand_cell_name(const char *cell) +{ + FILE *f; + const char *c; + const char **fn, *fns[] = { _PATH_CELLSERVDB, + _PATH_ARLA_CELLSERVDB, + _PATH_OPENAFS_DEBIAN_CELLSERVDB, + _PATH_ARLA_DEBIAN_CELLSERVDB, + NULL }; + for(fn = fns; *fn; fn++) { + f = fopen(*fn, "r"); + if(f == NULL) + continue; + c = expand_one_file(f, cell); 
+ fclose(f); + if(c) + return c; + } + return NULL; +} + +static void +usage(int ecode) +{ + arg_printusage(args, num_args, NULL, "[cell|path]..."); + exit(ecode); +} + +struct cell_list { + char *cell; + struct cell_list *next; +} *cell_list; + +static int +afslog_cell(const char *cell, int expand) +{ + struct cell_list *p, **q; + const char *c = cell; + if(expand){ + c = expand_cell_name(cell); + if(c == NULL){ + warnx("No cell matching \"%s\" found.", cell); + return -1; + } + if(verbose && strcmp(c, cell) != 0) + warnx("Cell \"%s\" expanded to \"%s\"", cell, c); + } + /* add to list of cells to get tokens for, and also remove + duplicates; the actual afslog takes place later */ + for(p = cell_list, q = &cell_list; p; q = &p->next, p = p->next) + if(strcmp(p->cell, c) == 0) + return 0; + p = malloc(sizeof(*p)); + if(p == NULL) + return -1; + p->cell = strdup(c); + if(p->cell == NULL) { + free(p); + return -1; + } + p->next = NULL; + *q = p; + return 0; +} + +static int +afslog_file(const char *path) +{ + char cell[64]; + if(k_afs_cell_of_file(path, cell, sizeof(cell))){ + warnx("No cell found for file \"%s\".", path); + return -1; + } + if(verbose) + warnx("File \"%s\" lives in cell \"%s\"", path, cell); + return afslog_cell(cell, 0); +} + +static int +do_afslog(const char *cell) +{ + int k5ret; + + k5ret = 0; + +#ifdef KRB5 + if(context != NULL && id != NULL && use_krb5) { + k5ret = krb5_afslog(context, id, cell, realm); + if(k5ret == 0) + return 0; + } +#endif + if (cell == NULL) + cell = ""; +#ifdef KRB5 + if (k5ret) + krb5_warn(context, k5ret, "krb5_afslog(%s)", cell); +#endif + if (k5ret) + return 1; + return 0; +} + +static void +log_func(void *ctx, const char *str) +{ + fprintf(stderr, "%s\n", str); +} + +int +main(int argc, char **argv) +{ + int optidx = 0; + int i; + int num; + int ret = 0; + int failed = 0; + struct cell_list *p; + + setprogname(argv[0]); + + if(getarg(args, num_args, argc, argv, &optidx)) + usage(1); + if(help_flag) + usage(0); + 
if(version_flag) { + print_version(NULL); + exit(0); + } + + if(!k_hasafs()) + errx(1, "AFS does not seem to be present on this machine"); + + if(unlog_flag){ + k_unlog(); + exit(0); + } +#ifdef KRB5 + ret = krb5_init_context(&context); + if (ret) { + context = NULL; + } else { + if (client_string) { + krb5_principal client; + + ret = krb5_parse_name(context, client_string, &client); + if (ret == 0) + ret = krb5_cc_cache_match(context, client, &id); + if (ret) + id = NULL; + } + if (id == NULL && cache_string) { + if(krb5_cc_resolve(context, cache_string, &id) != 0) { + krb5_warnx(context, "failed to open kerberos 5 cache '%s'", + cache_string); + id = NULL; + } + } + if (id == NULL) + if(krb5_cc_default(context, &id) != 0) + id = NULL; + } +#endif + + if (verbose) + kafs_set_verbose(log_func, NULL); + + num = 0; + for(i = 0; i < files.num_strings; i++){ + afslog_file(files.strings[i]); + num++; + } + free_getarg_strings (&files); + for(i = 0; i < cells.num_strings; i++){ + afslog_cell(cells.strings[i], 1); + num++; + } + free_getarg_strings (&cells); + for(i = optidx; i < argc; i++){ + num++; + if(strcmp(argv[i], ".") == 0 || + strcmp(argv[i], "..") == 0 || + strchr(argv[i], '/') || + access(argv[i], F_OK) == 0) + afslog_file(argv[i]); + else + afslog_cell(argv[i], 1); + } + if(num == 0) { + if(do_afslog(NULL)) + failed++; + } else + for(p = cell_list; p; p = p->next) { + if(verbose) + warnx("Getting tokens for cell \"%s\"", p->cell); + if(do_afslog(p->cell)) + failed++; + } + + return failed; +} diff --git a/third_party/heimdal/appl/afsutil/pagsh.1 b/third_party/heimdal/appl/afsutil/pagsh.1 new file mode 100644 index 0000000..3c1fd96 --- /dev/null +++ b/third_party/heimdal/appl/afsutil/pagsh.1 
@@ -0,0 +1,94 @@ +.\" Copyright (c) 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id$ +.\" +.Dd February 12, 2005 +.Dt PAGSH 1 +.Os +.Sh NAME +.Nm pagsh +.Nd creates a new credential cache sandbox +.Sh SYNOPSIS +.Nm +.Op Fl c Ar command-string +.Op Fl h | Fl Fl help +.Op Fl Fl version +.Op Fl Fl cache-type= Ns Ar string +.Ar command [args...] 
+.Sh DESCRIPTION +Supported options: +.Bl -tag -width Ds +.It Xo +.Fl c Ar command-string +Executes command(s) contained in +.Ar command-string . +.Xc +.It Xo +.Fl Fl cache-type= Ns Ar string +.Xc +.It Xo +.Fl h , +.Fl Fl help +.Xc +.It Xo +.Fl Fl version +.Xc +.El +.Pp +.Nm +creates a new credential cache sandbox for the user to live in. +If AFS is installed on the computer, the user is put in a newly +created Process Authentication Group (PAG). +.Pp +For Kerberos 5, the credential cache type that is used is the same as +the credential cache type that was used at the time of +.Nm +invocation. +The credential cache type can be controlled by the option +.Fl Fl cache-type . +.Sh EXAMPLES +Create a new sandbox where new credentials can be used, while the old +credentials can be used by other processes. +.Bd -literal -offset indent +$ klist +Credentials cache: FILE:/tmp/krb5cc_913 + Principal: lha@E.KTH.SE + + Issued Expires Principal +Feb 12 10:08:31 Feb 12 20:06:36 krbtgt/E.KTH.SE@E.KTH.SE +$ pagsh +$ klist +klist: No ticket file: /tmp/krb5cc_03014a +.Ed +.Sh SEE ALSO +.Xr afslog 1 , +.Xr kinit 1 diff --git a/third_party/heimdal/appl/afsutil/pagsh.c b/third_party/heimdal/appl/afsutil/pagsh.c new file mode 100644 index 0000000..377ac61 --- /dev/null +++ b/third_party/heimdal/appl/afsutil/pagsh.c 
@@ -0,0 +1,213 @@ +/* + * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +RCSID("$Id$"); + +#include +#include +#include +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#include +#ifdef HAVE_FCNTL_H +#include +#endif +#ifdef HAVE_PWD_H +#include +#endif + +#ifdef KRB5 +#include +#endif +#include + +#include +#include +#include + +#ifndef TKT_ROOT +#define TKT_ROOT "/tmp/tkt" +#endif + +static int help_flag; +static int version_flag; +static int c_flag; +#ifdef KRB5 +static char *typename_arg; +#endif + +struct getargs getargs[] = { + { NULL, 'c', arg_flag, &c_flag, NULL, NULL }, +#ifdef KRB5 + { "cache-type", 0, arg_string, &typename_arg, NULL, NULL }, +#endif + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, +}; + +static int num_args = sizeof(getargs) / sizeof(getargs[0]); + +static void +usage(int ecode) +{ + arg_printusage(getargs, num_args, NULL, "command [args...]"); + exit(ecode); +} + +/* + * Run command with a new ticket file / credentials cache / token + */ + +int +main(int argc, char **argv) +{ + int f; + char tf[1024]; + char shellbuf[MAX_PATH]; + char *p; + + char *path; + char **args; + unsigned int i; + int optidx = 0; + + setprogname(argv[0]); + if(getarg(getargs, num_args, argc, argv, &optidx)) + usage(1); + if(help_flag) + usage(0); + if(version_flag) { + print_version(NULL); + exit(0); + } + + argc -= optidx; + argv += optidx; + +#ifdef KRB5 + { + krb5_error_code ret; + krb5_context context; + krb5_ccache id; + const char *name; + + ret = krb5_init_context(&context); + if (ret) /* XXX should this really call exit ? 
*/ + errx(1, "no kerberos 5 support"); + + ret = krb5_cc_new_unique(context, typename_arg, NULL, &id); + if (ret) + krb5_err(context, 1, ret, "Failed generating credential cache"); + + name = krb5_cc_get_name(context, id); + if (name == NULL) + krb5_errx(context, 1, "Generated credential cache have no name"); + + snprintf(tf, sizeof(tf), "%s:%s", krb5_cc_get_type(context, id), name); + + ret = krb5_cc_close(context, id); + if (ret) + krb5_err(context, 1, ret, "Failed closing credential cache"); + + krb5_free_context(context); + + esetenv("KRB5CCNAME", tf, 1); + } +#endif + + snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT); + f = mkstemp (tf); + if (f < 0) + err(1, "mkstemp failed"); + close (f); + unlink (tf); + esetenv("KRBTKFILE", tf, 1); + + i = 0; + + args = (char **) malloc((argc + 10)*sizeof(char *)); + if (args == NULL) + errx (1, "Out of memory allocating %lu bytes", + (unsigned long)((argc + 10)*sizeof(char *))); + + if(*argv == NULL) { + if (roken_get_shell(shellbuf, sizeof(shellbuf)) != NULL) + path = strdup(shellbuf); + else + path = strdup("/bin/sh"); + } else { + path = strdup(*argv++); + } + if (path == NULL) + errx (1, "Out of memory copying path"); + + p=strrchr(path, '/'); + if(p) + args[i] = strdup(p+1); + else + args[i] = strdup(path); + + if (args[i++] == NULL) + errx (1, "Out of memory copying arguments"); + + while(*argv) + args[i++] = *argv++; + + args[i++] = NULL; + + if(k_hasafs()) + k_setpag(); + + unsetenv("PAGPID"); + execvp(path, args); + if (errno == ENOENT || c_flag) { + char **sh_args = malloc ((i + 2) * sizeof(char *)); + unsigned int j; + + if (sh_args == NULL) + errx (1, "Out of memory copying sh arguments"); + for (j = 1; j < i; ++j) + sh_args[j + 2] = args[j]; + sh_args[0] = "sh"; + sh_args[1] = "-c"; + sh_args[2] = path; + execv ("/bin/sh", sh_args); + } + err (1, "execvp"); +} diff --git a/third_party/heimdal/appl/dbutils/Makefile.am b/third_party/heimdal/appl/dbutils/Makefile.am new file mode 100644 index 0000000..a1fc384 
--- /dev/null +++ b/third_party/heimdal/appl/dbutils/Makefile.am @@ -0,0 +1,13 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +bin_PROGRAMS = bsearch + +bsearch_SOURCES = bsearch.c + +man_MANS = bsearch.1 + +EXTRA_DIST = NTMakefile $(man_MANS) + +LDADD = $(LIB_roken) $(LIB_vers) $(LIB_heimbase) diff --git a/third_party/heimdal/appl/dbutils/NTMakefile b/third_party/heimdal/appl/dbutils/NTMakefile new file mode 100644 index 0000000..73ea816 --- /dev/null +++ b/third_party/heimdal/appl/dbutils/NTMakefile 
@@ -0,0 +1,35 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +RELDIR=appl\dbutils + +!include ../../windows/NTMakefile.w32 + diff --git a/third_party/heimdal/appl/dbutils/bsearch.1 b/third_party/heimdal/appl/dbutils/bsearch.1 new file mode 100644 index 0000000..0ea919c --- /dev/null +++ b/third_party/heimdal/appl/dbutils/bsearch.1 
@@ -0,0 +1,115 @@ +.\" +.\" Copyright (c) 2011, Secure Endpoints Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" - Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" - Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +.\" COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd November 30, 2011 +.Dt BSEARCH 1 +.Os KTH-KRB +.Sh NAME +.Nm bsearch +.Nd manages one-time passwords +.Sh SYNOPSIS +.Nm bsearch +.Op Fl KVvh +.Op Fl b Ar block-size +.Op Fl m Ar max-cache-size +.Ar file +.Ar [key ...] +.Sh DESCRIPTION +The +.Nm +program performs binary searches of +.Ar file +which must be a sorted flat text file. +.Pp +Each line is a record. Each record starts with a key +that is optionally followed by whitespace and a value. 
+Whitespace may be quoted with a backslash, but newline +and carriage-return characters must be quoted in some +other manner (e.g., as backslash-n and backslash-r). +Escapes are not interpreted nor removed. +.Pp +If no key arguments are given on the comman-line, then +keys will be read from standard input. +.Pp +By default only values are printed to standard output. +Use the -K option to also print keys. The exit status +will be non-zero if any key lookups fail. +.Pp +Options are: +.Bl -tag -width Ds +.It Fl K +Print keys. +.It Fl V +Don't print values. +.It Fl h +Print usage and exit. +.It Fl v +Print statistic and debug information to standard +error. +.Ar file +A sorted flat text file. NOTE: use the "C" locale for +sorting this file, as in "LC_ALL=C sort -u -o file +file". +.It Fl h +For getting a help message. +.It Fl m +Set +.Ar max-cache-size +as the maximum cache size. If the +.Ar file +is smaller than this size then the whole file will be +read into memory, else the program will read blocks. +Defaults to 1MB. +.It Fl b +Set +.Ar block-size +as the block size for block-wise I/O. This must be a +power of 2, must be no smaller than 512 and no larger +than 1MB. Defaults to the +.Ar file's +filesystem's preferred blocksize. +.El +.Sh EXAMPLES +.Bd -literal -offset indent +$ env LC_ALL=C sort -o /tmp/words /usr/share/dict/words +$ bsearch -Kv /tmp/words day +Using whole-file method +Key day found at offset 327695 in 12 loops and 0 reads +day +$ +.Ed +.Sh NOTES +.Pp +Records must not be longer than one block's size. +.Pp +Flat text files must be sorted in the "C" locale. In +some systems the default locale may result in +case-insensitive sorting by the sort command. +.Sh SEE ALSO +.Xr sort 1 diff --git a/third_party/heimdal/appl/dbutils/bsearch.c b/third_party/heimdal/appl/dbutils/bsearch.c new file mode 100644 index 0000000..da37251 --- /dev/null +++ b/third_party/heimdal/appl/dbutils/bsearch.c 
@@ -0,0 +1,205 @@ +/* + * Copyright (c) 2011, Secure Endpoints Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int help_flag; +int version_flag; +int verbose_flag; +int print_keys_flag; +int no_values_flag; +int block_size_int; +int max_size_int; + +struct getargs args[] = { + { "print-keys", 'K', arg_flag, &print_keys_flag, + "print keys", NULL }, + { "no-values", 'V', arg_flag, &no_values_flag, + "don't print values", NULL }, + { "verbose", 'v', arg_flag, &verbose_flag, + "print statistics and informative messages", NULL }, + { "help", 'h', arg_flag, &help_flag, + "print usage message", NULL }, + { "block-size", 'b', arg_integer, &block_size_int, + "block size", "integer" }, + { "max-cache-size", 'm', arg_integer, &max_size_int, + "maximum cache size", "integer" }, + { "version", '\0', arg_flag, &version_flag, NULL, NULL } +}; + +static int num_args = sizeof(args) / sizeof(args[0]); + +static void +usage(int status) +{ + arg_printusage(args, num_args, NULL, "file [key ...]"); + exit(status); +} + +#define MAX_BLOCK_SIZE (1024 * 1024) +#define DEFAULT_MAX_FILE_SIZE (1024 * 1024) + +int +main(int argc, char **argv) +{ + char keybuf[1024]; + char *fname; + char *key = keybuf; + char *value; + char *p; + bsearch_file_handle bfh = NULL; + size_t num; + size_t loc; /* index where record is located or to be inserted */ + size_t loops; /* number of loops/comparisons needed for lookup */ + size_t reads = 0; /* number of reads needed for a lookup */ + size_t failures = 0; /* number of lookup failures -- for exit status */ + size_t block_size = 0; + size_t max_size = 0; + int optidx = 0; + int blockwise; + int ret = 0; + + setprogname(argv[0]); + if (getarg(args, num_args, argc, argv, &optidx)) + usage(1); + + if (version_flag) { + print_version(NULL); + return 0; + } + + if (help_flag) + usage(0); + + if (block_size_int != 0 && block_size_int < 512) { + fprintf(stderr, "Invalid block size: too small\n"); + return 1; + } + if (block_size_int > 0) { + /* Check that block_size is a 
power of 2 */ + num = block_size_int; + while (num) { + if ((num % 2) && (num >> 1)) { + fprintf(stderr, "Invalid block size: must be power " + "of two\n"); + return 1; + } + num >>= 1; + } + if (block_size_int > MAX_BLOCK_SIZE) + fprintf(stderr, "Invalid block size: too large\n"); + block_size = block_size_int; + } + if (max_size_int < 0) + usage(1); + max_size = max_size_int; + + argc -= optind; + argv += optind; + + if (argc == 0) + usage(1); + + fname = argv[0]; + argc--; + argv++; + + ret = _bsearch_file_open(fname, max_size, block_size, &bfh, &reads); + if (ret != 0) { + perror("bsearch_file_open"); + return 1; + } + + _bsearch_file_info(bfh, &block_size, &max_size, &blockwise); + if (verbose_flag && blockwise) { + fprintf(stderr, "Using block-wise method with block size %lu and " + "cache size %lu\n", + (long unsigned)block_size, (long unsigned)max_size); + } else if (verbose_flag) { + fprintf(stderr, "Using whole-file method\n"); + } + + for (;;) { + loops = 0; /* reset stats */ + /* Eww */ + if (argc) { + key = *(argv++); + if (!key) + break; + } else { + if (!fgets(keybuf, sizeof (keybuf), stdin)) + break; + p = strchr(key, '\n'); + if (!p) + break; + *p = '\0'; + if (!*key) + continue; + } + ret = _bsearch_file(bfh, key, &value, &loc, &loops, &reads); + if (ret != 0) { + if (ret > 0) { + fprintf(stderr, "Error: %s\n", strerror(ret)); + _bsearch_file_close(&bfh); + return 1; + } + if (verbose_flag) + fprintf(stderr, "Key %s not found in %lu loops and %lu reads; " + "insert at %lu\n", key, (long unsigned)loops, + (long unsigned)reads, (long unsigned)loc); + failures++; + continue; + } + if (verbose_flag) + fprintf(stderr, "Key %s found at offset %lu in %lu loops and " + "%lu reads\n", key, (long unsigned)loc, + (long unsigned)loops, (long unsigned)reads); + if (print_keys_flag && !no_values_flag && value) + printf("%s %s\n", key, value); + else if (print_keys_flag) + printf("%s\n", key); + else if (no_values_flag && value) + printf("%s\n", value); + 
free(value); + } + if (failures) + return 2; + _bsearch_file_close(&bfh); + return 0; +} diff --git a/third_party/heimdal/appl/dceutils/ChangeLog b/third_party/heimdal/appl/dceutils/ChangeLog new file mode 100644 index 0000000..f583aeb --- /dev/null +++ b/third_party/heimdal/appl/dceutils/ChangeLog @@ -0,0 +1,39 @@ +2007-12-13 Love Hörnquist Åstrand + + * Makefile.am: Add missing files, from Buchan Milne. + +2006-08-08 Love Hörnquist Åstrand + + * k5dcecon.c: Check for seteuid failure, prompted by MIT advisory. + +2005-04-06 Love Hörnquist Åstrand + + * testpag.c: use NULL as last argument to execl, not 0 + +2002-08-12 Johan Danielsson + + * Makefile.am: rename dpagaix_LDFLAGS etc to appease automake + +2001-08-24 Assar Westerlund + + * Makefile.am (dpagaix): make sure of using $(EXEEXT) just to + please automake (this is aix-only code) + +2001-02-07 Assar Westerlund + + * Makefile.am (dpagaix): needs to be linked with ld, add an + explicit command for it. from Ake Sandgren + +2000-10-02 Assar Westerlund + + * Makefile.am: link with roken on everything except irix, where + apperently it fails. reported by Ake Sandgren + +2000-07-17 Johan Danielsson + + * Makefile.am: set compiler flags + +2000-07-01 Assar Westerlund + + * imported stuff from Ake Sandgren + diff --git a/third_party/heimdal/appl/dceutils/Makefile.am b/third_party/heimdal/appl/dceutils/Makefile.am new file mode 100644 index 0000000..6fa9d1a --- /dev/null +++ b/third_party/heimdal/appl/dceutils/Makefile.am 
@@ -0,0 +1,37 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + + +DFSPROGS = k5dcecon +if AIX +AIX_DFSPROGS = dpagaix +endif + +libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS) + +dpagaix_CFLAGS = $(dpagaix_cflags) +dpagaix_LDFLAGS = $(dpagaix_ldflags) +dpagaix_LDADD = $(dpagaix_ldadd) + +dpagaix$(EXEEXT): $(dpagaix_OBJECTS) + ld -edpagaix -o dpagaix$(EXEEXT) $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp + +LIB_dce = -ldce + +k5dcecon_SOURCES = k5dcecon.c k5dce.h + +dpagaix_SOURCES = dpagaix.c + +EXTRA_DIST = \ + NTMakefile \ + dfspag.exp \ + README.dcedfs \ + README.original \ + testpag.c + +if IRIX +LDADD = $(LIB_dce) +else +LDADD = $(LIB_roken) $(LIB_dce) +endif diff --git a/third_party/heimdal/appl/dceutils/NTMakefile b/third_party/heimdal/appl/dceutils/NTMakefile new file mode 100644 index 0000000..eb27eb4 --- /dev/null +++ b/third_party/heimdal/appl/dceutils/NTMakefile 
@@ -0,0 +1,35 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +RELDIR=appl\dceutils + +!include ../../windows/NTMakefile.w32 + diff --git a/third_party/heimdal/appl/dceutils/README.dcedfs b/third_party/heimdal/appl/dceutils/README.dcedfs new file mode 100644 index 0000000..5849ad6 --- /dev/null +++ b/third_party/heimdal/appl/dceutils/README.dcedfs 
@@ -0,0 +1,59 @@ +This is a set of patches and files to get a DFS ticket from a k5 ticket. +This code comes from Doug Engert, Argonne Nat. Lab (See dce/README.original +for more info) + +The files in dce are; +testpag: for testing if this is at all possible. +k5dfspag: included in libkrb5 +k5dcecon: Creates (or searches for) the actual DFSPAG ticketfile. +dpagaix: An AIX syscall stub. +README.original: Original README file from Doug Engert + + +Certain applications (rshd/telnetd) have been patched to call the +functions in k5dfspag when the situation is right. They are ifdef +with DCE. The patches are also originally from Doug but they +where against MIT krb5 code and have been merged into heimdal by me. +I will try to fix ftpd soon... + +There is also an ifdefs for DCE && AIX that can be used to make AIX +use DCE for getting group/passwd entries. This is needed if one is running +with a bare bones passwd/group file and AUTHSTATE set to DCE (This will be +more or less clear to people doing this...) I have forced this on for now. + +k5dfspag.c is in lib/krb5 +k5dfspag.c is dependent on DCE only. +It is also POSIX systems only. There are defines for the location of +k5dcecon and dpagaix that needs a correct configure setting. + +k5dcecon needs no special things for the compile except whatever is needed +on the target system to compile dce programs. +(On aix the dce compile flags are: -D_THREAD_SAFE -D_AIX32_THREADS=1 -D_AIX41 -D_AES_SOURCE or one can use xlc_r4 if it is version 3.6.4 or later) + +k5dcecon wants the following libs (on aix 4.3): +-ldce (and setenv from somewhere) + +dpagaix is only needed on AIX (see k5dfspag.c). +dpagaix needs dfspag.exp and is linked with +ld -edpagaix -o dpagaix dpagaix.o dfspag.exp + + +Hope to get this into heimdal soon :-) although I know that you will have to +change some things to get it cleanly into configure. 
Since I don't know the +structure of the code (heimdal), nor enough of configure, good enough I +just won't try it myself. + +One more thing, to get this to work one has to put fcache_version = x in +krb5.conf where x = whatever the DCE implementation understands, (usually +1 or 2). +Thanks for adding that... + + +Åke Sandgren (ake@hpc2n.umu.se) +HPC2N +Umeå University +Sweden + +PS +I have now added patches for configure.in and some Makefile.am's to get this +all cleanly (I hope) into heimdal. diff --git a/third_party/heimdal/appl/dceutils/README.original b/third_party/heimdal/appl/dceutils/README.original new file mode 100644 index 0000000..0887023 --- /dev/null +++ b/third_party/heimdal/appl/dceutils/README.original 
@@ -0,0 +1,335 @@ +KERBEROS and DCE INTEROPERABILITY ROUTINES + +WHAT'S NEW + +When k5dcecon was examining the ticket caches looking to +update one with a newer TGT, it might update the wrong +one for the correct user. This problem was reported by PNNL, +and is now fixed. + +Any Kerberized application can now use a forwarded TGT to establish a +DCE context, or can use a previously established DCE context. This is +both a functional improvement and a performance improvement. + +BACKGROUND + +The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a +number of ways. This is possible because: + + o DCE used Kerberos 5 internally. Based on the MIT code as of beta 4 + or so, with additional changes. + + o The DCE security server can act as a K5 KDC, as defined in RFC 1510 + and responds on port 88. + + o On the clients, DCE and Kerberos use the same format for the ticket + cache, and then can share it. The KRB5CCNAME environment variable points + at the cache. + + o On the clients, DCE and Kerberos use the same format for the srvtab + file. DCE refers to is a /krb5/v5srvtab and Kerberos as + /etc/krb5.keytab. They can be symlinked. + + o MIT has added many options to the krb5.conf configuration file + which allows newer features of Release 1.0 to be turned off to match + the earlier version of Kerberos upon which DCE is based. + + o DCE will accept a externally obtained Kerberos TGT in place of a + password when establishing a DCE context. + +There are some areas where they differ, including the following: + + o Administration of the database and the keytab files is done by the + DCE routines, rather the the Kerberos kadmin. + + o User password changes must be done using the DCE commands. Kpasswd + does not work. (But there are mods to Kerberos to use the v5passwd + with DCE. + + o DCE goes beyond authentication only, and provides authorization via + the PAC, and the dce-ptgt tickets stored in the cache. Thus a + Kerberos KDC can not act as a DCE security server. 
+ + o A DCE cell and Kerberos realm can cross-realm authenticate, but + there can be no intermediate realms. (There are other problems + in this area as well. But directly connected realms/cells do work.) + + o You can't link a module with the DCE library and the Kerberos + library. They have conflicting routines, static data and structures. + +One of the main features of DCE is the Distributed File System +DFS. Access to DFS requires authentication and authorization, and when +one uses a Kerberized network utility such as telnet, a forwarded +Kerberos ticket can be used to establish the DCE context to allow +access to DFS. + + +NEW TO THIS RELEASE + +This release introduces sharing of a DCE context, and PAG, and allows +any Kerberized application to establish or share the context. This is +made possible by using an undocumented feature of DCE which is on at +least the Transarc and IBM releases of DCE 1.1. + +I am in the process of trying to get this contributed to the general +DCE 1.2.2 release as a patch, so it could be included in other vendors +products. HP has expressed interest in doing this, as well as the +OpenGroup if the modification is contributed. You can help by +requesting Transarc and/or IBM to submit this modification to the +OpenGroup and ask your vendor to adopt this modification. + +The feature is a modification to the setpag() system call which will +allow an authorized process to set the PAG to a specific value, and +thus allow unrelated processes to share the same PAG. + +This then allows the Kerberized daemons such as kshd, to exec a DCE +module which established the DCE context. Kshd then sets the +KRB5CCNAME environment variable and then issues the setpag() to use +this context. This solves the linking problem. This is done via the +k5dfspag.c routine. + +The k5dfspag.c code is compiled with the lib/krb5/os routines and +included in the libkrb5. 
A daemon calls krb5_dfs_pag after the +krb5_kuserok has determined that the Kerberos principal and local +userid pair are acceptable. This should be done early so as to give +the daemon access to the home directory which may be located on DFS. +If the .k5login file is used by krb5_kuserok it will need to be +accessed by the daemon and will need special ACL handling. + +The krb5_dfs_pag routine will exec the k5dcecon module to do all the +real work. Upon return, if a PAG is obtained, krb5_dfs_pag with set +the PAG for the current process to the returned PAG value. It will +also set the KRB5CCNAME environment as well. Under DCE the PAG value +is the nnnnnnn part of the name of the cache: +FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn. + +The k5dcecon routine will attempt to use TGT which may have been +forwarded, to convert it to a DCE context. If there is no TGT, an +attempt will be made to join an existing PAG for the local userid, and +Kerberos principal. If there are existing PAGs, and a forwarded TGT, +k5dcecon will check the lifetime of the forwarded TGT, and if it is +less than the lifetime of the PAG, it will just join the PAG. If it +is greater, it will refresh the PAG using the forwarded TGT. +This approach has the advantage of not requiring many new tickets from +having to be obtained, and allows one to refresh a DCE context, or use +an already established context. + +If the system also has AFS, the AFS krb5_afs_pag should be called +after the krb5_dfs_pag, since cache pointed at via the KRB5CCNAME may +have changed, such as if a DFS PAG has been joined. The AFS code does +not have the capability to join an existing AFS PAG, but can use the +same cache which might already had a +afsx/@ service ticket. + + +WHAT'S IN THIS RELEASE + +The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to +be slipped in between telnetd or klogind and login.krb5. They would +use a forwarded Kerberos ticket to establish a DCE context. 
They are +the older programs which are included here. They work on all DCE +platforms, and don't take advantage of the undocumented setpag +feature. (A version of k5dcelogin is being included with DCE 1.2.2) + +K5dcecon is the new program which can be used to create, update or +join a DCE context. k5dcecon returns KRB5CCNAME string which contains +the PAG. + +k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel +1 and added to the libkrb5. It will exec k5dcecon and upon return set +the KRB5CCNAME and PAG. Mods to Kerberized klogind, rshd, telnetd, +ftpd are available to use the k5dfspag. + +Testpag.c is a test programs to see if the PAG can be set. + +The cpwkey.c routine can be used to change a key in the DCE registry, +by adding the key directly, or by setting the salt/pepper and password +or by providing the key and the pepper. This could be useful when +coping keys from a K4 or AFS database to DCE. It can also be used when +setting a DCE to K5 cross-cell key. This program is a test program +For mass inserts, it should be rewritten to read from stdin. + +K5dcelogin can also be called directly, much like dce_login. +I use the following commands in effect do the same thing as dce_login +and get a forwardable ticket, DCE context and an AFS token: + + #!/bin/csh + # simulate a dce_login using krb5 kinit and k5dcelogin + # + setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$ + /krb5/bin/kinit -f + exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh + #exec /krb5/sbin/k5dcelogin /bin/csh + +This could be useful in a mixed cell where "AS_REQ" messages are +handled by a K5 KDC, but DCE RPCs are handled by the DCE security +server. + +TESTING THE SETPAG + +The krb5_dfs_pag routine relies on an undocumented feature which is +in the AIX and Transarc Solaris ports of DCE and has been recently +added to the SGI version. To test if this feature is present +on some other DFS implementation use the testpag routine. 
+ +The testpag routine attempts to set a PAG value to one you supply. It +uses the afs_syscall with the afs_setpag, and passes the supplied +PAG value as the next parameter. On an unmodifed system, this +will be ignored, and a new will be set. You should also check that +if run as a user, you cannot join a PAG owned by another user. +When run as root, any PAG should be usable. + +On a machine with DFS running, do a dce_login to get a DCE context and +PAG. ECHO the KRB5CCNAME and look at the nnnnnnnn at the end. It +should look like an 8 char hex value, which may be 41ffxxxx on some +systems. + +Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where +nnnnnnnn is the PAG obtained for the above name. + +It should look like this example on an AIX 4.1.4 system: + + pembroke# ./testpag -n 63dc9997 + calling k5dcepag newpag=63dc9997 + PAG returned = 63dc9997 + +You will be running under a new shell with the PAG and KRB5CCNAME set. +If the PAG returned is the same as the newpag, then it worked. You can +further verify this by doing a DCE klist, cd to DFS and a DCE klist +again. The klist should show some tickets for DFS servers. + +If the PAG returned is not the same, and repeated attempts show a +returned PAG decremented by 1 from the previous returned PAG, then +this system does not have the modification For example: + + # ./testpag -n 41fffff9 + calling k5dcepag newpag=41fffff9 + PAG returned = 41fffff8 + # ./testpag -n 41fffff9 + calling k5dcepag newpag=41fffff9 + PAG returned = 41fffff7 + +In this case the syscall is ignoring the newpag parameter. + +Running it with -n 0 should get the next PAG value with or without +this modification. 
+ +If the DFS kernel extensions are not installed, you would get +something like this: + + caliban.ctd.anl.gov% ./testpag -n 012345678 + calling k5dcepag newpag=012345678 + Setpag failed with a system error + PAG returned = ffffffff + Not a good pag value + +If you DFS implementation does not have this modification, you could +attempt to install it yourself. But this requires source and requires +modifications to the kernel extensions. At the end of this note is an +untested sample using the DCE 1.2.2 source code. You can also contact +your system vendor and ask for this modification. + +UNICOS has a similar function setppag(newpag) which can be used to set +the PAG of the parent. Contact me if you are interested. + +HOW TO INSTALL + +Examine the k5dfspag.c file to make sure the DFS syscalls are correct +for your platform. See the /opt/dcelocal/share/include/dcedfs/syscall.h +on Solaris for example. + +You should build the testpag routine and make sure it works before +adding all the other mods. If it fails you can still use the klogind +and telnetd with the k5prelogin and k5dcelogin code. + +If you intend to install with a prefix other than /krb5, change: +DPAGAIX and K5DCECON in k5dfspag.c; the three references in +k5prelogin.c; and the DESTDIR in the Makefile. + +Get k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG +and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE +related changes and the calls to krb5_dfs_pag. + +Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory. + +Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration. + +Configure and Build the Kerberos v5. + +Modify the k5dce Makefile for your system. + +Build the k5dcecon and related programs. + +Install both the MIT Kerberos v5 and the k5dcecon and dpagaix if AIX. + +The makefile can also build k5dcelogin and k5prelogin. 
The install +can install k5dcelogin, k5prelogin and update the links for login.krb5 +-> k5prelogin and moving login.krb5 to login.k5. If you will be using +the k5dcecon/k5dfspag with the Kerberos mods, you don't need +k5prelogin, or the links changed, and may not need k5dcelogin. + +Note that Transarc has obfuscated the entries to the lib, and +the 1.0.3a is different from the 1.1. You may need to build two +versions of the k5dcelogin and/or k5dcecon one for each. + +AIX ONLY + +The dpagaix routine is needed for AIX because of the way they do the +syscalls. + +The following fix.aix.libdce.mk is not needed if dce 2.1.0.21 +has been installed. This PTF exposed the needed entrypoints. + +The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required +external entry points to the libdce.a. These are needed by k5dcecon +and k5dcelogin. A bug report was submitted to IBM on this, and it was +rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not +be needed with 1.2.2 + +Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the +makefile to its own directory. It will create a new libdce.a which you +need to copy back to /usr/lib/libdce.a You will need to reboot the +machine. See the /usr/lpp/dce/examples/inst/README.AIX for a similar +procedure. IBM was not responsive in a request to have these added. 
+ +UNTESTED KERNEL EXTENSION FOR SETPAG + +*** src/file/osi/,osi_pag.c Wed Oct 2 13:03:05 1996 +--- src/file/osi/osi_pag.c Mon Jul 28 13:53:13 1997 +*************** +*** 293,298 **** +--- 293,302 ---- + int code; + + osi_MakePreemptionRight(); ++ /* allow sharing of a PAG by non child processes DEE- 6/6/97 */ ++ if (unused && osi_GetUID(osi_getucred()) == 0) { ++ newpag = unused; ++ } else { + osi_mutex_enter(&osi_pagLock); + now = osi_Time(); + soonest = osi_firstPagTime + +*************** +*** 309,314 **** +--- 313,319 ---- + } + osi_mutex_exit(&osi_pagLock); + newpag = osi_genpag(); ++ } + osi_pcred_lock(p); + credp = crcopy(osi_getucred()); + code = osi_SetPagInCred(credp, newpag); + +Created 07/08/96 +Modified 09/30/96 +Modified 11/19/96 +Modified 12/19/96 +Modified 06/20/97 +Modified 07/28/97 +Modified 02/18/98 + + Douglas E. Engert + Argonne National Laboratory + 9700 South Cass Avenue + Argonne, Illinois 60439 + (630) 252-5444 diff --git a/third_party/heimdal/appl/dceutils/dfspag.exp b/third_party/heimdal/appl/dceutils/dfspag.exp new file mode 100644 index 0000000..ed39788 --- /dev/null +++ b/third_party/heimdal/appl/dceutils/dfspag.exp @@ -0,0 +1,3 @@ +#!/unix +* kernel extentions used to get the pag +kafs_syscall syscall diff --git a/third_party/heimdal/appl/dceutils/dpagaix.c b/third_party/heimdal/appl/dceutils/dpagaix.c new file mode 100644 index 0000000..304a9a2 --- /dev/null +++ b/third_party/heimdal/appl/dceutils/dpagaix.c 
@@ -0,0 +1,23 @@ +/* + * dpagaix.c + * On AIX we need to get the kernel extentions + * with the DFS kafs_syscall in it. + * We might be running on a system + * where DFS is not active. + * So we use this dummy routine which + * might not load to do the dirty work + * + * DCE does this with the /usr/lib/drivers/dfsloadobj + * + */ + + int dpagaix(parm1, parm2, parm3, parm4, parm5, parm6) + int parm1; + int parm2; + int parm3; + int parm4; + int parm5; + int parm6; + { + return(kafs_syscall(parm1, parm2, parm3, parm4, parm5, parm6)); + } diff --git a/third_party/heimdal/appl/dceutils/k5dce.h b/third_party/heimdal/appl/dceutils/k5dce.h new file mode 100644 index 0000000..dd32865 --- /dev/null +++ b/third_party/heimdal/appl/dceutils/k5dce.h 
@@ -0,0 +1,165 @@ +/* dummy K5 routines which are needed to get this to + * compile without having access ti the DCE versions + * of the header files. + * Thiis is very crude, and OSF needs to expose the K5 + * API. + */ + +#ifdef sun +/* Transarc obfuscates these routines */ +#ifdef DCE_1_1 + +#define krb5_init_ets _dce_PkjKqOaklP +#define krb5_copy_creds _dce_LuFxPiITzD +#define krb5_unparse_name _dce_LWHtAuNgRV +#define krb5_get_default_realm _dce_vDruhprWGh +#define krb5_build_principal _dce_qwAalSzTtF +#define krb5_build_principal_ext _dce_vhafIQlejW +#define krb5_build_principal_va _dce_alsqToMmuJ +#define krb5_cc_default _dce_KZRshhTXhE +#define krb5_cc_default_name _dce_bzJVAjHXVQ +#define sec_login_krb5_add_cred _dce_ePDtOJTZvU + +#else /* DCE 1.0.3a */ + +#define krb5_init_ets _dce_BmLRpOVsBo +#define krb5_copy_creds _dce_VGwSEBNwaf +#define krb5_unparse_name _dce_PgAOkJoMXA +#define krb5_get_default_realm _dce_plVOzStKyK +#define krb5_build_principal _dce_uAKSsluIFy +#define krb5_build_principal_ext _dce_tRMpPiRada +#define krb5_build_principal_va _dce_SxnLejZemH +#define krb5_cc_default _dce_SeKosWFnsv +#define krb5_cc_default_name _dce_qJeaphJWVc +#define sec_login_krb5_add_cred _dce_uHwRasumsN + +#endif +#endif + +/* Define the bare minimum k5 structures which are needed + * by this program. Since the krb5 includes are not supplied + * with DCE, these were based on the MIT Kerberos 5 beta 3 + * which should match the DCE as of 1.0.3 at least. + * The tricky one is the krb5_creds, since one is allocated + * by this program, and it needs access to the client principal + * in it. + * Note that there are no function prototypes, so there is no + * compile time checking. 
+ * DEE 07/11/95 + */ +#define NPROTOTYPE(x) () +typedef int krb5_int32; /* assuming all DCE systems are 32 bit */ +typedef short krb5short; /* assuming short is 16 bit */ +typedef krb5_int32 krb5_error_code; +typedef unsigned char krb5_octet; +typedef krb5_octet krb5_boolean; +typedef krb5short krb5_keytype; /* in k5.2 it's a short */ +typedef krb5_int32 krb5_flags; +typedef krb5_int32 krb5_timestamp; /* is a time_t in krb5.h */ + +typedef char * krb5_pointer; /* pointer to unexposed data */ + +typedef struct _krb5_ccache { + struct _krb5_cc_ops *ops; + krb5_pointer data; +} *krb5_ccache; + +typedef struct _krb5_cc_ops { + char *prefix; + char *(*get_name) NPROTOTYPE((krb5_ccache)); + krb5_error_code (*resolve) NPROTOTYPE((krb5_ccache *, char *)); + krb5_error_code (*gen_new) NPROTOTYPE((krb5_ccache *)); + krb5_error_code (*init) NPROTOTYPE((krb5_ccache, krb5_principal)); + krb5_error_code (*destroy) NPROTOTYPE((krb5_ccache)); + krb5_error_code (*close) NPROTOTYPE((krb5_ccache)); + krb5_error_code (*store) NPROTOTYPE((krb5_ccache, krb5_creds *)); + krb5_error_code (*retrieve) NPROTOTYPE((krb5_ccache, krb5_flags, + krb5_creds *, krb5_creds *)); + krb5_error_code (*get_princ) NPROTOTYPE((krb5_ccache, + krb5_principal *)); + krb5_error_code (*get_first) NPROTOTYPE((krb5_ccache, + krb5_cc_cursor *)); + krb5_error_code (*get_next) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *, + krb5_creds *)); + krb5_error_code (*end_get) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *)); + krb5_error_code (*remove_cred) NPROTOTYPE((krb5_ccache, krb5_flags, + krb5_creds *)); + krb5_error_code (*set_flags) NPROTOTYPE((krb5_ccache, krb5_flags)); +} krb5_cc_ops; + +typedef struct _krb5_keyblock { + krb5_keytype keytype; + int length; + krb5_octet *contents; +} krb5_keyblock; + +typedef struct _krb5_ticket_times { + krb5_timestamp authtime; + krb5_timestamp starttime; + krb5_timestamp endtime; + krb5_timestamp renew_till; +} krb5_ticket_times; + +typedef krb5_pointer krb5_cc_cursor; + +typedef 
struct _krb5_data { + int length; + char *data; +} krb5_data; + +typedef struct _krb5_authdata { + int ad_type; + int length; + krb5_octet *contents; +} krb5_authdata; + +typedef struct _krb5_creds { + krb5_pointer client; + krb5_pointer server; + krb5_keyblock keyblock; + krb5_ticket_times times; + krb5_boolean is_skey; + krb5_flags ticket_flags; + krb5_pointer **addresses; + krb5_data ticket; + krb5_data second_ticket; + krb5_pointer **authdata; +} krb5_creds; + +typedef krb5_pointer krb5_principal; + +#define KRB5_CC_END 336760974 +#define KRB5_TC_OPENCLOSE 0x00000001 + +/* Ticket flags */ +/* flags are 32 bits; each host is responsible to put the 4 bytes + representing these bits into net order before transmission */ +/* #define TKT_FLG_RESERVED 0x80000000 */ +#define TKT_FLG_FORWARDABLE 0x40000000 +#define TKT_FLG_FORWARDED 0x20000000 +#define TKT_FLG_PROXIABLE 0x10000000 +#define TKT_FLG_PROXY 0x08000000 +#define TKT_FLG_MAY_POSTDATE 0x04000000 +#define TKT_FLG_POSTDATED 0x02000000 +#define TKT_FLG_INVALID 0x01000000 +#define TKT_FLG_RENEWABLE 0x00800000 +#define TKT_FLG_INITIAL 0x00400000 +#define TKT_FLG_PRE_AUTH 0x00200000 +#define TKT_FLG_HW_AUTH 0x00100000 +#ifdef PK_INIT +#define TKT_FLG_PUBKEY_PREAUTH 0x00080000 +#define TKT_FLG_DIGSIGN_PREAUTH 0x00040000 +#define TKT_FLG_PRIVKEY_PREAUTH 0x00020000 +#endif + + +#define krb5_cc_get_principal(cache, principal) (*(cache)->ops->get_princ)(cache, principal) +#define krb5_cc_set_flags(cache, flags) (*(cache)->ops->set_flags)(cache, flags) +#define krb5_cc_get_name(cache) (*(cache)->ops->get_name)(cache) +#define krb5_cc_start_seq_get(cache, cursor) (*(cache)->ops->get_first)(cache, cursor) +#define krb5_cc_next_cred(cache, cursor, creds) (*(cache)->ops->get_next)(cache, cursor, creds) +#define krb5_cc_destroy(cache) (*(cache)->ops->destroy)(cache) +#define krb5_cc_end_seq_get(cache, cursor) (*(cache)->ops->end_get)(cache, cursor) + +/* end of k5 dummy typedefs */ + 
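Review bot: In the test program's main() (the hunk that ends just before the appl/dceutils/ChangeLog header), the oversize check `if (block_size_int > MAX_BLOCK_SIZE) fprintf(stderr, "Invalid block size: too large\n");` only prints and then falls through to `block_size = block_size_int;`, so a rejected value is still passed to _bsearch_file_open(). Return 1 there, as the power-of-two check above it does. Two smaller points in the same hunk: the stdin branch reads with fgets() into keybuf but then calls `strchr(key, '\n')`, which is only correct while key still points at keybuf from a declaration outside the visible lines, so using keybuf explicitly would be safer; and `if (failures) return 2;` exits before `_bsearch_file_close(&bfh)`, so the close should come first.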
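Review bot: In dpagaix.c, dpagaix() calls kafs_syscall() with no declaration in scope and is itself written as a K&R-style definition, so the compiler checks neither the argument count nor the types of the six int parameters passed through to the kernel extension. Add an explicit `extern int kafs_syscall(int, int, int, int, int, int);` (or the real prototype if it differs) and convert the definition to an ANSI prototype, so that a mismatch with the symbol exported in dfspag.exp shows up at build time instead of at syscall time.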
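Review bot: In k5dce.h, the hand-copied krb5 types rest on unchecked width assumptions (`typedef int krb5_int32; /* assuming all DCE systems are 32 bit */`, `typedef short krb5short;`), and `#define NPROTOTYPE(x) ()` discards every argument list in krb5_cc_ops, so nothing verifies that krb5_creds and the ops table match what the DCE library actually uses. The header's own comment says there is no compile-time checking. Since k5dcecon.c allocates and dereferences these structures, at least add a compile-time size assertion for krb5_int32 and krb5short and an include guard, and document which DCE releases the krb5_creds layout was verified against.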
diff --git a/third_party/heimdal/appl/dceutils/k5dcecon.c b/third_party/heimdal/appl/dceutils/k5dcecon.c new file mode 100644 index 0000000..c905625 --- /dev/null +++ b/third_party/heimdal/appl/dceutils/k5dcecon.c 
@@ -0,0 +1,792 @@ +/* + * (c) Copyright 1995 HEWLETT-PACKARD COMPANY + * + * To anyone who acknowledges that this file is provided + * "AS IS" without any express or implied warranty: + * permission to use, copy, modify, and distribute this + * file for any purpose is hereby granted without fee, + * provided that the above copyright notice and this + * notice appears in all copies, and that the name of + * Hewlett-Packard Company not be used in advertising or + * publicity pertaining to distribution of the software + * without specific, written prior permission. Hewlett- + * Packard Company makes no representations about the + * suitability of this software for any purpose. + * + */ +/* + * k5dcecon - Program to convert a K5 TGT to a DCE context, + * for use with DFS and its PAG. + * + * The program is designed to be called as a sub process, + * and return via stdout the name of the cache which implies + * the PAG which should be used. This program itself does not + * use the cache or PAG itself, so the PAG in the kernel for + * this program may not be set. + * + * The calling program can then use the name of the cache + * to set the KRB5CCNAME and PAG for itself and its children. + * + * If no ticket was passed, an attemplt to join an existing + * PAG will be made. + * + * If a forwarded K5 TGT is passed in, either a new DCE + * context will be created, or an existing one will be updated. + * If the same ticket was already used to create an existing + * context, it will be joined instead. + * + * Parts of this program are based on k5dceauth,c which was + * given to me by HP and by the k5dcelogin.c which I developed. + * A slightly different version of k5dcelogin.c, was added to + * DCE 1.2.2 + * + * D. E. 
Engert 6/17/97 ANL + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include "k5dce.h" + +#include +#include +#include + +/* #define DEBUG */ +#if defined(DEBUG) +#define DEEDEBUG(A) fprintf(stderr,A); fflush(stderr) +#define DEEDEBUG2(A,B) fprintf(stderr,A,B); fflush(stderr) +#else +#define DEEDEBUG(A) +#define DEEDEBUG2(A,B) +#endif + +#ifdef __hpux +#define seteuid(A) setresuid(-1,A,-1) +#endif + + +int k5dcecreate (uid_t, char *, char*, krb5_creds **); +int k5dcecon (uid_t, char *, char *); +int k5dcegettgt (krb5_ccache *, char *, char *, krb5_creds **); +int k5dcematch (uid_t, char *, char *, off_t *, krb5_creds **); +int k5dcesession (uid_t, char *, krb5_creds **, int *,krb5_flags); + + +char *progname = "k5dcecon"; +static time_t now; + +#ifdef notdef +#ifdef _AIX +/*---------------------------------------------*/ + /* AIX with DCE 1.1 does not have the com_err in the libdce.a + * do a half hearted job of substituting for it. + */ +void com_err(char *p1, int code, ...) +{ + int lst; + dce_error_string_t err_string; + dce_error_inq_text(code, err_string, &lst); + fprintf(stderr,"Error %d in %s: %s\n", code, p1, err_string ); +} + +/*---------------------------------------------*/ +void krb5_init_ets() +{ + +} +#endif +#endif + + +/*------------------------------------------------*/ +/* find a cache to use for our new pag */ +/* Since there is no simple way to determine which + * caches are associated with a pag, we will have + * do look around and see what makes most sense on + * different systems. + * on a Solaris system, and in the DCE source, + * the pags always start with a 41. + * this is not true on the IBM, where there does not + * appear to be any pattern. + * + * But since we are always certifing our creds when + * they are received, we can us that fact, and look + * at the first word of the associated data file + * to see that it has a "5". If not don't use. 
+ */ + +int k5dcesession(luid, pname, tgt, ppag, tflags) + uid_t luid; + char *pname; + krb5_creds **tgt; + int *ppag; + krb5_flags tflags; +{ + DIR *dirp; + struct dirent *direntp; + off_t size; + krb5_timestamp endtime; + int better = 0; + krb5_creds *xtgt; + + char prev_name[17] = ""; + krb5_timestamp prev_endtime; + off_t prev_size; + u_long prev_pag = 0; + + char ccname[64] = "FILE:/opt/dcelocal/var/security/creds/"; + + error_status_t st; + sec_login_handle_t lcontext = 0; + dce_error_string_t err_string; + int lst; + + DEEDEBUG2("k5dcesession looking for flags %8.8x\n",tflags); + + dirp = opendir("/opt/dcelocal/var/security/creds/"); + if (dirp == NULL) { + return 1; + } + + while ( (direntp = readdir( dirp )) != NULL ) { + +/* + * (but root has the ffffffff which we are not interested in) + */ + if (strncmp(direntp->d_name,"dcecred_",8) == 0 && + (strlen(direntp->d_name) == 16)) { + + /* looks like a cache name, lets do the stat, etc */ + + strcpy(ccname+38,direntp->d_name); + if (!k5dcematch(luid, pname, ccname, &size, &xtgt)) { + + /* it's one of our caches, see if it is better + * i.e. the endtime is farther, and if the endtimes + * are the same, take the larger, as he who has the + * most tickets wins. + * it must also had the same set of flags at least + * i.e. if the forwarded TGT is forwardable, this one must + * be as well. 
+ */ + + DEEDEBUG2("Cache:%s",direntp->d_name); + DEEDEBUG2(" size:%d",size); + DEEDEBUG2(" flags:%8.8x",xtgt->ticket_flags); + DEEDEBUG2(" %s",ctime((time_t *)&xtgt->times.endtime)); + + if ((xtgt->ticket_flags & tflags) == tflags ) { + if (prev_name[0]) { + if (xtgt->times.endtime > prev_endtime) { + better = 1; + } else if ((xtgt->times.endtime = prev_endtime) + && (size > prev_size)){ + better = 1; + } + } else { /* the first */ + if (xtgt->times.endtime >= now) { + better = 1; + } + } + if (better) { + strcpy(prev_name, direntp->d_name); + prev_endtime = xtgt->times.endtime; + prev_size = size; + sscanf(prev_name+8,"%8X",&prev_pag); + *tgt = xtgt; + better = 0; + } + } + } + } + } + (void)closedir( dirp ); + + if (!prev_name[0]) + return 1; /* failed to find one */ + + DEEDEBUG2("Best: %s\n",prev_name); + + if (ppag) + *ppag = prev_pag; + + strcpy(ccname+38,prev_name); + setenv("KRB5CCNAME",ccname,1); + + return(0); +} + + +/*----------------------------------------------*/ +/* see if this cache is for this this principal */ + +int k5dcematch(luid, pname, ccname, sizep, tgt) + uid_t luid; + char *pname; + char *ccname; + off_t *sizep; /* size of the file */ + krb5_creds **tgt; +{ + + krb5_ccache cache; + struct stat stbuf; + char ccdata[256]; + int fd; + int status; + + /* DEEDEBUG2("k5dcematch called: cache=%s\n",ccname+38); */ + + if (strncmp(ccname,"FILE:",5) == 0) { + + strcpy(ccdata,ccname+5); + strcat(ccdata,".data"); + + /* DEEDEBUG2("Checking the .data file for %s\n",ccdata); */ + + if (stat(ccdata, &stbuf)) + return(1); + + if (stbuf.st_uid != luid) + return(1); + + if ((fd = open(ccdata,O_RDONLY)) == -1) + return(1); + + if ((read(fd,&status,4)) != 4) { + close(fd); + return(1); + } + + /* DEEDEBUG2(".data file status = %d\n", status); */ + + if (status != 5) + return(1); + + if (stat(ccname+5, &stbuf)) + return(1); + + if (stbuf.st_uid != luid) + return(1); + + *sizep = stbuf.st_size; + } + + return(k5dcegettgt(&cache, ccname, pname, tgt)); +} + + 
+/*----------------------------------------*/ +/* k5dcegettgt - get the tgt from a cache */ + +int k5dcegettgt(pcache, ccname, pname, tgt) + krb5_ccache *pcache; + char *ccname; + char *pname; + krb5_creds **tgt; + +{ + krb5_ccache cache; + krb5_cc_cursor cur; + krb5_creds creds; + int code; + int found = 1; + krb5_principal princ; + char *kusername; + krb5_flags flags; + char *sname, *realm, *tgtname = NULL; + + /* Since DCE does not expose much of the Kerberos interface, + * we will have to use what we can. This means setting the + * KRB5CCNAME for each file we want to test + * We will also not worry about freeing extra cache structures + * as this this routine is also not exposed, and this should not + * effect this module. + * We should also free the creds contents, but that is not exposed + * either. + */ + + setenv("KRB5CCNAME",ccname,1); + cache = NULL; + *tgt = NULL; + + if (code = krb5_cc_default(pcache)) { + com_err(progname, code, "while getting ccache"); + goto return2; + } + + DEEDEBUG("Got cache\n"); + flags = 0; + if (code = krb5_cc_set_flags(*pcache, flags)) { + com_err(progname, code,"While setting flags"); + goto return2; + } + DEEDEBUG("Set flags\n"); + if (code = krb5_cc_get_principal(*pcache, &princ)) { + com_err(progname, code, "While getting princ"); + goto return1; + } + DEEDEBUG("Got principal\n"); + if (code = krb5_unparse_name(princ, &kusername)) { + com_err(progname, code, "While unparsing principal"); + goto return1; + } + + DEEDEBUG2("Unparsed to \"%s\"\n", kusername); + DEEDEBUG2("pname is \"%s\"\n", pname); + if (strcmp(kusername, pname) != 0) { + DEEDEBUG("Principals not equal\n"); + goto return1; + } + DEEDEBUG("Principals equal\n"); + + realm = strchr(pname,'@'); + realm++; + + if ((tgtname = malloc(9 + 2 * strlen(realm))) == 0) { + fprintf(stderr,"Malloc failed for tgtname\n"); + goto return1; + } + + strcpy(tgtname,"krbtgt/"); + strcat(tgtname,realm); + strcat(tgtname,"@"); + strcat(tgtname,realm); + + DEEDEBUG2("Getting tgt 
%s\n", tgtname); + if (code = krb5_cc_start_seq_get(*pcache, &cur)) { + com_err(progname, code, "while starting to retrieve tickets"); + goto return1; + } + + while (!(code = krb5_cc_next_cred(*pcache, &cur, &creds))) { + krb5_creds *cred = &creds; + + if (code = krb5_unparse_name(cred->server, &sname)) { + com_err(progname, code, "while unparsing server name"); + continue; + } + + if (strncmp(sname, tgtname, strlen(tgtname)) == 0) { + DEEDEBUG("FOUND\n"); + if (code = krb5_copy_creds(&creds, tgt)) { + com_err(progname, code, "while copying TGT"); + goto return1; + } + found = 0; + break; + } + /* we should do a krb5_free_cred_contents(creds); */ + } + + if (code = krb5_cc_end_seq_get(*pcache, &cur)) { + com_err(progname, code, "while finishing retrieval"); + goto return2; + } + +return1: + flags = KRB5_TC_OPENCLOSE; + krb5_cc_set_flags(*pcache, flags); /* force a close */ + +return2: + if (tgtname) + free(tgtname); + + return(found); +} + + +/*------------------------------------------*/ +/* Convert a forwarded TGT to a DCE context */ +int k5dcecon(luid, luser, pname) + uid_t luid; + char *luser; + char *pname; +{ + + krb5_creds *ftgt = NULL; + krb5_creds *tgt = NULL; + unsigned32 dfspag; + boolean32 reset_passwd = 0; + int lst; + dce_error_string_t err_string; + char *shell_prog; + krb5_ccache fcache; + char *ccname; + char *kusername; + char *urealm; + char *cp; + int pag; + int code; + krb5_timestamp endtime; + + + /* If there is no cache to be converted, we should not be here */ + + if ((ccname = getenv("KRB5CCNAME")) == NULL) { + DEEDEBUG("No KRB5CCNAME\n"); + return(1); + } + + if (k5dcegettgt(&fcache, ccname, pname, &ftgt)) { + fprintf(stderr, "%s: Did not find TGT\n", progname); + return(1); + } + + + DEEDEBUG2("flags=%x\n",ftgt->ticket_flags); + if (!(ftgt->ticket_flags & TKT_FLG_FORWARDABLE)){ + fprintf(stderr,"Ticket not forwardable\n"); + return(0); /* but OK to continue */ + } + + setenv("KRB5CCNAME","",1); + +#define TKT_ACCEPTABLE 
(TKT_FLG_FORWARDABLE | TKT_FLG_PROXIABLE \ + | TKT_FLG_MAY_POSTDATE | TKT_FLG_RENEWABLE | TKT_FLG_HW_AUTH \ + | TKT_FLG_PRE_AUTH) + + if (!k5dcesession(luid, pname, &tgt, &pag, + (ftgt->ticket_flags & TKT_ACCEPTABLE))) { + if (ftgt->times.endtime > tgt->times.endtime) { + DEEDEBUG("Updating existing cache\n"); + return(k5dceupdate(&ftgt, pag)); + } else { + DEEDEBUG("Using existing cache\n"); + return(0); /* use the original one */ + } + } + /* see if the tgts match up */ + + if ((code = k5dcecreate(luid, luser, pname, &ftgt))) { + return (code); + } + + /* + * Destroy the Kerberos5 cred cache file. + * but don't care about the return code. + */ + + DEEDEBUG("Destroying the old cache\n"); + if ((code = krb5_cc_destroy(fcache))) { + com_err(progname, code, "while destroying Kerberos5 ccache"); + } + return (0); +} + + +/*--------------------------------------------------*/ +/* k5dceupdate - update the cache with a new TGT */ +/* Assumed that the KRB5CCNAME has been set */ + +int k5dceupdate(krbtgt, pag) + krb5_creds **krbtgt; + int pag; +{ + + krb5_ccache ccache; + int code; + + if (code = krb5_cc_default(&ccache)) { + com_err(progname, code, "while opening cache for update"); + return(2); + } + + if (code = ccache->ops->init(ccache,(*krbtgt)->client)) { + com_err(progname, code, "while reinitilizing cache"); + return(3); + } + + /* krb5_cc_store_cred */ + if (code = ccache->ops->store(ccache, *krbtgt)) { + com_err(progname, code, "while updating cache"); + return(2); + } + + sec_login_pag_new_tgt(pag, (*krbtgt)->times.endtime); + return(0); +} +/*--------------------------------------------------*/ +/* k5dcecreate - create a new DCE context */ + +int k5dcecreate(luid, luser, pname, krbtgt) + uid_t luid; + char *luser; + char *pname; + krb5_creds **krbtgt; +{ + + char *cp; + char *urealm; + char *username; + char *defrealm; + uid_t uid; + + error_status_t st; + sec_login_handle_t lcontext = 0; + sec_login_auth_src_t auth_src = 0; + boolean32 reset_passwd = 0; + int 
lst; + dce_error_string_t err_string; + + setenv("KRB5CCNAME","",1); /* make sure it not misused */ + + uid = getuid(); + DEEDEBUG2("uid=%d\n",uid); + + /* if run as root, change to user, so as to have the + * cache created for the local user even if cross-cell + * If run as a user, let standard file protection work. + */ + + if (uid == 0) { + if (seteuid(luid) < 0) + goto abort; + } + + cp = strchr(pname,'@'); + *cp = '\0'; + urealm = ++cp; + + DEEDEBUG2("basename=%s\n",cp); + DEEDEBUG2("realm=%s\n",urealm); + + /* now build the username as a single string or a /.../cell/user + * if this is a cross cell + */ + + if ((username = malloc(7+strlen(pname)+strlen(urealm))) == 0) { + fprintf(stderr,"Malloc failed for username\n"); + goto abort; + } + if (krb5_get_default_realm(&defrealm)) { + DEEDEBUG("krb5_get_default_realm failed\n"); + goto abort; + } + + + if (strcmp(urealm,defrealm) == 0) { + strcpy(username,pname); + } else { + strcpy(username,"/.../"); + strcat(username,urealm); + strcat(username,"/"); + strcat(username,pname); + } + + /* + * Setup a DCE login context + */ + + if (sec_login_setup_identity((unsigned_char_p_t)username, + (sec_login_external_tgt|sec_login_proxy_cred), + &lcontext, &st)) { + /* + * Add our TGT. + */ + DEEDEBUG("Adding our new TGT\n"); + sec_login_krb5_add_cred(lcontext, *krbtgt, &st); + if (st) { + dce_error_inq_text(st, err_string, &lst); + fprintf(stderr, + "Error while adding credentials for %s because %s\n", + username, err_string); + goto abort; + } + DEEDEBUG("validating and certifying\n"); + /* + * Now "validate" and certify the identity, + * usually we would pass a password here, but... 
+ * sec_login_valid_and_cert_ident + * sec_login_validate_identity + */ + + if (sec_login_validate_identity(lcontext, 0, &reset_passwd, + &auth_src, &st)) { + DEEDEBUG2("validate_identity st=%d\n",st); + if (st) { + dce_error_inq_text(st, err_string, &lst); + fprintf(stderr, "Validation error for %s because %s\n", + username, err_string); + goto abort; + } + if (!sec_login_certify_identity(lcontext,&st)) { + dce_error_inq_text(st, err_string, &lst); + fprintf(stderr, + "Credentials not certified because %s\n",err_string); + } + if (reset_passwd) { + fprintf(stderr, + "Password must be changed for %s\n", username); + } + if (auth_src == sec_login_auth_src_local) { + fprintf(stderr, + "Credentials obtained from local registry for %s\n", + username); + } + if (auth_src == sec_login_auth_src_overridden) { + fprintf(stderr, "Validated %s from local override entry, no network credentials obtained\n", username); + goto abort; + + } + /* + * Actually create the cred files. + */ + DEEDEBUG("Ceating new cred files.\n"); + sec_login_set_context(lcontext, &st); + if (st) { + dce_error_inq_text(st, err_string, &lst); + fprintf(stderr, + "Unable to set context for %s because %s\n", + username, err_string); + goto abort; + } + + /* + * Now free up the local context and leave the + * network context with its pag + */ +#if 0 + sec_login_release_context(&lcontext, &st); + if (st) { + dce_error_inq_text(st, err_string, &lst); + fprintf(stderr, + "Unable to release context for %s because %s\n", + username, err_string); + goto abort; + } +#endif + } + else { + DEEDEBUG2("validate failed %d\n",st); + dce_error_inq_text(st, err_string, &lst); + fprintf(stderr, + "Unable to validate %s because %s\n", username, + err_string); + goto abort; + } + } + else { + dce_error_inq_text(st, err_string, &lst); + fprintf(stderr, + "Unable to setup login entry for %s because %s\n", + username, err_string); + goto abort; + } + + done: + /* if we were root, get back to root */ + + 
DEEDEBUG2("sec_login_inq_pag %8.8x\n", + sec_login_inq_pag(lcontext, &st)); + + if (uid == 0) { + seteuid(0); + } + + DEEDEBUG("completed\n"); + return(0); + + abort: + if (uid == 0) { + seteuid(0); + } + + DEEDEBUG("Aborting\n"); + return(2); +} + + + +/*-------------------------------------------------*/ +main(argc, argv) + int argc; + char *argv[]; +{ + int status; + extern int optind; + extern char *optarg; + int rv; + + char *lusername = NULL; + char *pname = NULL; + int fflag = 0; + struct passwd *pw; + uid_t luid; + uid_t myuid; + char *ccname; + krb5_creds *tgt = NULL; + +#ifdef DEBUG + close(2); + open("/tmp/k5dce.debug",O_WRONLY|O_CREAT|O_APPEND, 0600); +#endif + + if (myuid = getuid()) { + DEEDEBUG2("UID = %d\n",myuid); + exit(33); /* must be root to run this, get out now */ + } + + while ((rv = getopt(argc,argv,"l:p:fs")) != -1) { + DEEDEBUG2("Arg = %c\n", rv); + switch(rv) { + case 'l': /* user name */ + lusername = optarg; + DEEDEBUG2("Optarg = %s\n", optarg); + break; + case 'p': /* principal name */ + pname = optarg; + DEEDEBUG2("Optarg = %s\n", optarg); + break; + case 'f': /* convert a forwarded TGT to a context */ + fflag++; + break; + case 's': /* old test parameter, ignore it */ + break; + } + } + + setlocale(LC_ALL, ""); + krb5_init_ets(); + time(&now); /* set time to check expired tickets */ + + /* if lusername == NULL, Then user is passed as the USER= variable */ + + if (!lusername) { + lusername = getenv("USER"); + if (!lusername) { + fprintf(stderr, "USER not in environment\n"); + return(3); + } + } + + if ((pw = getpwnam(lusername)) == NULL) { + fprintf(stderr, "Who are you?\n"); + return(44); + } + + luid = pw->pw_uid; + + if (fflag) { + status = k5dcecon(luid, lusername, pname); + } else { + status = k5dcesession(luid, pname, &tgt, NULL, 0); + } + + if (!status) { + printf("%s",getenv("KRB5CCNAME")); /* return via stdout to caller */ + DEEDEBUG2("KRB5CCNAME=%s\n",getenv("KRB5CCNAME")); + } + + DEEDEBUG2("Returning status %d\n",status); 
+ return (status); +} diff --git a/third_party/heimdal/appl/dceutils/testpag.c b/third_party/heimdal/appl/dceutils/testpag.c new file mode 100644 index 0000000..8c9bf4a --- /dev/null +++ b/third_party/heimdal/appl/dceutils/testpag.c 
@@ -0,0 +1,150 @@ +/* Test the k5dcepag routine by setting a pag, and + * and execing a shell under this pag. + * + * This allows you to join a PAG which was created + * earlier by some other means. + * for example k5dcecon + * + * Must be run as root for testing only. + * + */ + +#include +#include +#include +#include +#include +#include +#include + +#define POSIX_SETJMP +#define POSIX_SIGNALS + +#ifdef POSIX_SIGNALS +typedef struct sigaction handler; +#define handler_init(H,F) (sigemptyset(&(H).sa_mask), \ + (H).sa_flags=0, \ + (H).sa_handler=(F)) +#define handler_swap(S,NEW,OLD) sigaction(S, &NEW, &OLD) +#define handler_set(S,OLD) sigaction(S, &OLD, NULL) +#else +typedef sigtype (*handler)(); +#define handler_init(H,F) ((H) = (F)) +#define handler_swap(S,NEW,OLD) ((OLD) = signal ((S), (NEW))) + +#define handler_set(S,OLD) (signal ((S), (OLD))) +#endif + +typedef void sigtype; + +/* + * We could include the dcedfs/syscall.h which should have these + * numbers, but it has extra baggage. So for + * simplicity sake now, we define these here. 
+ */ + + +#define AFSCALL_SETPAG 2 +#define AFSCALL_GETPAG 11 + +#if defined(sun) +#define AFS_SYSCALL 72 + +#elif defined(hpux) +/* assume HPUX 10 + or is it 50 */ +#define AFS_SYSCALL 326 + +#elif defined(_AIX) +#define DPAGAIX "dpagaix" +/* #define DPAGAIX "/krb5/sbin/dpagaix" */ + +#elif defined(sgi) || defined(_sgi) +#define AFS_SYSCALL 206+1000 + +#else +#define AFS_SYSCALL (Unknown_DFS_AFS_SYSCALL) +#endif + +static sigjmp_buf setpag_buf; + +static sigtype mysig() +{ + siglongjmp(setpag_buf, 1); +} + + +int krb5_dfs_newpag(new_pag) + int new_pag; +{ + handler sa1, osa1; + handler sa2, osa2; + int pag = -1; + + handler_init (sa1, mysig); + handler_init (sa2, mysig); + handler_swap (SIGSYS, sa1, osa1); + handler_swap (SIGSEGV, sa2, osa2); + + if (sigsetjmp(setpag_buf, 1) == 0) { +#if defined(_AIX) + int (*dpagaix)(int, int, int, int, int, int); + + if (dpagaix = load(DPAGAIX, 0, 0)) + pag = (*dpagaix)(AFSCALL_SETPAG, new_pag, 0, 0, 0, 0); +#else + pag = syscall(AFS_SYSCALL,AFSCALL_SETPAG, new_pag, 0, 0, 0, 0); +#endif + handler_set (SIGSYS, osa1); + handler_set (SIGSEGV, osa2); + return(pag); + } + + fprintf(stderr,"Setpag failed with a system error\n"); + /* syscall failed! 
return 0 */ + handler_set (SIGSYS, osa1); + handler_set (SIGSEGV, osa2); + return(-1); +} + +main(argc, argv) + int argc; + char *argv[]; +{ + extern int optind; + extern char *optarg; + int rv; + int rc; + unsigned int pag; + unsigned int newpag = 0; + char ccname[256]; + int nflag = 0; + + while((rv = getopt(argc,argv,"n:")) != -1) { + switch(rv) { + case 'n': + nflag++; + sscanf(optarg,"%8x",&newpag); + break; + default: + printf("Usage: k5dcepagt -n pag \n"); + exit(1); + } + } + + if (nflag) { + fprintf (stderr,"calling k5dcepag newpag=%8.8x\n",newpag); + pag = krb5_dfs_newpag(newpag); + + fprintf (stderr,"PAG returned = %8.8x\n",pag); + if ((pag != 0) && (pag != -1)) { + sprintf (ccname, + "FILE:/opt/dcelocal/var/security/creds/dcecred_%8.8x", + pag); + esetenv("KRB5CCNAME",ccname,1); + execl("/bin/csh", "csh", NULL); + } + else { + fprintf(stderr," Not a good pag value\n"); + } + } +} diff --git a/third_party/heimdal/appl/gssmask/Makefile.am b/third_party/heimdal/appl/gssmask/Makefile.am new file mode 100644 index 0000000..55673a0 --- /dev/null +++ b/third_party/heimdal/appl/gssmask/Makefile.am @@ -0,0 +1,13 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +noinst_PROGRAMS = gssmask gssmaestro + +gssmask_SOURCES = gssmask.c common.c common.h protocol.h + +gssmaestro_SOURCES = gssmaestro.c common.c common.h protocol.h + +LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LIB_roken) $(top_builddir)/lib/krb5/libkrb5.la + +EXTRA_DIST = NTMakefile diff --git a/third_party/heimdal/appl/gssmask/NTMakefile b/third_party/heimdal/appl/gssmask/NTMakefile new file mode 100644 index 0000000..4ad1dc4 --- /dev/null +++ b/third_party/heimdal/appl/gssmask/NTMakefile 
@@ -0,0 +1,35 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +RELDIR=appl\gssmask + +!include ../../windows/NTMakefile.w32 + diff --git a/third_party/heimdal/appl/gssmask/common.c b/third_party/heimdal/appl/gssmask/common.c new file mode 100644 index 0000000..8d7d8fa --- /dev/null +++ b/third_party/heimdal/appl/gssmask/common.c 
@@ -0,0 +1,97 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include +RCSID("$Id$"); + +krb5_error_code +store_string(krb5_storage *sp, const char *str) +{ + size_t len = strlen(str) + 1; + krb5_error_code ret; + + ret = krb5_store_int32(sp, len); + if (ret) + return ret; + ret = krb5_storage_write(sp, str, len); + if (ret != len) + return EINVAL; + return 0; +} + +static void +add_list(char ****list, size_t *listlen, char **str, size_t len) +{ + size_t i; + *list = erealloc(*list, sizeof(**list) * (*listlen + 1)); + + (*list)[*listlen] = ecalloc(len, sizeof(**list)); + for (i = 0; i < len; i++) + (*list)[*listlen][i] = str[i]; + (*listlen)++; +} + +static void +permute(char ****list, size_t *listlen, + char **str, const int start, const int len) +{ + int i, j; + +#define SWAP(s,i,j) { char *t = str[i]; str[i] = str[j]; str[j] = t; } + + for (i = start; i < len - 1; i++) { + for (j = i+1; j < len; j++) { + SWAP(str,i,j); + permute(list, listlen, str, i+1, len); + SWAP(str,i,j); + } + } + add_list(list, listlen, str, len); +} + +char *** +permutate_all(struct getarg_strings *strings, size_t *size) +{ + char **list, ***all = NULL; + int i; + + *size = 0; + + list = ecalloc(strings->num_strings, sizeof(*list)); + for (i = 0; i < strings->num_strings; i++) + list[i] = strings->strings[i]; + + permute(&all, size, list, 0, strings->num_strings); + free(list); + return all; +} diff --git a/third_party/heimdal/appl/gssmask/common.h b/third_party/heimdal/appl/gssmask/common.h new file mode 100644 index 0000000..96d10ff --- /dev/null +++ b/third_party/heimdal/appl/gssmask/common.h 
@@ -0,0 +1,114 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* $Id$ */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#ifdef HAVE_SYS_UTSNAME_H +#include +#endif + +#ifdef HAVE_SYS_WAIT_H +#include +#endif + +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "protocol.h" + +/* + * pthread support is disable because the pthread + * test have no "application pthread libflags" variable, + * when this is fixed pthread support can be enabled again. + */ +#undef ENABLE_PTHREAD_SUPPORT + +krb5_error_code store_string(krb5_storage *, const char *); + + +#define ret16(_client, num) \ + do { \ + if (krb5_ret_int16((_client)->sock, &(num)) != 0) \ + errx(1, "krb5_ret_int16 " #num); \ + } while(0) + +#define ret32(_client, num) \ + do { \ + if (krb5_ret_int32((_client)->sock, &(num)) != 0) \ + errx(1, "krb5_ret_int32 " #num); \ + } while(0) + +#define retdata(_client, data) \ + do { \ + if (krb5_ret_data((_client)->sock, &(data)) != 0) \ + errx(1, "krb5_ret_data " #data); \ + } while(0) + +#define retstring(_client, data) \ + do { \ + if (krb5_ret_string((_client)->sock, &(data)) != 0) \ + errx(1, "krb5_ret_data " #data); \ + } while(0) + + +#define put32(_client, num) \ + do { \ + if (krb5_store_int32((_client)->sock, num) != 0) \ + errx(1, "krb5_store_int32 " #num); \ + } while(0) + +#define putdata(_client, data) \ + do { \ + if (krb5_store_data((_client)->sock, data) != 0) \ + errx(1, "krb5_store_data " #data); \ + } while(0) + +#define putstring(_client, str) \ + do { \ + if (store_string((_client)->sock, str) != 0) \ + errx(1, "krb5_store_str " #str); \ + } while(0) + +char *** permutate_all(struct getarg_strings *, size_t *); diff --git a/third_party/heimdal/appl/gssmask/gssmaestro.c b/third_party/heimdal/appl/gssmask/gssmaestro.c new file mode 100644 index 0000000..9ccf1de --- /dev/null +++ b/third_party/heimdal/appl/gssmask/gssmaestro.c 
@@ -0,0 +1,962 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include +RCSID("$Id$"); + +static FILE *logfile; + +/* + * + */ + +struct client { + char *name; + struct sockaddr *sa; + socklen_t salen; + krb5_storage *sock; + int32_t capabilities; + char *target_name; + char *moniker; + krb5_storage *logsock; + int have_log; +#ifdef ENABLE_PTHREAD_SUPPORT + pthread_t thr; +#else + pid_t child; +#endif +}; + +static struct client **clients; +static int num_clients; + +static int +init_sec_context(struct client *client, + int32_t *hContext, int32_t *hCred, + int32_t flags, + const char *targetname, + const krb5_data *itoken, krb5_data *otoken) +{ + int32_t val; + krb5_data_zero(otoken); + put32(client, eInitContext); + put32(client, *hContext); + put32(client, *hCred); + put32(client, flags); + putstring(client, targetname); + putdata(client, *itoken); + ret32(client, *hContext); + ret32(client, val); + retdata(client, *otoken); + return val; +} + +static int +accept_sec_context(struct client *client, + int32_t *hContext, + int32_t flags, + const krb5_data *itoken, + krb5_data *otoken, + int32_t *hDelegCred) +{ + int32_t val; + krb5_data_zero(otoken); + put32(client, eAcceptContext); + put32(client, *hContext); + put32(client, flags); + putdata(client, *itoken); + ret32(client, *hContext); + ret32(client, val); + retdata(client, *otoken); + ret32(client, *hDelegCred); + return val; +} + +static int +acquire_cred(struct client *client, + const char *username, + const char *password, + int32_t flags, + int32_t *hCred) +{ + int32_t val; + put32(client, eAcquireCreds); + putstring(client, username); + putstring(client, password); + put32(client, flags); + ret32(client, val); + ret32(client, *hCred); + return val; +} + +static int +toast_resource(struct client *client, + int32_t hCred) +{ + int32_t val; + put32(client, eToastResource); + put32(client, hCred); + ret32(client, val); + return val; +} + +static int +goodbye(struct client *client) +{ + put32(client, eGoodBye); + return GSMERR_OK; +} + +static int 
+get_targetname(struct client *client, + char **target) +{ + put32(client, eGetTargetName); + retstring(client, *target); + return GSMERR_OK; +} + +static int32_t +encrypt_token(struct client *client, int32_t hContext, int32_t flags, + krb5_data *in, krb5_data *out) +{ + int32_t val; + put32(client, eEncrypt); + put32(client, hContext); + put32(client, flags); + put32(client, 0); + putdata(client, *in); + ret32(client, val); + retdata(client, *out); + return val; +} + +static int32_t +decrypt_token(struct client *client, int32_t hContext, int flags, + krb5_data *in, krb5_data *out) +{ + int32_t val; + put32(client, eDecrypt); + put32(client, hContext); + put32(client, flags); + put32(client, 0); + putdata(client, *in); + ret32(client, val); + retdata(client, *out); + return val; +} + +static int32_t +wrap_token_ext(struct client *client, int32_t hContext, int32_t flags, + int32_t bflags, krb5_data *header, krb5_data *in, krb5_data *trailer, + krb5_data *out) +{ + int32_t val; + put32(client, eWrapExt); + put32(client, hContext); + put32(client, flags); + put32(client, bflags); + putdata(client, *header); + putdata(client, *in); + putdata(client, *trailer); + ret32(client, val); + retdata(client, *out); + return val; +} + +static int32_t +unwrap_token_ext(struct client *client, int32_t hContext, int32_t flags, + int32_t bflags, krb5_data *header, krb5_data *in, krb5_data *trailer, + krb5_data *out) +{ + int32_t val; + put32(client, eUnwrapExt); + put32(client, hContext); + put32(client, flags); + put32(client, bflags); + putdata(client, *header); + putdata(client, *in); + putdata(client, *trailer); + ret32(client, val); + retdata(client, *out); + return val; +} + +static int32_t +get_mic(struct client *client, int32_t hContext, + krb5_data *in, krb5_data *mic) +{ + int32_t val; + put32(client, eSign); + put32(client, hContext); + put32(client, 0); + put32(client, 0); + putdata(client, *in); + ret32(client, val); + retdata(client, *mic); + return val; +} + +static 
int32_t +verify_mic(struct client *client, int32_t hContext, + krb5_data *in, krb5_data *mic) +{ + int32_t val; + put32(client, eVerify); + put32(client, hContext); + put32(client, 0); + put32(client, 0); + putdata(client, *in); + putdata(client, *mic); + ret32(client, val); + return val; +} + + +static int32_t +get_version_capa(struct client *client, + int32_t *version, int32_t *capa, + char **version_str) +{ + put32(client, eGetVersionAndCapabilities); + ret32(client, *version); + ret32(client, *capa); + retstring(client, *version_str); + return GSMERR_OK; +} + +static int32_t +get_moniker(struct client *client, + char **moniker) +{ + put32(client, eGetMoniker); + retstring(client, *moniker); + return GSMERR_OK; +} + +static int +wait_log(struct client *c) +{ + int32_t port; + struct sockaddr_storage sast; + socklen_t salen = sizeof(sast); + krb5_socket_t sock, sock2; + int ret; + + memset(&sast, 0, sizeof(sast)); + + assert(sizeof(sast) >= c->salen); + + sock = socket(c->sa->sa_family, SOCK_STREAM, 0); + if (sock == rk_INVALID_SOCKET) + err(1, "failed to build socket for %s's logging port", c->moniker); + + sast.ss_family = c->sa->sa_family; + ret = bind(sock, (struct sockaddr *)&sast, c->salen); + if (ret < 0) + err(1, "failed to bind %s's logging port", c->moniker); + + if (listen(sock, SOMAXCONN) < 0) + err(1, "failed to listen %s's logging port", c->moniker); + + salen = sizeof(sast); + ret = getsockname(sock, (struct sockaddr *)&sast, &salen); + if (ret < 0) + err(1, "failed to get address of local socket for %s", c->moniker); + + port = socket_get_port((struct sockaddr *)&sast); + + put32(c, eSetLoggingSocket); + put32(c, ntohs(port)); + + salen = sizeof(sast); + sock2 = accept(sock, (struct sockaddr *)&sast, &salen); + if (sock2 == rk_INVALID_SOCKET) + err(1, "failed to accept local socket for %s", c->moniker); + rk_closesocket(sock); + + return sock2; +} + + + + +static int +build_context(struct client *ipeer, struct client *apeer, + int32_t flags, 
int32_t hCred, + int32_t *iContext, int32_t *aContext, int32_t *hDelegCred) +{ + int32_t val = GSMERR_ERROR, ic = 0, ac = 0, deleg = 0; + krb5_data itoken, otoken; + int iDone = 0, aDone = 0; + int step = 0; + int first_call = 0x80; + + if (apeer->target_name == NULL) + errx(1, "apeer %s have no target name", apeer->name); + + krb5_data_zero(&itoken); + + while (!iDone || !aDone) { + + if (iDone) { + warnx("iPeer already done, aPeer want extra rtt"); + val = GSMERR_ERROR; + goto out; + } + + val = init_sec_context(ipeer, &ic, &hCred, flags|first_call, + apeer->target_name, &itoken, &otoken); + step++; + switch(val) { + case GSMERR_OK: + iDone = 1; + if (aDone) + continue; + break; + case GSMERR_CONTINUE_NEEDED: + break; + default: + warnx("iPeer %s failed with %d (step %d)", + ipeer->name, (int)val, step); + goto out; + } + + if (aDone) { + warnx("aPeer already done, iPeer want extra rtt"); + val = GSMERR_ERROR; + goto out; + } + + val = accept_sec_context(apeer, &ac, flags|first_call, + &otoken, &itoken, &deleg); + step++; + switch(val) { + case GSMERR_OK: + aDone = 1; + if (iDone) + continue; + break; + case GSMERR_CONTINUE_NEEDED: + break; + default: + warnx("aPeer %s failed with %d (step %d)", + apeer->name, (int)val, step); + val = GSMERR_ERROR; + goto out; + } + first_call = 0; + val = GSMERR_OK; + } + + if (iContext == NULL || val != GSMERR_OK) { + if (ic) + toast_resource(ipeer, ic); + if (iContext) + *iContext = 0; + } else + *iContext = ic; + + if (aContext == NULL || val != GSMERR_OK) { + if (ac) + toast_resource(apeer, ac); + if (aContext) + *aContext = 0; + } else + *aContext = ac; + + if (hDelegCred == NULL || val != GSMERR_OK) { + if (deleg) + toast_resource(apeer, deleg); + if (hDelegCred) + *hDelegCred = 0; + } else + *hDelegCred = deleg; + +out: + return val; +} + +static void +test_mic(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2) +{ + krb5_data msg, mic; + int32_t val; + + msg.data = "foo"; + msg.length = 3; + + 
krb5_data_zero(&mic); + + val = get_mic(c1, hc1, &msg, &mic); + if (val) + errx(1, "get_mic failed to host: %s", c1->moniker); + val = verify_mic(c2, hc2, &msg, &mic); + if (val) + errx(1, "verify_mic failed to host: %s", c2->moniker); + + krb5_data_free(&mic); +} + +static int32_t +test_wrap(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2, + int conf) +{ + krb5_data msg, wrapped, out; + int32_t val; + + msg.data = "foo"; + msg.length = 3; + + krb5_data_zero(&wrapped); + krb5_data_zero(&out); + + val = encrypt_token(c1, hc1, conf, &msg, &wrapped); + if (val) { + warnx("encrypt_token failed to host: %s", c1->moniker); + return val; + } + val = decrypt_token(c2, hc2, conf, &wrapped, &out); + if (val) { + krb5_data_free(&wrapped); + warnx("decrypt_token failed to host: %s", c2->moniker); + return val; + } + + if (msg.length != out.length) { + warnx("decrypted'ed token have wrong length (%lu != %lu)", + (unsigned long)msg.length, (unsigned long)out.length); + val = GSMERR_ERROR; + } else if (memcmp(msg.data, out.data, msg.length) != 0) { + warnx("decryptd'ed token have wrong data"); + val = GSMERR_ERROR; + } + + krb5_data_free(&wrapped); + krb5_data_free(&out); + return val; +} + +static int32_t +test_wrap_ext(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2, + int conf, int bflags) +{ + krb5_data header, msg, trailer, wrapped, out; + int32_t val; + + header.data = "header"; + header.length = sizeof("header") - 1; + + msg.data = "0123456789abcdef"; /* padded for most enctypes */ + msg.length = sizeof("0123456789abcdef") - 1; + + trailer.data = "trailer"; + trailer.length = 7; + + krb5_data_zero(&wrapped); + krb5_data_zero(&out); + + val = wrap_token_ext(c1, hc1, conf, bflags, &header, &msg, &trailer, &wrapped); + if (val) { + warnx("encrypt_token failed to host: %s", c1->moniker); + return val; + } + val = unwrap_token_ext(c2, hc2, conf, bflags, &header, &wrapped, &trailer, &out); + if (val) { + krb5_data_free(&wrapped); + 
warnx("decrypt_token failed to host: %s", c2->moniker); + return val; + } + + if (msg.length != out.length) { + warnx("decrypted'ed token have wrong length (%lu != %lu)", + (unsigned long)msg.length, (unsigned long)out.length); + val = GSMERR_ERROR; + } else if (memcmp(msg.data, out.data, msg.length) != 0) { + warnx("decryptd'ed token have wrong data"); + val = GSMERR_ERROR; + } + + krb5_data_free(&wrapped); + krb5_data_free(&out); + return val; +} + + +static int32_t +test_token(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2, int wrap_ext) +{ + int32_t val; + int i; + + for (i = 0; i < 10; i++) { + /* mic */ + test_mic(c1, hc1, c2, hc2); + test_mic(c2, hc2, c1, hc1); + + /* wrap */ + val = test_wrap(c1, hc1, c2, hc2, 0); + if (val) return val; + val = test_wrap(c2, hc2, c1, hc1, 0); + if (val) return val; + + val = test_wrap(c1, hc1, c2, hc2, 1); + if (val) return val; + val = test_wrap(c2, hc2, c1, hc1, 1); + if (val) return val; + + if (wrap_ext) { + /* wrap ext */ + val = test_wrap_ext(c1, hc1, c2, hc2, 1, 0); + if (val) return val; + val = test_wrap_ext(c2, hc2, c1, hc1, 1, 0); + if (val) return val; + + val = test_wrap_ext(c1, hc1, c2, hc2, 1, 1); + if (val) return val; + val = test_wrap_ext(c2, hc2, c1, hc1, 1, 1); + if (val) return val; + + val = test_wrap_ext(c1, hc1, c2, hc2, 0, 0); + if (val) return val; + val = test_wrap_ext(c2, hc2, c1, hc1, 0, 0); + if (val) return val; + + val = test_wrap_ext(c1, hc1, c2, hc2, 0, 1); + if (val) return val; + val = test_wrap_ext(c2, hc2, c1, hc1, 0, 1); + if (val) return val; + } + } + return GSMERR_OK; +} + +static int +log_function(void *ptr) +{ + struct client *c = ptr; + int32_t cmd, line; + char *file = NULL, *string = NULL; + + while (1) { + if (krb5_ret_int32(c->logsock, &cmd)) + goto out; + + switch (cmd) { + case eLogSetMoniker: + if (krb5_ret_string(c->logsock, &file)) + goto out; + break; + case eLogInfo: + case eLogFailure: + if (krb5_ret_string(c->logsock, &file)) + goto out; + if 
(krb5_ret_int32(c->logsock, &line)) + goto out; + if (krb5_ret_string(c->logsock, &string)) + goto out; + printf("%s:%lu: %s\n", + file, (unsigned long)line, string); + fprintf(logfile, "%s:%lu: %s\n", + file, (unsigned long)line, string); + fflush(logfile); + if (krb5_store_int32(c->logsock, 0)) + goto out; + break; + default: + errx(1, "client send bad log command: %d", (int)cmd); + } + } +out: + free(file); + free(string); + + return 0; +} + +static void +connect_client(const char *slave) +{ + char *name, *port; + struct client *c = ecalloc(1, sizeof(*c)); + struct addrinfo hints, *res0, *res; + int ret; + krb5_socket_t sock; + + name = estrdup(slave); + port = strchr(name, ':'); + if (port == NULL) + errx(1, "port missing from %s", name); + *port++ = 0; + + c->name = estrdup(slave); + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + + ret = getaddrinfo(name, port, &hints, &res0); + if (ret) + errx(1, "error resolving %s", name); + + for (res = res0, sock = rk_INVALID_SOCKET; res; res = res->ai_next) { + sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol); + if (sock == rk_INVALID_SOCKET) + continue; + if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) { + rk_closesocket(sock); + sock = rk_INVALID_SOCKET; + continue; + } + c->sa = ecalloc(1, res->ai_addrlen); + memcpy(c->sa, res->ai_addr, res->ai_addrlen); + c->salen = res->ai_addrlen; + break; /* okay we got one */ + } + if (sock == rk_INVALID_SOCKET) + err(1, "connect to host: %s", name); + freeaddrinfo(res0); + + c->sock = krb5_storage_from_socket(sock); + rk_closesocket(sock); + if (c->sock == NULL) + errx(1, "krb5_storage_from_fd"); + + { + int32_t version; + char *str = NULL; + get_version_capa(c, &version, &c->capabilities, &str); + if (str) { + free(str); + } + if (c->capabilities & HAS_MONIKER) + get_moniker(c, &c->moniker); + else + c->moniker = c->name; + if (c->capabilities & ISSERVER) + get_targetname(c, &c->target_name); + } + 
+ if (logfile) { + printf("starting log socket to client %s\n", c->moniker); + + sock = wait_log(c); + + c->logsock = krb5_storage_from_socket(sock); + rk_closesocket(sock); + if (c->logsock == NULL) + errx(1, "failed to create log krb5_storage"); +#ifdef ENABLE_PTHREAD_SUPPORT + pthread_create(&c->thr, NULL, log_function, c); +#else + c->child = fork(); + if (c->child == -1) + errx(1, "failed to fork"); + else if (c->child == 0) { + log_function(c); + fclose(logfile); + exit(0); + } +#endif + } + + + clients = erealloc(clients, (num_clients + 1) * sizeof(*clients)); + + clients[num_clients] = c; + num_clients++; + + free(name); +} + +static struct client * +get_client(const char *slave) +{ + size_t i; + for (i = 0; i < num_clients; i++) + if (strcmp(slave, clients[i]->name) == 0) + return clients[i]; + errx(1, "failed to find client %s", slave); +} + +/* + * + */ + +static int version_flag; +static int help_flag; +static int wrap_ext = 0; +static char *logfile_str; +static getarg_strings principals; +static getarg_strings slaves; + +struct getargs args[] = { + { "principals", 0, arg_strings, &principals, "Test principal", + NULL }, + { "slaves", 0, arg_strings, &slaves, "Slaves", + NULL }, + { "log-file", 0, arg_string, &logfile_str, "Logfile", + NULL }, + { "wrap-ext", 0, arg_flag, &wrap_ext, "test wrap extended", + NULL }, + { "version", 0, arg_flag, &version_flag, "Print version", + NULL }, + { "help", 0, arg_flag, &help_flag, NULL, + NULL } +}; + +static void +usage(int ret) +{ + arg_printusage (args, + sizeof(args) / sizeof(args[0]), + NULL, + ""); + exit (ret); +} + +int +main(int argc, char **argv) +{ + int optidx= 0; + char *user; + char *password; + char ***list, **p; + size_t num_list, i, j, k; + int failed = 0; + + setprogname (argv[0]); + + if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage (1); + + if (help_flag) + usage (0); + + if (version_flag) { + print_version (NULL); + return 0; + } + + if (optidx != argc) + usage 
(1); + + if (principals.num_strings == 0) + errx(1, "no principals"); + + user = estrdup(principals.strings[0]); + password = strchr(user, ':'); + if (password == NULL) + errx(1, "password missing from %s", user); + *password++ = 0; + + if (slaves.num_strings == 0) + errx(1, "no principals"); + + if (logfile_str) { + printf("open logfile %s\n", logfile_str); + logfile = fopen(logfile_str, "w+"); + if (logfile == NULL) + err(1, "failed to open: %s", logfile_str); + } + + /* + * + */ + + list = permutate_all(&slaves, &num_list); + + /* + * Set up connection to all clients + */ + + printf("Connecting to slaves\n"); + for (i = 0; i < slaves.num_strings; i++) + connect_client(slaves.strings[i]); + + /* + * Test acquire credentials + */ + + printf("Test acquire credentials\n"); + for (i = 0; i < slaves.num_strings; i++) { + int32_t hCred, val; + + val = acquire_cred(clients[i], user, password, 1, &hCred); + if (val != GSMERR_OK) { + warnx("Failed to acquire_cred on host %s: %d", + clients[i]->moniker, (int)val); + failed = 1; + } else + toast_resource(clients[i], hCred); + } + + if (failed) + goto out; + + /* + * First test if all slaves can build context to them-self. 
+ */ + + printf("Self context tests\n"); + for (i = 0; i < num_clients; i++) { + int32_t hCred, val, delegCred; + int32_t clientC, serverC; + struct client *c = clients[i]; + + if (c->target_name == NULL) + continue; + + printf("%s connects to self using %s\n", + c->moniker, c->target_name); + + val = acquire_cred(c, user, password, 1, &hCred); + if (val != GSMERR_OK) + errx(1, "failed to acquire_cred: %d", (int)val); + + val = build_context(c, c, + GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG| + GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG| + GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG, + hCred, &clientC, &serverC, &delegCred); + if (val == GSMERR_OK) { + test_token(c, clientC, c, serverC, wrap_ext); + toast_resource(c, clientC); + toast_resource(c, serverC); + if (delegCred) + toast_resource(c, delegCred); + } else { + warnx("build_context failed: %d", (int)val); + } + /* + * + */ + + val = build_context(c, c, + GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG, + hCred, &clientC, &serverC, &delegCred); + if (val == GSMERR_OK) { + test_token(c, clientC, c, serverC, wrap_ext); + toast_resource(c, clientC); + toast_resource(c, serverC); + if (delegCred) + toast_resource(c, delegCred); + } else { + warnx("build_context failed: %d", (int)val); + } + + toast_resource(c, hCred); + } + /* + * Build contexts though all entries in each lists, including the + * step from the last entry to the first, ie treat the list as a + * circle. + * + * Only follow the delegated credential, but test "all" + * flags. (XXX only do deleg|mutual right now. 
+ */ + + printf("\"All\" permutation tests\n"); + + for (i = 0; i < num_list; i++) { + int32_t hCred, val, delegCred = 0; + int32_t clientC = 0, serverC = 0; + struct client *client, *server; + + p = list[i]; + + client = get_client(p[0]); + + val = acquire_cred(client, user, password, 1, &hCred); + if (val != GSMERR_OK) + errx(1, "failed to acquire_cred: %d", (int)val); + + for (j = 1; j < num_clients + 1; j++) { + server = get_client(p[j % num_clients]); + + if (server->target_name == NULL) + break; + + for (k = 1; k < j; k++) + printf("\t"); + printf("%s -> %s\n", client->moniker, server->moniker); + + val = build_context(client, server, + GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG| + GSS_C_INTEG_FLAG|GSS_C_CONF_FLAG| + GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG, + hCred, &clientC, &serverC, &delegCred); + if (val != GSMERR_OK) { + warnx("build_context failed: %d", (int)val); + break; + } + + val = test_token(client, clientC, server, serverC, wrap_ext); + if (val) + break; + + toast_resource(client, clientC); + toast_resource(server, serverC); + if (!delegCred) { + warnx("no delegated cred on %s", server->moniker); + break; + } + toast_resource(client, hCred); + hCred = delegCred; + client = server; + } + if (hCred) + toast_resource(client, hCred); + } + + /* + * Close all connections to clients + */ + +out: + printf("sending goodbye and waiting for log sockets\n"); + for (i = 0; i < num_clients; i++) { + goodbye(clients[i]); + if (clients[i]->logsock) { +#ifdef ENABLE_PTHREAD_SUPPORT + pthread_join(&clients[i]->thr, NULL); +#else + waitpid(clients[i]->child, NULL, 0); +#endif + } + } + + printf("done\n"); + + return 0; +} diff --git a/third_party/heimdal/appl/gssmask/gssmask.c b/third_party/heimdal/appl/gssmask/gssmask.c new file mode 100644 index 0000000..44b59fe --- /dev/null +++ b/third_party/heimdal/appl/gssmask/gssmask.c 
@@ -0,0 +1,1268 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "common.h" +RCSID("$Id$"); + +/* + * + */ + +enum handle_type { handle_context, handle_cred }; + +struct handle { + int32_t idx; + enum handle_type type; + void *ptr; + struct handle *next; +}; + +struct client { + krb5_storage *sock; + krb5_storage *logging; + char *moniker; + int32_t nHandle; + struct handle *handles; + struct sockaddr_storage sa; + socklen_t salen; + char servername[MAXHOSTNAMELEN]; +}; + +FILE *logfile; +static char *targetname; +krb5_context context; + +/* + * + */ + +static void +logmessage(struct client *c, const char *file, unsigned int lineno, + int level, const char *fmt, ...) +{ + char *message; + va_list ap; + int32_t ackid; + int ret; + + va_start(ap, fmt); + ret = vasprintf(&message, fmt, ap); + va_end(ap); + if (ret == -1) + errx(1, "out of memory"); + + if (logfile) + fprintf(logfile, "%s:%u: %d %s\n", file, lineno, level, message); + + if (c->logging) { + if (krb5_store_int32(c->logging, eLogInfo) != 0) + errx(1, "krb5_store_int32: log level"); + if (krb5_store_string(c->logging, file) != 0) + errx(1, "krb5_store_string: filename"); + if (krb5_store_int32(c->logging, lineno) != 0) + errx(1, "krb5_store_string: filename"); + if (krb5_store_string(c->logging, message) != 0) + errx(1, "krb5_store_string: message"); + if (krb5_ret_int32(c->logging, &ackid) != 0) + errx(1, "krb5_ret_int32: ackid"); + } + free(message); +} + +/* + * + */ + +static int32_t +add_handle(struct client *c, enum handle_type type, void *data) +{ + struct handle *h; + + h = ecalloc(1, sizeof(*h)); + + h->idx = ++c->nHandle; + h->type = type; + h->ptr = data; + h->next = c->handles; + c->handles = h; + + return h->idx; +} + +static void +del_handle(struct handle **h, int32_t idx) +{ + OM_uint32 min_stat; + + if (idx == 0) + return; + + while (*h) { + if ((*h)->idx == idx) { + struct handle *p = *h; + *h = (*h)->next; + switch(p->type) { + case handle_context: { + gss_ctx_id_t c = p->ptr; + gss_delete_sec_context(&min_stat, &c, NULL); + break; } + 
case handle_cred: { + gss_cred_id_t c = p->ptr; + gss_release_cred(&min_stat, &c); + break; } + } + free(p); + return; + } + h = &((*h)->next); + } + errx(1, "tried to delete an unexisting handle"); +} + +static void * +find_handle(struct handle *h, int32_t idx, enum handle_type type) +{ + if (idx == 0) + return NULL; + + while (h) { + if (h->idx == idx) { + if (type == h->type) + return h->ptr; + errx(1, "monger switched type on handle!"); + } + h = h->next; + } + return NULL; +} + + +static int32_t +convert_gss_to_gsm(OM_uint32 maj_stat) +{ + switch(maj_stat) { + case 0: + return GSMERR_OK; + case GSS_S_CONTINUE_NEEDED: + return GSMERR_CONTINUE_NEEDED; + case GSS_S_DEFECTIVE_TOKEN: + return GSMERR_INVALID_TOKEN; + case GSS_S_BAD_MIC: + return GSMERR_AP_MODIFIED; + default: + return GSMERR_ERROR; + } +} + +static int32_t +convert_krb5_to_gsm(krb5_error_code ret) +{ + switch(ret) { + case 0: + return GSMERR_OK; + default: + return GSMERR_ERROR; + } +} + +/* + * + */ + +static int32_t +acquire_cred(struct client *c, + krb5_principal principal, + krb5_get_init_creds_opt *opt, + int32_t *handle) +{ + krb5_error_code ret; + krb5_creds cred; + krb5_ccache id; + gss_cred_id_t gcred; + OM_uint32 maj_stat, min_stat; + + *handle = 0; + + krb5_get_init_creds_opt_set_forwardable (opt, 1); + krb5_get_init_creds_opt_set_renew_life (opt, 3600 * 24 * 30); + + memset(&cred, 0, sizeof(cred)); + + ret = krb5_get_init_creds_password (context, + &cred, + principal, + NULL, + NULL, + NULL, + 0, + NULL, + opt); + if (ret) { + logmessage(c, __FILE__, __LINE__, 0, + "krb5_get_init_creds failed: %d", ret); + return convert_krb5_to_gsm(ret); + } + + ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_initialize"); + + ret = krb5_cc_initialize (context, id, cred.client); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_initialize"); + + ret = krb5_cc_store_cred (context, id, &cred); + if (ret) + krb5_err (context, 1, ret, 
"krb5_cc_store_cred"); + + krb5_free_cred_contents (context, &cred); + + maj_stat = gss_krb5_import_cred(&min_stat, + id, + NULL, + NULL, + &gcred); + krb5_cc_close(context, id); + if (maj_stat) { + logmessage(c, __FILE__, __LINE__, 0, + "krb5 import creds failed with: %d", maj_stat); + return convert_gss_to_gsm(maj_stat); + } + + *handle = add_handle(c, handle_cred, gcred); + + return 0; +} + + +/* + * + */ + +#define HandleOP(h) \ +handle##h(enum gssMaggotOp op, struct client *c) + +/* + * + */ + +static int +HandleOP(GetVersionInfo) +{ + put32(c, GSSMAGGOTPROTOCOL); + errx(1, "GetVersionInfo"); +} + +static int +HandleOP(GoodBye) +{ + struct handle *h = c->handles; + unsigned int i = 0; + + while (h) { + h = h->next; + i++; + } + + if (i) + logmessage(c, __FILE__, __LINE__, 0, + "Did not toast all resources: %d", i); + return 1; +} + +static int +HandleOP(InitContext) +{ + OM_uint32 maj_stat, min_stat, ret_flags; + int32_t hContext, hCred, flags; + krb5_data target_name, in_token; + int32_t new_context_id = 0, gsm_error = 0; + krb5_data out_token = { 0 , NULL }; + + gss_ctx_id_t ctx; + gss_cred_id_t creds; + gss_name_t gss_target_name; + gss_buffer_desc input_token; + gss_buffer_desc output_token = {0, 0}; + gss_OID oid = GSS_C_NO_OID; + gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER; + + ret32(c, hContext); + ret32(c, hCred); + ret32(c, flags); + retdata(c, target_name); + retdata(c, in_token); + + logmessage(c, __FILE__, __LINE__, 0, + "targetname: <%.*s>", (int)target_name.length, + (char *)target_name.data); + + ctx = find_handle(c->handles, hContext, handle_context); + if (ctx == NULL) + hContext = 0; + creds = find_handle(c->handles, hCred, handle_cred); + if (creds == NULL) + abort(); + + input_token.length = target_name.length; + input_token.value = target_name.data; + + maj_stat = gss_import_name(&min_stat, + &input_token, + GSS_KRB5_NT_PRINCIPAL_NAME, + &gss_target_name); + if (GSS_ERROR(maj_stat)) { + logmessage(c, __FILE__, __LINE__, 0, + "import 
name creds failed with: %d", maj_stat); + gsm_error = convert_gss_to_gsm(maj_stat); + goto out; + } + + /* oid from flags */ + + if (in_token.length) { + input_token.length = in_token.length; + input_token.value = in_token.data; + input_token_ptr = &input_token; + if (ctx == NULL) + krb5_errx(context, 1, "initcreds, context NULL, but not first req"); + } else { + input_token.length = 0; + input_token.value = NULL; + if (ctx) + krb5_errx(context, 1, "initcreds, context not NULL, but first req"); + } + + if ((flags & GSS_C_DELEG_FLAG) != 0) + logmessage(c, __FILE__, __LINE__, 0, "init_sec_context delegating"); + if ((flags & GSS_C_DCE_STYLE) != 0) + logmessage(c, __FILE__, __LINE__, 0, "init_sec_context dce-style"); + + maj_stat = gss_init_sec_context(&min_stat, + creds, + &ctx, + gss_target_name, + oid, + flags & 0x7f, + 0, + NULL, + input_token_ptr, + NULL, + &output_token, + &ret_flags, + NULL); + if (GSS_ERROR(maj_stat)) { + if (hContext != 0) + del_handle(&c->handles, hContext); + new_context_id = 0; + logmessage(c, __FILE__, __LINE__, 0, + "gss_init_sec_context returns code: %d/%d", + maj_stat, min_stat); + } else { + if (input_token.length == 0) + new_context_id = add_handle(c, handle_context, ctx); + else + new_context_id = hContext; + } + + gsm_error = convert_gss_to_gsm(maj_stat); + + if (output_token.length) { + out_token.data = output_token.value; + out_token.length = output_token.length; + } + +out: + logmessage(c, __FILE__, __LINE__, 0, + "InitContext return code: %d", gsm_error); + + put32(c, new_context_id); + put32(c, gsm_error); + putdata(c, out_token); + + gss_release_name(&min_stat, &gss_target_name); + if (output_token.length) + gss_release_buffer(&min_stat, &output_token); + krb5_data_free(&in_token); + krb5_data_free(&target_name); + + return 0; +} + +static int +HandleOP(AcceptContext) +{ + OM_uint32 maj_stat, min_stat, ret_flags; + int32_t hContext, deleg_hcred, flags; + krb5_data in_token; + int32_t new_context_id = 0, gsm_error = 0; + 
krb5_data out_token = { 0 , NULL }; + + gss_ctx_id_t ctx; + gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL; + gss_buffer_desc input_token, output_token; + + ret32(c, hContext); + ret32(c, flags); + retdata(c, in_token); + + ctx = find_handle(c->handles, hContext, handle_context); + if (ctx == NULL) + hContext = 0; + + if (in_token.length) { + input_token.length = in_token.length; + input_token.value = in_token.data; + } else { + input_token.length = 0; + input_token.value = NULL; + } + + maj_stat = gss_accept_sec_context(&min_stat, + &ctx, + GSS_C_NO_CREDENTIAL, + &input_token, + GSS_C_NO_CHANNEL_BINDINGS, + NULL, + NULL, + &output_token, + &ret_flags, + NULL, + &deleg_cred); + if (GSS_ERROR(maj_stat)) { + if (hContext != 0) + del_handle(&c->handles, hContext); + logmessage(c, __FILE__, __LINE__, 0, + "gss_accept_sec_context returns code: %d/%d", + maj_stat, min_stat); + new_context_id = 0; + } else { + if (hContext == 0) + new_context_id = add_handle(c, handle_context, ctx); + else + new_context_id = hContext; + } + if (output_token.length) { + out_token.data = output_token.value; + out_token.length = output_token.length; + } + if ((ret_flags & GSS_C_DCE_STYLE) != 0) + logmessage(c, __FILE__, __LINE__, 0, "accept_sec_context dce-style"); + if ((ret_flags & GSS_C_DELEG_FLAG) != 0) { + deleg_hcred = add_handle(c, handle_cred, deleg_cred); + logmessage(c, __FILE__, __LINE__, 0, + "accept_context delegated handle: %d", deleg_hcred); + } else { + gss_release_cred(&min_stat, &deleg_cred); + deleg_hcred = 0; + } + + + gsm_error = convert_gss_to_gsm(maj_stat); + + put32(c, new_context_id); + put32(c, gsm_error); + putdata(c, out_token); + put32(c, deleg_hcred); + + if (output_token.length) + gss_release_buffer(&min_stat, &output_token); + krb5_data_free(&in_token); + + return 0; +} + +static int +HandleOP(ToastResource) +{ + int32_t handle; + + ret32(c, handle); + logmessage(c, __FILE__, __LINE__, 0, "toasting %d", handle); + del_handle(&c->handles, handle); + put32(c, 
GSMERR_OK); + + return 0; +} + +static int +HandleOP(AcquireCreds) +{ + char *name, *password; + int32_t gsm_error, flags, handle = 0; + krb5_principal principal = NULL; + krb5_get_init_creds_opt *opt = NULL; + krb5_error_code ret; + + retstring(c, name); + retstring(c, password); + ret32(c, flags); + + logmessage(c, __FILE__, __LINE__, 0, + "username: %s password: %s", name, password); + + ret = krb5_parse_name(context, name, &principal); + if (ret) { + gsm_error = convert_krb5_to_gsm(ret); + goto out; + } + + ret = krb5_get_init_creds_opt_alloc (context, &opt); + if (ret) + krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); + + krb5_get_init_creds_opt_set_pa_password(context, opt, password, NULL); + + gsm_error = acquire_cred(c, principal, opt, &handle); + +out: + logmessage(c, __FILE__, __LINE__, 0, + "AcquireCreds handle: %d return code: %d", handle, gsm_error); + + if (opt) + krb5_get_init_creds_opt_free (context, opt); + if (principal) + krb5_free_principal(context, principal); + free(name); + free(password); + + put32(c, gsm_error); + put32(c, handle); + + return 0; +} + +static int +HandleOP(Sign) +{ + OM_uint32 maj_stat, min_stat; + int32_t hContext, flags, seqno; + krb5_data token; + gss_ctx_id_t ctx; + gss_buffer_desc input_token, output_token; + + ret32(c, hContext); + ret32(c, flags); + ret32(c, seqno); + retdata(c, token); + + ctx = find_handle(c->handles, hContext, handle_context); + if (ctx == NULL) + errx(1, "sign: reference to unknown context"); + + input_token.length = token.length; + input_token.value = token.data; + + maj_stat = gss_get_mic(&min_stat, ctx, 0, &input_token, + &output_token); + if (maj_stat != GSS_S_COMPLETE) + errx(1, "gss_get_mic failed"); + + krb5_data_free(&token); + + token.data = output_token.value; + token.length = output_token.length; + + put32(c, 0); /* XXX fix gsm_error */ + putdata(c, token); + + gss_release_buffer(&min_stat, &output_token); + + return 0; +} + +static int +HandleOP(Verify) +{ + OM_uint32 
maj_stat, min_stat; + int32_t hContext, flags, seqno; + krb5_data msg, mic; + gss_ctx_id_t ctx; + gss_buffer_desc msg_token, mic_token; + gss_qop_t qop; + + ret32(c, hContext); + + ctx = find_handle(c->handles, hContext, handle_context); + if (ctx == NULL) + errx(1, "verify: reference to unknown context"); + + ret32(c, flags); + ret32(c, seqno); + retdata(c, msg); + + msg_token.length = msg.length; + msg_token.value = msg.data; + + retdata(c, mic); + + mic_token.length = mic.length; + mic_token.value = mic.data; + + maj_stat = gss_verify_mic(&min_stat, ctx, &msg_token, + &mic_token, &qop); + if (maj_stat != GSS_S_COMPLETE) + errx(1, "gss_verify_mic failed"); + + krb5_data_free(&mic); + krb5_data_free(&msg); + + put32(c, 0); /* XXX fix gsm_error */ + + return 0; +} + +static int +HandleOP(GetVersionAndCapabilities) +{ + int32_t cap = HAS_MONIKER; + char name[256] = "unknown", *str; + int ret; + + if (targetname) + cap |= ISSERVER; /* is server */ + +#ifdef HAVE_UNAME + { + struct utsname ut; + if (uname(&ut) == 0) { + snprintf(name, sizeof(name), "%s-%s-%s", + ut.sysname, ut.version, ut.machine); + } + } +#endif + + ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name); + if (ret == -1) + errx(1, "out of memory"); + + put32(c, GSSMAGGOTPROTOCOL); + put32(c, cap); + putstring(c, str); + free(str); + + return 0; +} + +static int +HandleOP(GetTargetName) +{ + if (targetname) + putstring(c, targetname); + else + putstring(c, ""); + return 0; +} + +static int +HandleOP(SetLoggingSocket) +{ + int32_t portnum; + krb5_socket_t sock; + int ret; + + ret32(c, portnum); + + logmessage(c, __FILE__, __LINE__, 0, + "logging port on peer is: %d", (int)portnum); + + socket_set_port((struct sockaddr *)(&c->sa), htons(portnum)); + + sock = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0); + if (sock == rk_INVALID_SOCKET) + return 0; + + ret = connect(sock, (struct sockaddr *)&c->sa, c->salen); + if (ret < 0) { + logmessage(c, __FILE__, __LINE__, 0, "failed connect 
to log port: %s", + strerror(errno)); + rk_closesocket(sock); + return 0; + } + + if (c->logging) + krb5_storage_free(c->logging); + c->logging = krb5_storage_from_socket(sock); + rk_closesocket(sock); + + krb5_store_int32(c->logging, eLogSetMoniker); + store_string(c->logging, c->moniker); + + logmessage(c, __FILE__, __LINE__, 0, "logging turned on"); + + return 0; +} + + +static int +HandleOP(ChangePassword) +{ + errx(1, "ChangePassword"); +} + +static int +HandleOP(SetPasswordSelf) +{ + errx(1, "SetPasswordSelf"); +} + +static int +HandleOP(Wrap) +{ + OM_uint32 maj_stat, min_stat; + int32_t hContext, flags, seqno; + krb5_data token; + gss_ctx_id_t ctx; + gss_buffer_desc input_token, output_token; + int conf_state; + + ret32(c, hContext); + ret32(c, flags); + ret32(c, seqno); + retdata(c, token); + + ctx = find_handle(c->handles, hContext, handle_context); + if (ctx == NULL) + errx(1, "wrap: reference to unknown context"); + + input_token.length = token.length; + input_token.value = token.data; + + maj_stat = gss_wrap(&min_stat, ctx, flags, 0, &input_token, + &conf_state, &output_token); + if (maj_stat != GSS_S_COMPLETE) + errx(1, "gss_wrap failed"); + + krb5_data_free(&token); + + token.data = output_token.value; + token.length = output_token.length; + + put32(c, 0); /* XXX fix gsm_error */ + putdata(c, token); + + gss_release_buffer(&min_stat, &output_token); + + return 0; +} + + +static int +HandleOP(Unwrap) +{ + OM_uint32 maj_stat, min_stat; + int32_t hContext, flags, seqno; + krb5_data token; + gss_ctx_id_t ctx; + gss_buffer_desc input_token, output_token; + int conf_state; + gss_qop_t qop_state; + + ret32(c, hContext); + ret32(c, flags); + ret32(c, seqno); + retdata(c, token); + + ctx = find_handle(c->handles, hContext, handle_context); + if (ctx == NULL) + errx(1, "unwrap: reference to unknown context"); + + input_token.length = token.length; + input_token.value = token.data; + + maj_stat = gss_unwrap(&min_stat, ctx, &input_token, + &output_token, 
&conf_state, &qop_state); + + if (maj_stat != GSS_S_COMPLETE) + errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat); + + krb5_data_free(&token); + if (maj_stat == GSS_S_COMPLETE) { + token.data = output_token.value; + token.length = output_token.length; + } else { + token.data = NULL; + token.length = 0; + } + put32(c, 0); /* XXX fix gsm_error */ + putdata(c, token); + + if (maj_stat == GSS_S_COMPLETE) + gss_release_buffer(&min_stat, &output_token); + + return 0; +} + +static int +HandleOP(Encrypt) +{ + return handleWrap(op, c); +} + +static int +HandleOP(Decrypt) +{ + return handleUnwrap(op, c); +} + +static int +HandleOP(ConnectLoggingService2) +{ + errx(1, "ConnectLoggingService2"); +} + +static int +HandleOP(GetMoniker) +{ + putstring(c, c->moniker); + return 0; +} + +static int +HandleOP(CallExtension) +{ + errx(1, "CallExtension"); +} + +static int +HandleOP(AcquirePKInitCreds) +{ + int32_t flags; + krb5_data pfxdata; + char fn[] = "FILE:/tmp/pkcs12-creds-XXXXXXX"; + int fd; + + ret32(c, flags); + retdata(c, pfxdata); + + fd = mkstemp(fn + 5); + if (fd < 0) + errx(1, "mkstemp"); + + net_write(fd, pfxdata.data, pfxdata.length); + krb5_data_free(&pfxdata); + close(fd); + + put32(c, -1); /* hResource */ + put32(c, GSMERR_NOT_SUPPORTED); + return 0; +} + +static int +HandleOP(WrapExt) +{ + OM_uint32 maj_stat, min_stat; + int32_t hContext, flags, bflags; + krb5_data token, header, trailer; + gss_ctx_id_t ctx; + unsigned char *p; + int conf_state, iov_len; + gss_iov_buffer_desc iov[6]; + + ret32(c, hContext); + ret32(c, flags); + ret32(c, bflags); + retdata(c, header); + retdata(c, token); + retdata(c, trailer); + + ctx = find_handle(c->handles, hContext, handle_context); + if (ctx == NULL) + errx(1, "wrap: reference to unknown context"); + + memset(&iov, 0, sizeof(iov)); + + iov_len = sizeof(iov)/sizeof(iov[0]); + + if (bflags & WRAP_EXP_ONLY_HEADER) + iov_len -= 2; /* skip trailer and padding, aka dce-style */ + + iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | 
GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; + if (header.length != 0) { + iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[1].buffer.length = header.length; + iov[1].buffer.value = header.data; + } else { + iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY; + } + iov[2].type = GSS_IOV_BUFFER_TYPE_DATA; + iov[2].buffer.length = token.length; + iov[2].buffer.value = token.data; + if (trailer.length != 0) { + iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[3].buffer.length = trailer.length; + iov[3].buffer.value = trailer.data; + } else { + iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY; + } + iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; + iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; + + maj_stat = gss_wrap_iov_length(&min_stat, ctx, flags, 0, &conf_state, + iov, iov_len); + if (maj_stat != GSS_S_COMPLETE) + errx(1, "gss_wrap_iov_length failed"); + + maj_stat = gss_wrap_iov(&min_stat, ctx, flags, 0, &conf_state, + iov, iov_len); + if (maj_stat != GSS_S_COMPLETE) + errx(1, "gss_wrap_iov failed"); + + krb5_data_free(&token); + + token.length = iov[0].buffer.length + iov[2].buffer.length + iov[4].buffer.length + iov[5].buffer.length; + token.data = malloc(token.length); + + p = token.data; + memcpy(p, iov[0].buffer.value, iov[0].buffer.length); + p += iov[0].buffer.length; + memcpy(p, iov[2].buffer.value, iov[2].buffer.length); + p += iov[2].buffer.length; + memcpy(p, iov[4].buffer.value, iov[4].buffer.length); + p += iov[4].buffer.length; + memcpy(p, iov[5].buffer.value, iov[5].buffer.length); +#if 0 /* Would be needed to keep going, but presently unused */ + p += iov[5].buffer.length; +#endif + + gss_release_iov_buffer(NULL, iov, iov_len); + + put32(c, 0); /* XXX fix gsm_error */ + putdata(c, token); + + free(token.data); + + return 0; +} + + +static int +HandleOP(UnwrapExt) +{ + OM_uint32 maj_stat, min_stat; + int32_t hContext, flags, bflags; + krb5_data token, header, trailer; + gss_ctx_id_t ctx; + gss_iov_buffer_desc 
iov[3]; + int conf_state, iov_len; + gss_qop_t qop_state; + + ret32(c, hContext); + ret32(c, flags); + ret32(c, bflags); + retdata(c, header); + retdata(c, token); + retdata(c, trailer); + + iov_len = sizeof(iov)/sizeof(iov[0]); + + if (bflags & WRAP_EXP_ONLY_HEADER) + iov_len -= 1; /* skip trailer and padding, aka dce-style */ + + ctx = find_handle(c->handles, hContext, handle_context); + if (ctx == NULL) + errx(1, "unwrap: reference to unknown context"); + + if (header.length != 0) { + iov[0].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[0].buffer.length = header.length; + iov[0].buffer.value = header.data; + } else { + iov[0].type = GSS_IOV_BUFFER_TYPE_EMPTY; + } + iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; + iov[1].buffer.length = token.length; + iov[1].buffer.value = token.data; + + if (trailer.length != 0) { + iov[2].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; + iov[2].buffer.length = trailer.length; + iov[2].buffer.value = trailer.data; + } else { + iov[2].type = GSS_IOV_BUFFER_TYPE_EMPTY; + } + + maj_stat = gss_unwrap_iov(&min_stat, ctx, &conf_state, &qop_state, + iov, iov_len); + + if (maj_stat != GSS_S_COMPLETE) + errx(1, "gss_unwrap failed: %d/%d", maj_stat, min_stat); + + if (maj_stat == GSS_S_COMPLETE) { + token.data = iov[1].buffer.value; + token.length = iov[1].buffer.length; + } else { + token.data = NULL; + token.length = 0; + } + put32(c, 0); /* XXX fix gsm_error */ + putdata(c, token); + + return 0; +} + +/* + * + */ + +struct handler { + enum gssMaggotOp op; + const char *name; + int (*func)(enum gssMaggotOp, struct client *); +}; + +#define S(a) { e##a, #a, handle##a } + +struct handler handlers[] = { + S(GetVersionInfo), + S(GoodBye), + S(InitContext), + S(AcceptContext), + S(ToastResource), + S(AcquireCreds), + S(Encrypt), + S(Decrypt), + S(Sign), + S(Verify), + S(GetVersionAndCapabilities), + S(GetTargetName), + S(SetLoggingSocket), + S(ChangePassword), + S(SetPasswordSelf), + S(Wrap), + S(Unwrap), + S(ConnectLoggingService2), + S(GetMoniker), + 
S(CallExtension), + S(AcquirePKInitCreds), + S(WrapExt), + S(UnwrapExt), +}; + +#undef S + +/* + * + */ + +static struct handler * +find_op(int32_t op) +{ + int i; + + for (i = 0; i < sizeof(handlers)/sizeof(handlers[0]); i++) + if (handlers[i].op == op) + return &handlers[i]; + return NULL; +} + +static struct client * +create_client(krb5_socket_t sock, int port, const char *moniker) +{ + struct client *c; + int ret; + + c = ecalloc(1, sizeof(*c)); + + if (moniker) { + c->moniker = estrdup(moniker); + } else { + char hostname[MAXHOSTNAMELEN]; + gethostname(hostname, sizeof(hostname)); + ret = asprintf(&c->moniker, "gssmask: %s:%d", hostname, port); + if (ret == -1) + c->moniker = NULL; + } + + if (!c->moniker) + errx(1, "out of memory"); + + { + c->salen = sizeof(c->sa); + getpeername(sock, (struct sockaddr *)&c->sa, &c->salen); + + getnameinfo((struct sockaddr *)&c->sa, c->salen, + c->servername, sizeof(c->servername), + NULL, 0, NI_NUMERICHOST); + } + + c->sock = krb5_storage_from_socket(sock); + if (c->sock == NULL) + errx(1, "krb5_storage_from_socket"); + + rk_closesocket(sock); + + return c; +} + +static void +free_client(struct client *c) +{ + while(c->handles) + del_handle(&c->handles, c->handles->idx); + + free(c->moniker); + krb5_storage_free(c->sock); + if (c->logging) + krb5_storage_free(c->logging); + free(c); +} + + +static void * +handleServer(void *ptr) +{ + struct handler *handler; + struct client *c; + int32_t op; + + c = (struct client *)ptr; + + + while(1) { + ret32(c, op); + + handler = find_op(op); + if (handler == NULL) { + logmessage(c, __FILE__, __LINE__, 0, + "op %d not supported", (int)op); + exit(1); + } + + logmessage(c, __FILE__, __LINE__, 0, + "---> Got op %s from server %s", + handler->name, c->servername); + + if ((handler->func)(handler->op, c)) + break; + } + + return NULL; +} + + +static char *port_str; +static int version_flag; +static int help_flag; +static char *logfile_str; +static char *moniker_str; + +static int port = 
4711; + +struct getargs args[] = { + { "spn", 0, arg_string, &targetname, "This host's SPN", + "service/host@REALM" }, + { "port", 'p', arg_string, &port_str, "Use this port", + "number-of-service" }, + { "logfile", 0, arg_string, &logfile_str, "logfile", + "number-of-service" }, + { "moniker", 0, arg_string, &moniker_str, "nickname", + "name" }, + { "version", 0, arg_flag, &version_flag, "Print version", + NULL }, + { "help", 0, arg_flag, &help_flag, NULL, + NULL } +}; + +static void +usage(int ret) +{ + arg_printusage (args, + sizeof(args) / sizeof(args[0]), + NULL, + ""); + exit (ret); +} + +int +main(int argc, char **argv) +{ + int optidx = 0; + krb5_error_code ret; + + setprogname (argv[0]); + + if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage (1); + + if (help_flag) + usage (0); + + if (version_flag) { + print_version (NULL); + return 0; + } + + if (optidx != argc) + usage (1); + + if (port_str) { + char *ptr; + + port = strtol (port_str, &ptr, 10); + if (port == 0 && ptr == port_str) + errx (1, "Bad port `%s'", port_str); + } + + ret = krb5_init_context(&context); + if (ret) + errx(1, "Error initializing kerberos: %d", ret); + + { + const char *lf = logfile_str; + if (lf == NULL) + lf = "/dev/tty"; + + logfile = fopen(lf, "w"); + if (logfile == NULL) + err(1, "error opening %s", lf); + } + + mini_inetd(htons(port), NULL); + fprintf(logfile, "connected\n"); + + { + struct client *c; + + c = create_client(0, port, moniker_str); + /* close(0); */ + + handleServer(c); + + free_client(c); + } + + krb5_free_context(context); + + return 0; +} diff --git a/third_party/heimdal/appl/gssmask/protocol.h b/third_party/heimdal/appl/gssmask/protocol.h new file mode 100644 index 0000000..1e1f141 --- /dev/null +++ b/third_party/heimdal/appl/gssmask/protocol.h 
@@ -0,0 +1,317 @@ +/* + * Copyright (c) 2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * $Id$ + */ + +/* missing from tests: + * - export context + * - import context + */ + +/* + * wire encodings: + * int16: number, 2 bytes, in network order + * int32: number, 4 bytes, in network order + * length-encoded: [int32 length, data of length bytes] + * string: [int32 length, string of length + 1 bytes, includes trailing '\0' ] + */ + +enum gssMaggotErrorCodes { + GSMERR_OK = 0, + GSMERR_ERROR, + GSMERR_CONTINUE_NEEDED, + GSMERR_INVALID_TOKEN, + GSMERR_AP_MODIFIED, + GSMERR_TEST_ISSUE, + GSMERR_NOT_SUPPORTED +}; + +/* + * input: + * int32: message OP (enum gssMaggotProtocol) + * ... + * + * return: -- on error + * int32: not support (GSMERR_NOT_SUPPORTED) + * + * return: -- on existing message OP + * int32: support (GSMERR_OK) -- only sent for extensions + * ... + */ + +#define GSSMAGGOTPROTOCOL 14 + +enum gssMaggotOp { + eGetVersionInfo = 0, + /* + * input: + * none + * return: + * int32: last version handled + */ + eGoodBye, + /* + * input: + * none + * return: + * close socket + */ + eInitContext, + /* + * input: + * int32: hContext + * int32: hCred + * int32: Flags + * the lowest 0x7f flags maps directly to GSS-API flags + * DELEGATE 0x001 + * MUTUAL_AUTH 0x002 + * REPLAY_DETECT 0x004 + * SEQUENCE_DETECT 0x008 + * CONFIDENTIALITY 0x010 + * INTEGRITY 0x020 + * ANONYMOUS 0x040 + * + * FIRST_CALL 0x080 + * + * NTLM 0x100 + * SPNEGO 0x200 + * length-encoded: targetname + * length-encoded: token + * return: + * int32: hNewContextId + * int32: gssapi status val + * length-encoded: output token + */ + eAcceptContext, + /* + * input: + * int32: hContext + * int32: Flags -- unused ? 
+ * flags are same as flags for eInitContext + * length-encoded: token + * return: + * int32: hNewContextId + * int32: gssapi status val + * length-encoded: output token + * int32: delegation cred id + */ + eToastResource, + /* + * input: + * int32: hResource + * return: + * int32: gsm status val + */ + eAcquireCreds, + /* + * input: + * string: principal name + * string: password + * int32: flags + * FORWARDABLE 0x001 + * DEFAULT_CREDS 0x002 + * + * NTLM 0x100 + * SPNEGO 0x200 + * return: + * int32: gsm status val + * int32: hCred + */ + eEncrypt, + /* + * input: + * int32: hContext + * int32: flags + * int32: seqno -- unused + * length-encode: plaintext + * return: + * int32: gsm status val + * length-encode: ciphertext + */ + eDecrypt, + /* + * input: + * int32: hContext + * int32: flags + * int32: seqno -- unused + * length-encode: ciphertext + * return: + * int32: gsm status val + * length-encode: plaintext + */ + eSign, + /* message same as eEncrypt */ + eVerify, + /* + * input: + * int32: hContext + * int32: flags + * int32: seqno -- unused + * length-encode: message + * length-encode: signature + * return: + * int32: gsm status val + */ + eGetVersionAndCapabilities, + /* + * return: + * int32: protocol version + * int32: capability flags */ +#define ISSERVER 0x01 +#define ISKDC 0x02 +#define MS_KERBEROS 0x04 +#define LOGSERVER 0x08 +#define HAS_MONIKER 0x10 + /* string: version string + */ + eGetTargetName, + /* + * return: + * string: target principal name + */ + eSetLoggingSocket, + /* + * input: + * int32: hostPort + * return to the port on the host: + * int32: opcode - for example eLogSetMoniker + */ + eChangePassword, + /* here ended version 7 of the protocol */ + /* + * input: + * string: principal name + * string: old password + * string: new password + * return: + * int32: gsm status val + */ + eSetPasswordSelf, + /* same as eChangePassword */ + eWrap, + /* message same as eEncrypt */ + eUnwrap, + /* message same as eDecrypt */ + 
eConnectLoggingService2, + /* + * return1: + * int16: log port number + * int32: master log prototocol version (0) + * + * wait for master to connect on the master log socket + * + * return2: + * int32: gsm connection status + * int32: maggot log prototocol version (2) + */ + eGetMoniker, + /* + * return: + * string: moniker (Nickname the master can refer to maggot) + */ + eCallExtension, + /* + * input: + * string: extension name + * int32: message id + * return: + * int32: gsm status val + */ + eAcquirePKInitCreds, + /* + * input: + * int32: flags + * length-encode: certificate (pkcs12 data) + * return: + * int32: hResource + * int32: gsm status val (GSMERR_NOT_SUPPORTED) + */ + /* here ended version 7 of the protocol */ + eWrapExt, + /* + * input: + * int32: hContext + * int32: flags + * int32: bflags + * length-encode: protocol header + * length-encode: plaintext + * length-encode: protocol trailer + * return: + * int32: gsm status val + * length-encode: ciphertext + */ + eUnwrapExt, + /* + * input: + * int32: hContext + * int32: flags + * int32: bflags + * length-encode: protocol header + * length-encode: ciphertext + * length-encode: protocol trailer + * return: + * int32: gsm status val + * length-encode: plaintext + */ + /* here ended version 8 of the protocol */ + + eLastProtocolMessage +}; + +/* bflags */ +#define WRAP_EXP_ONLY_HEADER 1 + +enum gssMaggotLogOp{ + eLogInfo = 0, + /* + string: File + int32: Line + string: message + reply: + int32: ackid + */ + eLogFailure, + /* + string: File + int32: Line + string: message + reply: + int32: ackid + */ + eLogSetMoniker + /* + string: moniker + */ +}; diff --git a/third_party/heimdal/appl/kf/Makefile.am b/third_party/heimdal/appl/kf/Makefile.am new file mode 100644 index 0000000..0b38057 --- /dev/null +++ b/third_party/heimdal/appl/kf/Makefile.am 
@@ -0,0 +1,20 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +bin_PROGRAMS = kf + +libexec_PROGRAMS = kfd + +man_MANS = kf.1 kfd.8 + +kf_SOURCES = kf.c kf_locl.h + +kfd_SOURCES = kfd.c kf_locl.h + +LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ + $(LIB_hcrypto) \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(LIB_roken) + +EXTRA_DIST = NTMakefile $(man_MANS) diff --git a/third_party/heimdal/appl/kf/NTMakefile b/third_party/heimdal/appl/kf/NTMakefile new file mode 100644 index 0000000..6ade4ab --- /dev/null +++ b/third_party/heimdal/appl/kf/NTMakefile 
@@ -0,0 +1,35 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +RELDIR=appl\kf + +!include ../../windows/NTMakefile.w32 + diff --git a/third_party/heimdal/appl/kf/kf.1 b/third_party/heimdal/appl/kf/kf.1 new file mode 100644 index 0000000..290e6bb --- /dev/null +++ b/third_party/heimdal/appl/kf/kf.1 
@@ -0,0 +1,112 @@ +.\" Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd July 2, 2000 +.Dt KF 1 +.Os +.Sh NAME +.Nm kf +.Nd securely forward tickets +.Sh SYNOPSIS +.Nm +.Oo +.Fl p Ar port | +.Fl Fl port Ns = Ns Ar port +.Oc +.Oo +.Fl l Ar login | +.Fl Fl login Ns = Ns Ar login +.Oc +.Oo +.Fl c Ar ccache | +.Fl Fl ccache Ns = Ns Ar ccache +.Oc +.Op Fl F | -forwardable +.Op Fl G | -no-forwardable +.Op Fl h | -help +.Op Fl Fl version +.Ar host ... +.Sh DESCRIPTION +The +.Nm +program forwards tickets to a remote host through an authenticated +and encrypted stream. +Options supported are: +.Bl -tag -width indent +.It Xo +.Fl p Ar port , +.Fl Fl port Ns = Ns Ar port +.Xc +port to connect to +.It Xo +.Fl l Ar login , +.Fl Fl login Ns = Ns Ar login +.Xc +remote login name +.It Xo +.Fl c Ar ccache , +.Fl Fl ccache Ns = Ns Ar ccache +.Xc +remote cred cache +.It Fl F , -forwardable +forward forwardable credentials +.It Fl G , -no-forwardable +do not forward forwardable credentials +.It Fl h , -help +.It Fl Fl version +.El +.Pp +.Nm +is useful when you do not want to enter your password on a remote host +but want to have your tickets one for example AFS. +.Pp +In order for +.Nm +to work you will need to acquire your initial ticket with forwardable +flag, i.e. +.Nm kinit Fl Fl forwardable . +.Pp +.Nm telnet +is able to forward tickets by itself. +.\".Sh ENVIRONMENT +.\".Sh FILES +.\".Sh EXAMPLES +.\".Sh DIAGNOSTICS +.Sh SEE ALSO +.Xr kinit 1 , +.Xr telnet 1 , +.Xr kfd 8 +.\".Sh STANDARDS +.\".Sh HISTORY +.\".Sh AUTHORS +.\".Sh BUGS diff --git a/third_party/heimdal/appl/kf/kf.c b/third_party/heimdal/appl/kf/kf.c new file mode 100644 index 0000000..fd4f174 --- /dev/null +++ b/third_party/heimdal/appl/kf/kf.c 
@@ -0,0 +1,349 @@ +/* + * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "kf_locl.h" +RCSID("$Id$"); + +krb5_context context; +static int help_flag; +static int version_flag; +static char *port_str; +const char *service = KF_SERVICE; +const char *remote_name = NULL; +int forwardable = 0; +const char *ccache_name = NULL; + +static struct getargs args[] = { + { "port", 'p', arg_string, &port_str, "port to connect to", "port" }, + { "login", 'l',arg_string, &remote_name,"remote login name","login"}, + { "ccache", 'c',arg_string, &ccache_name, "remote cred cache","ccache"}, + { "forwardable",'F',arg_flag,&forwardable, + "Forward forwardable credentials", NULL }, + { "forwardable",'G',arg_negative_flag,&forwardable, + "Don't forward forwardable credentials", NULL }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL } +}; + +static int num_args = sizeof(args) / sizeof(args[0]); + +static void +usage(int code, struct getargs *inargs, int num_inargs) +{ + arg_printusage(inargs, num_inargs, NULL, "hosts"); + exit(code); +} + +static int +client_setup(krb5_context *ctx, int *argc, char **argv) +{ + int optidx = 0; + int port = 0; + int status; + + setprogname (argv[0]); + + status = krb5_init_context (ctx); + if (status) + errx(1, "krb5_init_context failed: %d", status); + + forwardable = krb5_config_get_bool (*ctx, NULL, + "libdefaults", + "forwardable", + NULL); + + if (getarg (args, num_args, *argc, argv, &optidx)) + usage(1, args, num_args); + + if(help_flag) + usage (0, args, num_args); + if(version_flag) { + print_version(NULL); + exit(0); + } + + if(port_str) { + struct servent *s = roken_getservbyname(port_str, "tcp"); + if(s) + port = s->s_port; + else { + char *ptr; + + port = strtol (port_str, &ptr, 10); + if (port == 0 && ptr == port_str) + errx (1, "Bad port `%s'", port_str); + port = htons(port); + } + } + + if (port == 0) + port = krb5_getportbyname (*ctx, KF_PORT_NAME, "tcp", KF_PORT_NUM); + + if(*argc - optidx < 1) + usage(1, args, num_args); + *argc = 
optidx; + + return port; +} + +/* + * forward creds to `hostname'/`service' over `sock' + * return 0 iff OK + */ + +static int +proto (int sock, const char *hostname, const char *svc, + char *message, size_t len) +{ + krb5_auth_context auth_context; + krb5_error_code status; + krb5_principal server; + krb5_data data; + krb5_data data_send; + + krb5_ccache ccache; + krb5_creds creds; + krb5_kdc_flags flags; + krb5_principal principal; + + status = krb5_auth_con_init (context, &auth_context); + if (status) { + krb5_warn (context, status, "krb5_auth_con_init"); + return 1; + } + + status = krb5_auth_con_setaddrs_from_fd (context, + auth_context, + &sock); + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn (context, status, "krb5_auth_con_setaddr"); + return 1; + } + + status = krb5_sname_to_principal (context, + hostname, + svc, + KRB5_NT_SRV_HST, + &server); + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn (context, status, "krb5_sname_to_principal"); + return 1; + } + + status = krb5_sendauth (context, + &auth_context, + &sock, + KF_VERSION_1, + NULL, + server, + AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL); + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn(context, status, "krb5_sendauth"); + return 1; + } + + if (ccache_name == NULL) + ccache_name = ""; + + data_send.data = (void *)remote_name; + data_send.length = strlen(remote_name) + 1; + status = krb5_write_priv_message(context, auth_context, &sock, &data_send); + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn (context, status, "krb5_write_message"); + return 1; + } + data_send.data = (void *)ccache_name; + data_send.length = strlen(ccache_name)+1; + status = krb5_write_priv_message(context, auth_context, &sock, &data_send); + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn (context, status, "krb5_write_message"); + return 1; + } + + memset 
(&creds, 0, sizeof(creds)); + + status = krb5_cc_default (context, &ccache); + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn (context, status, "krb5_cc_default"); + return 1; + } + + status = krb5_cc_get_principal (context, ccache, &principal); + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn (context, status, "krb5_cc_get_principal"); + return 1; + } + + creds.client = principal; + + status = krb5_make_principal (context, + &creds.server, + principal->realm, + KRB5_TGS_NAME, + principal->realm, + NULL); + + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn (context, status, "krb5_make_principal"); + return 1; + } + + creds.times.endtime = 0; + + flags.i = 0; + flags.b.forwarded = 1; + flags.b.forwardable = forwardable; + + status = krb5_get_forwarded_creds (context, + auth_context, + ccache, + flags.i, + hostname, + &creds, + &data); + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn (context, status, "krb5_get_forwarded_creds"); + return 1; + } + + status = krb5_write_priv_message(context, auth_context, &sock, &data); + + if (status) { + krb5_auth_con_free(context, auth_context); + krb5_warn (context, status, "krb5_mk_priv"); + return 1; + } + + krb5_data_free (&data); + + status = krb5_read_priv_message(context, auth_context, &sock, &data); + krb5_auth_con_free(context, auth_context); + if (status) { + krb5_warn (context, status, "krb5_mk_priv"); + return 1; + } + if(data.length >= len) { + krb5_warnx (context, "returned string is too long, truncating"); + memcpy(message, data.data, len); + message[len - 1] = '\0'; + } else { + memcpy(message, data.data, data.length); + message[data.length] = '\0'; + } + krb5_data_free (&data); + + return strcmp(message, "ok") != 0; +} + +static int +doit (const char *hostname, int port, const char *svc, + char *message, size_t len) +{ + struct addrinfo *ai, *a; + struct addrinfo hints; + int error; + char portstr[NI_MAXSERV]; + + memset 
(&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + + snprintf (portstr, sizeof(portstr), "%u", ntohs(port)); + + error = getaddrinfo (hostname, portstr, &hints, &ai); + if (error) { + errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error)); + } + + for (a = ai; a != NULL; a = a->ai_next) { + int s; + + s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); + if (s < 0) + continue; + if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { + warn ("connect(%s)", hostname); + close (s); + continue; + } + freeaddrinfo (ai); + error = proto(s, hostname, svc, message, len); + close(s); + return error; + } + warnx ("failed to contact %s", hostname); + freeaddrinfo (ai); + return 1; +} + +int +main(int argc, char **argv) +{ + char userbuf[128]; + int argcc,port,i; + int ret=0; + + argcc = argc; + port = client_setup(&context, &argcc, argv); + + if (remote_name == NULL) { + remote_name = roken_get_username(userbuf, sizeof(userbuf)); + if (remote_name == NULL) + errx (1, "who are you?"); + } + + for (i = argcc;i < argc; i++) { + char message[128]; + ret = doit (argv[i], port, service, message, sizeof(message)); + if(ret == 0) + warnx ("%s: ok", argv[i]); + else + warnx ("%s: failed: %s", argv[i], message); + } + return(ret); +} diff --git a/third_party/heimdal/appl/kf/kf_locl.h b/third_party/heimdal/appl/kf/kf_locl.h new file mode 100644 index 0000000..3ddee48 --- /dev/null +++ b/third_party/heimdal/appl/kf/kf_locl.h 
@@ -0,0 +1,81 @@ +/* + * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +/* $Id$ */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_NETINET_IN6_H +#include +#endif +#ifdef HAVE_NETINET6_IN6_H +#include +#endif + +#ifdef HAVE_PWD_H +#include +#endif +#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_SYS_PARAM_H +#include +#endif +#include +#include +#include +#include +#include + +#define KF_SERVICE "host" + +#define KF_PORT_NAME "kf" +#define KF_PORT_NUM 2110 +#define KF_VERSION_1 "KFWDV0.1" diff --git a/third_party/heimdal/appl/kf/kfd.8 b/third_party/heimdal/appl/kf/kfd.8 new file mode 100644 index 0000000..4b8b822 --- /dev/null +++ b/third_party/heimdal/appl/kf/kfd.8 
@@ -0,0 +1,85 @@ +.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd July 2, 2000 +.Dt KFD 8 +.Os +.Sh NAME +.Nm kfd +.Nd receive forwarded tickets +.Sh SYNOPSIS +.Nm +.Oo +.Fl p Ar port | +.Fl Fl port Ns = Ns Ar port +.Oc +.Op Fl i | -inetd +.Oo +.Fl R Ar regpag | +.Fl Fl regpag Ns = Ns Ar regpag +.Oc +.Op Fl h | -help +.Op Fl Fl version +.Sh DESCRIPTION +This is the daemon for +.Xr kf 1 . +Supported options: +.Bl -tag -width indent +.It Xo +.Fl p Ar port , +.Fl Fl port Ns = Ns Ar port +.Xc +port to listen to +.It Fl i , -inetd +not started from inetd +.It Xo +.Fl R Ar regpag , +.Fl Fl regpag= Ns Ar regpag +.Xc +path to regpag binary +.El +.\".Sh ENVIRONMENT +.\".Sh FILES +.Sh EXAMPLES +Put the following in +.Pa /etc/inetd.conf : +.Bd -literal +kf stream tcp nowait root /usr/heimdal/libexec/kfd kfd +.Ed +.\".Sh DIAGNOSTICS +.Sh SEE ALSO +.Xr kf 1 +.\".Sh STANDARDS +.\".Sh HISTORY +.\".Sh AUTHORS +.\".Sh BUGS diff --git a/third_party/heimdal/appl/kf/kfd.c b/third_party/heimdal/appl/kf/kfd.c new file mode 100644 index 0000000..9099bab --- /dev/null +++ b/third_party/heimdal/appl/kf/kfd.c 
@@ -0,0 +1,311 @@ +/* + * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "kf_locl.h" +RCSID("$Id$"); + +krb5_context context; +char krb5_tkfile[MAXPATHLEN]; + +static int help_flag; +static int version_flag; +static char *port_str; +char *service = KF_SERVICE; +int do_inetd = 0; +static char *regpag_str=NULL; + +static struct getargs args[] = { + { "port", 'p', arg_string, &port_str, "port to listen to", "port" }, + { "inetd",'i',arg_flag, &do_inetd, + "Not started from inetd", NULL }, + { "regpag",'R',arg_string,®pag_str,"path to regpag binary","regpag"}, + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL } +}; + +static int num_args = sizeof(args) / sizeof(args[0]); + +static void +usage(int code, struct getargs *inargs, int num_inargs) +{ + arg_printusage(inargs, num_inargs, NULL, ""); + exit(code); +} + +static int +server_setup(krb5_context *ctx, int argc, char **argv) +{ + int port = 0; + int local_argc; + + local_argc = krb5_program_setup(ctx, argc, argv, args, num_args, usage); + + if(help_flag) + (*usage)(0, args, num_args); + if(version_flag) { + print_version(NULL); + exit(0); + } + + if(port_str){ + struct servent *s = roken_getservbyname(port_str, "tcp"); + if(s) + port = s->s_port; + else { + char *ptr; + + port = strtol (port_str, &ptr, 10); + if (port == 0 && ptr == port_str) + errx (1, "Bad port `%s'", port_str); + port = htons(port); + } + } + + if (port == 0) + port = krb5_getportbyname (*ctx, KF_PORT_NAME, "tcp", KF_PORT_NUM); + + if(argv[local_argc] != NULL) + usage(1, args, num_args); + + return port; +} + +static int protocol_version; + +static krb5_boolean +kfd_match_version(const void *arg, const char *version) +{ + if(strcmp(version, KF_VERSION_1) == 0) { + protocol_version = 1; + return TRUE; + } else if (strlen(version) == 4 && + version[0] == '0' && + version[1] == '.' 
&& + (version[2] == '4' || version[2] == '3') && + islower((unsigned char)version[3])) { + protocol_version = 0; + return TRUE; + } + return FALSE; +} + +static int +proto (int sock, const char *svc) +{ + krb5_auth_context auth_context; + krb5_error_code status; + krb5_principal server; + krb5_ticket *ticket; + char *name; + char ret_string[10]; + char hostname[MAXHOSTNAMELEN]; + krb5_data data; + krb5_data remotename; + krb5_data tk_file; + krb5_ccache ccache; + char ccname[MAXPATHLEN]; + struct passwd *pwd; + + status = krb5_auth_con_init (context, &auth_context); + if (status) + krb5_err(context, 1, status, "krb5_auth_con_init"); + + status = krb5_auth_con_setaddrs_from_fd (context, + auth_context, + &sock); + if (status) + krb5_err(context, 1, status, "krb5_auth_con_setaddr"); + + if(gethostname (hostname, sizeof(hostname)) < 0) + krb5_err(context, 1, errno, "gethostname"); + + status = krb5_sname_to_principal (context, + hostname, + svc, + KRB5_NT_SRV_HST, + &server); + if (status) + krb5_err(context, 1, status, "krb5_sname_to_principal"); + + status = krb5_recvauth_match_version (context, + &auth_context, + &sock, + kfd_match_version, + NULL, + server, + 0, + NULL, + &ticket); + if (status) + krb5_err(context, 1, status, "krb5_recvauth"); + + status = krb5_unparse_name (context, + ticket->client, + &name); + if (status) + krb5_err(context, 1, status, "krb5_unparse_name"); + + if(protocol_version == 0) { + data.data = "old clnt"; /* XXX old clients only had room for + 10 bytes of message, and also + didn't show it to the user */ + data.length = strlen(data.data) + 1; + krb5_write_message(context, &sock, &data); + sleep(2); /* XXX give client time to finish */ + krb5_errx(context, 1, "old client; exiting"); + } + + status=krb5_read_priv_message (context, auth_context, + &sock, &remotename); + if (status) + krb5_err(context, 1, status, "krb5_read_message"); + status=krb5_read_priv_message (context, auth_context, + &sock, &tk_file); + if (status) + 
krb5_err(context, 1, status, "krb5_read_message"); + + krb5_data_zero (&data); + + if(((char*)remotename.data)[remotename.length-1] != '\0') + krb5_errx(context, 1, "unterminated received"); + if(((char*)tk_file.data)[tk_file.length-1] != '\0') + krb5_errx(context, 1, "unterminated received"); + + status = krb5_read_priv_message(context, auth_context, &sock, &data); + + if (status) { + krb5_err(context, 1, errno, "krb5_read_priv_message"); + goto out; + } + + pwd = getpwnam ((char *)(remotename.data)); + if (pwd == NULL) { + status=1; + krb5_warnx(context, "getpwnam: %s failed",(char *)(remotename.data)); + goto out; + } + + if(!krb5_kuserok (context, + ticket->client, + (char *)(remotename.data))) { + status=1; + krb5_warnx(context, "krb5_kuserok: permission denied"); + goto out; + } + + if (setgid(pwd->pw_gid) < 0) { + krb5_warn(context, errno, "setgid"); + goto out; + } + if (setuid(pwd->pw_uid) < 0) { + krb5_warn(context, errno, "setuid"); + goto out; + } + + if (tk_file.length != 1) + snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data)); + else + snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%lu", + (unsigned long)pwd->pw_uid); + + status = krb5_cc_resolve (context, ccname, &ccache); + if (status) { + krb5_warn(context, status, "krb5_cc_resolve"); + goto out; + } + status = krb5_cc_initialize (context, ccache, ticket->client); + if (status) { + krb5_warn(context, status, "krb5_cc_initialize"); + goto out; + } + status = krb5_rd_cred2 (context, auth_context, ccache, &data); + krb5_cc_close (context, ccache); + if (status) { + krb5_warn(context, status, "krb5_rd_cred"); + goto out; + + } + strlcpy(krb5_tkfile,ccname,sizeof(krb5_tkfile)); + krb5_warnx(context, "%s forwarded ticket to %s,%s", + name, + (char *)(remotename.data),ccname); + out: + if (status) { + strlcpy(ret_string, "no", sizeof(ret_string)); + krb5_warnx(context, "failed"); + } else { + strlcpy(ret_string, "ok", sizeof(ret_string)); + } + + krb5_data_free (&tk_file); + 
krb5_data_free (&remotename); + krb5_data_free (&data); + free(name); + + data.data = ret_string; + data.length = strlen(ret_string) + 1; + status = krb5_write_priv_message(context, auth_context, &sock, &data); + krb5_auth_con_free(context, auth_context); + + return status; +} + +static int +doit (int port, const char *svc) +{ + if (do_inetd) + mini_inetd(port, NULL); + return proto (STDIN_FILENO, svc); +} + +int +main(int argc, char **argv) +{ + int port; + int ret; + krb5_log_facility *fac; + + setprogname (argv[0]); + roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH); + port = server_setup(&context, argc, argv); + ret = krb5_openlog(context, "kfd", &fac); + if(ret) krb5_err(context, 1, ret, "krb5_openlog"); + ret = krb5_set_warn_dest(context, fac); + if(ret) krb5_err(context, 1, ret, "krb5_set_warn_dest"); + + ret = doit (port, service); + closelog(); + if (ret == 0 && regpag_str != NULL) + ret = execl(regpag_str, "regpag", "-t", krb5_tkfile, "-r", NULL); + return ret; +} diff --git a/third_party/heimdal/appl/otp/ChangeLog b/third_party/heimdal/appl/otp/ChangeLog new file mode 100644 index 0000000..76df17c --- /dev/null +++ b/third_party/heimdal/appl/otp/ChangeLog 
@@ -0,0 +1,58 @@ +2006-10-07 Love Hörnquist Åstrand + + * Makefile.am: Add man_MANS to EXTRA_DIST + +2005-05-29 Love Hörquist Åstrand + + * Makefile.am: add LIB_roken as a explit dependency + +2003-09-03 Love Hörquist Åstrand + + * otpprint.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * otp.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + +2003-02-25 Love Hörquist Åstrand + + * otp.c: remove \n from errx, from NetBSD + +2000-11-29 Johan Danielsson + + * otpprint.1: sort parameters and close a list + + * otp.1: sort parameters and close a list + +1999-09-14 Assar Westerlund + + * otp.c (verify_user_otp): check return value from + des_read_pw_string + +Thu Apr 1 16:51:07 1999 Johan Danielsson + + * otpprint.c: use getarg + + * otp.c: use getarg + +Thu Mar 18 12:08:58 1999 Johan Danielsson + + * Makefile.am: include Makefile.am.common + +Thu Mar 4 19:45:40 1999 Johan Danielsson + + * Makefile.am: DESTDIR + +Sat Feb 27 19:44:25 1999 Johan Danielsson + + * Makefile.am: add + +Sun Nov 22 10:32:50 1998 Assar Westerlund + + * otpprint.c: more braces + + * Makefile.in (WFLAGS): set + +Sun Dec 21 09:31:30 1997 Assar Westerlund + + * otp.c (renew): don't set the OTP if the reading of the string + fails. + diff --git a/third_party/heimdal/appl/otp/Makefile.am b/third_party/heimdal/appl/otp/Makefile.am new file mode 100644 index 0000000..d8e5d51 --- /dev/null +++ b/third_party/heimdal/appl/otp/Makefile.am @@ -0,0 +1,15 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +bin_PROGRAMS = otp otpprint +bin_SUIDS = otp +otp_SOURCES = otp.c otp_locl.h +otp_LDADD = $(LIB_hcrypto) $(LIB_roken) $(top_builddir)/lib/otp/libotp.la +otpprint_SOURCES = otpprint.c otp_locl.h + +otpprint_LDADD = $(LIB_hcrypto) $(LIB_roken) $(top_builddir)/lib/otp/libotp.la + +man_MANS = otp.1 otpprint.1 + +EXTRA_DIST = NTMakefile $(man_MANS) diff --git a/third_party/heimdal/appl/otp/NTMakefile b/third_party/heimdal/appl/otp/NTMakefile new file mode 100644 index 0000000..6256309 --- /dev/null 
+++ b/third_party/heimdal/appl/otp/NTMakefile @@ -0,0 +1,35 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +RELDIR=appl\otp + +!include ../../windows/NTMakefile.w32 + diff --git a/third_party/heimdal/appl/otp/otp.1 b/third_party/heimdal/appl/otp/otp.1 new file mode 100644 index 0000000..8676948 --- /dev/null +++ b/third_party/heimdal/appl/otp/otp.1 
@@ -0,0 +1,90 @@ +.\" Copyright (c) 1996, 2000 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd November 17, 1996 +.Dt OTP 1 +.Os KTH-KRB +.Sh NAME +.Nm otp +.Nd manages one-time passwords +.Sh SYNOPSIS +.Nm otp +.Op Fl dhlor +.Op Fl f Ar algorithm +.Op Fl u Ar user +.Ar sequence-number +.Ar seed +.Sh DESCRIPTION +The +.Nm +program initializes and updates your current series of one-time +passwords (OTPs). +.Pp +Use this to set a new series of one-time passwords. Only perform this +on the console or over an encrypted link as you will have to supply +your pass-phrase. The other two parameters are +.Ar sequence-number +and +.Ar seed . +.Pp +Options are: +.Bl -tag -width Ds +.It Fl d +To delete a one-time password. +.It Fl f +Choose a different +.Ar algorithm +from the default md5. Pick any of: md4, md5, and sha. +.It Fl h +For getting a help message. +.It Fl l +List the current table of one-time passwords. +.It Fl o +To open (unlock) the otp-entry for a user. +.It Fl r +To renew a one-time password series. This operation can be performed +over an potentially eavesdropped link because you do not supply the +pass-phrase. First you need to supply the current one-time password +and then the new one corresponding to the supplied +.Ar sequence-number +and +.Ar seed . +.It Fl u +To choose a different +.Ar user +to set one-time passwords for. This only works when running +.Nm +as root. +.El +.Sh SEE ALSO +.Xr otpprint 1 diff --git a/third_party/heimdal/appl/otp/otp.c b/third_party/heimdal/appl/otp/otp.c new file mode 100644 index 0000000..deb7d30 --- /dev/null +++ b/third_party/heimdal/appl/otp/otp.c 
@@ -0,0 +1,371 @@ +/* + * Copyright (c) 1995-1997, 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "otp_locl.h" +#include + +RCSID("$Id$"); + +static int listp; +static int deletep; +static int openp; +static int renewp; +static char* alg_string; +static char *user; +static int version_flag; +static int help_flag; + +struct getargs args[] = { + { "list", 'l', arg_flag, &listp, "list OTP status", NULL }, + { "delete", 'd', arg_flag, &deletep, "delete OTP", NULL }, + { "open", 'o', arg_flag, &openp, "open a locked OTP", NULL }, + { "renew", 'r', arg_flag, &renewp, "securely renew OTP", NULL }, + { "hash", 'f', arg_string, &alg_string, + "hash algorithm (md4, md5, or sha)", "algorithm"}, + { "user", 'u', arg_string, &user, + "user other than current user (root only)", "user" }, + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL } +}; + +int num_args = sizeof(args) / sizeof(args[0]); + +static void +usage(int code) +{ + arg_printusage(args, num_args, NULL, "[num seed]"); + exit(code); +} + +/* + * Renew the OTP for a user. + * The pass-phrase is not required (RFC 1938/8.0) + */ + +static int +renew (int argc, char **argv, OtpAlgorithm *alg, char *inuser) +{ + OtpContext newctx, *ctx; + char prompt[128]; + char pw[64]; + void *dbm; + int ret; + + newctx.alg = alg; + newctx.user = inuser; + newctx.n = atoi (argv[0]); + strlcpy (newctx.seed, argv[1], sizeof(newctx.seed)); + strlwr(newctx.seed); + snprintf (prompt, sizeof(prompt), + "[ otp-%s %u %s ]", + newctx.alg->name, + newctx.n, + newctx.seed); + if (UI_UTIL_read_pw_string (pw, sizeof(pw), prompt, 0) == 0 && + otp_parse (newctx.key, pw, alg) == 0) { + ctx = &newctx; + ret = 0; + } else + return 1; + + dbm = otp_db_open (); + if (dbm == NULL) { + warnx ("otp_db_open failed"); + return 1; + } + otp_put (dbm, ctx); + otp_db_close (dbm); + return ret; +} + +/* + * Return 0 if the user could enter the next OTP. + * I would rather have returned !=0 but it's shell-like here around. 
+ */ + +static int +verify_user_otp(char *username) +{ + OtpContext ctx; + char passwd[OTP_MAX_PASSPHRASE + 1]; + char ss[256]; + char *prompt = NULL; + + if (otp_challenge (&ctx, username, ss, sizeof(ss)) != 0) { + warnx("no otp challenge found for %s", username); + return 1; + } + + if (asprintf(&prompt, "%s's %s Password: ", username, ss) == -1 || + prompt == NULL) + err(1, "out of memory"); + if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)) { + free(prompt); + return 1; + } + free(prompt); + return otp_verify_user (&ctx, passwd); +} + +/* + * Set the OTP for a user + */ + +static int +set (int argc, char **argv, OtpAlgorithm *alg, char *inuser) +{ + void *db; + OtpContext ctx; + char pw[OTP_MAX_PASSPHRASE + 1]; + int ret; + int i; + + ctx.alg = alg; + ctx.user = strdup (inuser); + if (ctx.user == NULL) + err (1, "out of memory"); + + ctx.n = atoi (argv[0]); + strlcpy (ctx.seed, argv[1], sizeof(ctx.seed)); + strlwr(ctx.seed); + do { + if (UI_UTIL_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", + UI_UTIL_FLAG_VERIFY)) + return 1; + if (strlen (pw) < OTP_MIN_PASSPHRASE) + printf ("Too short pass-phrase. 
Use at least %d characters\n", + OTP_MIN_PASSPHRASE); + } while(strlen(pw) < OTP_MIN_PASSPHRASE); + ctx.alg->init (ctx.key, pw, ctx.seed); + for (i = 0; i < ctx.n; ++i) + ctx.alg->next (ctx.key); + db = otp_db_open (); + if(db == NULL) { + free (ctx.user); + err (1, "otp_db_open failed"); + } + ret = otp_put (db, &ctx); + otp_db_close (db); + free (ctx.user); + return ret; +} + +/* + * Delete otp of user from the database + */ + +static int +delete_otp (int argc, char **argv, char *inuser) +{ + void *db; + OtpContext ctx; + int ret; + + db = otp_db_open (); + if(db == NULL) + errx (1, "otp_db_open failed"); + + ctx.user = inuser; + ret = otp_delete(db, &ctx); + otp_db_close (db); + return ret; +} + +/* + * Tell whether the user has an otp + */ + +static int +has_an_otp(char *inuser) +{ + void *db; + OtpContext ctx; + int ret; + + db = otp_db_open (); + if(db == NULL) { + warnx ("otp_db_open failed"); + return 0; /* if no db no otp! */ + } + + ctx.user = inuser; + ret = otp_simple_get(db, &ctx); + + otp_db_close (db); + return !ret; +} + +/* + * Get and print out the otp entry for some user + */ + +static void +print_otp_entry_for_name (void *db, char *inuser) +{ + OtpContext ctx; + + ctx.user = inuser; + if (!otp_simple_get(db, &ctx)) { + fprintf(stdout, + "%s\totp-%s %d %s", + ctx.user, ctx.alg->name, ctx.n, ctx.seed); + if (ctx.lock_time) + fprintf(stdout, + "\tlocked since %s", + ctime(&ctx.lock_time)); + else + fprintf(stdout, "\n"); + } +} + +static int +open_otp (int argc, char **argv, char *inuser) +{ + void *db; + OtpContext ctx; + int ret; + + db = otp_db_open (); + if (db == NULL) + errx (1, "otp_db_open failed"); + + ctx.user = inuser; + ret = otp_simple_get (db, &ctx); + if (ret == 0) + ret = otp_put (db, &ctx); + otp_db_close (db); + return ret; +} + +/* + * Print otp entries for one or all users + */ + +static int +list_otps (int argc, char **argv, char *inuser) +{ + void *db; + struct passwd *pw; + + db = otp_db_open (); + if(db == NULL) + errx (1, 
"otp_db_open failed"); + + if (inuser) + print_otp_entry_for_name(db, inuser); + else + /* scans all users... so as to get a deterministic order */ + while ((pw = getpwent())) + print_otp_entry_for_name(db, pw->pw_name); + + otp_db_close (db); + return 0; +} + +int +main (int argc, char **argv) +{ + int defaultp = 0; + int uid = getuid(); + OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT); + int optidx = 0; + char userbuf[128]; + + setprogname (argv[0]); + if(getarg(args, num_args, argc, argv, &optidx)) + usage(1); + if(help_flag) + usage(0); + if(version_flag) { + print_version(NULL); + exit(0); + } + + if(deletep && uid != 0) + errx (1, "Only root can delete OTPs"); + if(alg_string) { + alg = otp_find_alg (alg_string); + if (alg == NULL) + errx (1, "Unknown algorithm: %s", alg_string); + } + if (user && uid != 0) + errx (1, "Only root can use `-u'"); + argc -= optidx; + argv += optidx; + + if (!(listp || deletep || renewp || openp)) + defaultp = 1; + + if ( listp + deletep + renewp + defaultp + openp != 1) + usage(1); /* one of -d or -l or -r or none */ + + if(deletep || openp || listp) { + if(argc != 0) + errx(1, "delete, open, and list requires no arguments"); + } else { + if(argc != 2) + errx(1, "setup, and renew requires `num', and `seed'"); + } + if (listp) + return list_otps (argc, argv, user); + + if (user == NULL) { + user = roken_get_username(userbuf, sizeof(userbuf)); + if (user == NULL) + err (1, "You don't exist"); + } + + /* + * users other that root must provide the next OTP to update the sequence. + * it avoids someone to use a pending session to change an OTP sequence. + * see RFC 1938/8.0. 
+ */ + if (uid != 0 && (defaultp || renewp)) { + if (!has_an_otp(user)) { + errx (1, "Only root can set an initial OTP"); + } else { /* Check the next OTP (RFC 1938/8.0: SHOULD) */ + if (verify_user_otp(user) != 0) { + errx (1, "User authentication failed"); + } + } + } + + if (deletep) + return delete_otp (argc, argv, user); + else if (renewp) + return renew (argc, argv, alg, user); + else if (openp) + return open_otp (argc, argv, user); + else + return set (argc, argv, alg, user); +} diff --git a/third_party/heimdal/appl/otp/otp_locl.h b/third_party/heimdal/appl/otp/otp_locl.h new file mode 100644 index 0000000..76f0ac4 --- /dev/null +++ b/third_party/heimdal/appl/otp/otp_locl.h 
@@ -0,0 +1,56 @@ +/* + * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id$ */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +#ifdef HAVE_PWD_H +#include +#endif +#include +#include +#include "crypto-headers.h" /* for des_read_pw_string */ +#include 
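Review bot: In appl/kf/kfd.c proto(), the setgid() and setuid() failure branches jump to out: without setting status, which is still 0 from the preceding krb5_read_priv_message(), so the out: block sends "ok" to the client although no credential cache was written; set status to a non-zero value in both branches before the goto. The same privilege drop uses setgid()/setuid() alone with no initgroups() or setgroups() call, so the process keeps the supplementary groups it was started with; add that call before setgid(). At the end of proto(), status is overwritten by the return value of krb5_write_priv_message(), so main() sees 0 and runs execl() on regpag_str even when the reply was "no"; keep the forwarding result in a separate variable and return that. Two smaller points: the terminator checks index remotename.data[remotename.length-1] and tk_file.data[tk_file.length-1] without first rejecting a zero length, which indexes outside the buffer when the decrypted message is empty, and the krb5_read_priv_message() error path passes errno instead of status to krb5_err() and is followed by an unreachable goto out.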
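Review bot: In appl/otp/otp.c renew(), the result of otp_put() is discarded and the function returns the ret that was set to 0 earlier, so a failed database write is reported as a successful renewal; return the otp_put() value as set() does. In both renew() and set() the sequence number comes from atoi(argv[0]) with no validation, so non-numeric input silently becomes 0; parse it with strtol() and reject values that are not a positive in-range number. The pw and passwd buffers that hold the pass-phrase or OTP in renew(), set() and verify_user_otp() are left uncleared at return, and set() leaks ctx.user on the early return 1 after UI_UTIL_read_pw_string() fails; clear the buffers and free ctx.user on every exit path, which matters here because appl/otp/Makefile.am lists otp under bin_SUIDS.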
diff --git a/third_party/heimdal/appl/otp/otpprint.1 b/third_party/heimdal/appl/otp/otpprint.1 new file mode 100644 index 0000000..8045933 --- /dev/null +++ b/third_party/heimdal/appl/otp/otpprint.1 
@@ -0,0 +1,82 @@ +.\" Copyright (c) 1996, 2000 - 2001 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd November 17, 1996 +.Dt OTP 1 +.Os KTH-KRB +.Sh NAME +.Nm otpprint +.Nd print lists of one-time passwords +.Sh SYNOPSIS +.Nm otp +.Op Fl n Ar count +.Op Fl e +.Op Fl h +.Op Fl f Ar algorithm +.Ar sequence-number +.Ar seed +.Sh DESCRIPTION +The +.Nm +program prints lists of OTPs. +.Pp +Use this to print out a series of one-time passwords. You will have +to supply the +.Ar sequence number +and the +.Ar seed +as arguments and then the program will prompt you for your pass-phrase. +.Pp +There are several different print formats. The default is to print +each password with six short english words. +.Pp +Options are: +.Bl -tag -width Ds +.It Fl e +Print the passwords in ``extended'' format. In this format a prefix +that says ``hex:'' or ``word:'' is included. +.It Fl f +To choose a different +.Ar algorithm +from the default md5. Pick any of: md4, md5, and sha. +.It Fl h +Print the passwords in hex. +.It Fl n +Print +.Ar count +one-time passwords, starting at +.Ar sequence-number +and going backwards. The default is 10. +.El +.Sh SEE ALSO +.Xr otp 1 diff --git a/third_party/heimdal/appl/otp/otpprint.c b/third_party/heimdal/appl/otp/otpprint.c new file mode 100644 index 0000000..1c9c339 --- /dev/null +++ b/third_party/heimdal/appl/otp/otpprint.c 
@@ -0,0 +1,136 @@ +/* + * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "otp_locl.h" +#include + +RCSID("$Id$"); + +static int extendedp; +static int count = 10; +static int hexp; +static char* alg_string; +static int version_flag; +static int help_flag; + +struct getargs args[] = { + { "extended", 'e', arg_flag, &extendedp, "print keys in extended format", + NULL }, + { "count", 'n', arg_integer, &count, "number of keys to print", NULL }, + { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal", NULL }, + { "hash", 'f', arg_string, &alg_string, + "hash algorithm (md4, md5, or sha)", "algorithm"}, + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } +}; + +int num_args = sizeof(args) / sizeof(args[0]); + +static void +usage(int code) +{ + arg_printusage(args, num_args, NULL, "num seed"); + exit(code); +} + +static int +print (int argc, + char **argv, + int incount, + OtpAlgorithm *alg, + void (*print_fn)(OtpKey, char *, size_t)) +{ + char pw[64]; + OtpKey key; + int n; + int i; + char *seed; + + if (argc != 2) + usage (1); + n = atoi(argv[0]); + seed = argv[1]; + if (UI_UTIL_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 0)) + return 1; + alg->init (key, pw, seed); + for (i = 0; i < n; ++i) { + char s[64]; + + alg->next (key); + if (i >= n - incount) { + (*print_fn)(key, s, sizeof(s)); + printf ("%d: %s\n", i + 1, s); + } + } + return 0; +} + +int +main (int argc, char **argv) +{ + int optidx = 0; + void (*fn)(OtpKey, char *, size_t); + OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT); + + setprogname (argv[0]); + if(getarg(args, num_args, argc, argv, &optidx)) + usage(1); + if(help_flag) + usage(0); + if(version_flag) { + print_version(NULL); + exit(0); + } + + if(alg_string) { + alg = otp_find_alg (alg_string); + if (alg == NULL) + errx(1, "Unknown algorithm: %s", alg_string); + } + argc -= optidx; + argv += optidx; + + if (hexp) { + if (extendedp) + fn = otp_print_hex_extended; + else + fn = otp_print_hex; + } else { + if (extendedp) + fn = 
otp_print_stddict_extended; + else + fn = otp_print_stddict; + } + + return print (argc, argv, count, alg, fn); +} diff --git a/third_party/heimdal/appl/test/Makefile.am b/third_party/heimdal/appl/test/Makefile.am new file mode 100644 index 0000000..15ed68f --- /dev/null +++ b/third_party/heimdal/appl/test/Makefile.am @@ -0,0 +1,46 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +WFLAGS += $(WFLAGS_LITE) + +noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \ + uu_server uu_client nt_gss_server nt_gss_client http_client + +tcp_client_SOURCES = tcp_client.c common.c test_locl.h + +tcp_server_SOURCES = tcp_server.c common.c test_locl.h + +gssapi_server_SOURCES = gssapi_server.c gss_common.c common.c \ + gss_common.h test_locl.h + +gssapi_client_SOURCES = gssapi_client.c gss_common.c common.c \ + gss_common.h test_locl.h + +http_client_SOURCES = http_client.c gss_common.c common.c \ + gss_common.h test_locl.h + +uu_server_SOURCES = uu_server.c common.c test_locl.h + +uu_client_SOURCES = uu_client.c common.c test_locl.h + +gssapi_server_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD) + +gssapi_client_LDADD = $(gssapi_server_LDADD) + +http_client_LDADD = $(top_builddir)/lib/gssapi/libgssapi.la $(LDADD) + +nt_gss_client_SOURCES = nt_gss_client.c nt_gss_common.c nt_gss_common.h common.c + +nt_gss_server_SOURCES = nt_gss_server.c nt_gss_common.c nt_gss_common.h + +nt_gss_client_LDADD = $(gssapi_server_LDADD) + +nt_gss_server_LDADD = $(nt_gss_client_LDADD) + +LDADD = $(top_builddir)/lib/krb5/libkrb5.la \ + $(LIB_hcrypto) \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(LIB_roken) + +EXTRA_DIST = NTMakefile jgssapi_server.java diff --git a/third_party/heimdal/appl/test/NTMakefile b/third_party/heimdal/appl/test/NTMakefile new file mode 100644 index 0000000..15bea96 --- /dev/null +++ b/third_party/heimdal/appl/test/NTMakefile 
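Review bot: In otpprint.c print(), `n = atoi(argv[0]);` accepts non-numeric and negative input without complaint, and the `count` value from `-n` is never range-checked, so a bad sequence number or a negative count makes the loop print nothing and still return 0. Parse both with strtol, reject values <= 0, and report the error through usage(1). The pass-phrase buffer `char pw[64]` and the `OtpKey key` derived from it are also left on the stack when print() returns; clear both after the loop with a call the compiler will not optimise away (memset_s or explicit_bzero where available).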
@@ -0,0 +1,35 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +RELDIR=appl\test + +!include ../../windows/NTMakefile.w32 + diff --git a/third_party/heimdal/appl/test/common.c b/third_party/heimdal/appl/test/common.c new file mode 100644 index 0000000..3f0fc23 --- /dev/null +++ b/third_party/heimdal/appl/test/common.c 
@@ -0,0 +1,180 @@ +/* + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "test_locl.h" + +static int help_flag; +static int version_flag; +static char *port_str; +char *keytab_str; +krb5_keytab keytab; +char *service = SERVICE; +char *mech = "krb5"; +int fork_flag; +char *password = NULL; + +static struct getargs args[] = { + { "port", 'p', arg_string, &port_str, "port to listen to", "port" }, + { "service", 's', arg_string, &service, "service to use", "service" }, + { "keytab", 'k', arg_string, &keytab_str, "keytab to use", "keytab" }, + { "mech", 'm', arg_string, &mech, "gssapi mech to use", "mech" }, + { "password", 'P', arg_string, &password, "password to use", "password" }, + { "fork", 'f', arg_flag, &fork_flag, "do fork", NULL }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL } +}; + +static int num_args = sizeof(args) / sizeof(args[0]); + +static void +server_usage(int code, struct getargs *args, int num_args) +{ + arg_printusage(args, num_args, NULL, ""); + exit(code); +} + +static void +client_usage(int code, struct getargs *args, int num_args) +{ + arg_printusage(args, num_args, NULL, "host"); + exit(code); +} + + +static int +common_setup(krb5_context *context, int *argc, char **argv, + void (*usage)(int, struct getargs*, int)) +{ + int port = 0; + *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage); + + if(help_flag) + (*usage)(0, args, num_args); + if(version_flag) { + print_version(NULL); + exit(0); + } + + if(port_str){ + struct servent *s = roken_getservbyname(port_str, "tcp"); + if(s) + port = s->s_port; + else { + char *ptr; + + port = strtol (port_str, &ptr, 10); + if (port == 0 && ptr == port_str) + errx (1, "Bad port `%s'", port_str); + port = htons(port); + } + } + + if (port == 0) + port = krb5_getportbyname (*context, PORT, "tcp", 4711); + + return port; +} + +int +server_setup(krb5_context *context, int argc, char **argv) +{ + int port = common_setup(context, &argc, argv, server_usage); + krb5_error_code ret; + + 
if(argv[argc] != NULL) + server_usage(1, args, num_args); + if (keytab_str != NULL) { + ret = krb5_kt_resolve (*context, keytab_str, &keytab); + if (ret) + krb5_err (*context, 1, ret, "krb5_kt_resolve"); + } else { + ret = krb5_kt_default (*context, &keytab); + if (ret) + krb5_err (*context, 1, ret, "krb5_kt_default"); + } + return port; +} + +int +client_setup(krb5_context *context, int *argc, char **argv) +{ + int optind = *argc; + int port = common_setup(context, &optind, argv, client_usage); + if(*argc - optind != 1) + client_usage(1, args, num_args); + *argc = optind; + return port; +} + +int +client_doit (const char *hostname, int port, const char *service, + int (*func)(int, const char *hostname, const char *service)) +{ + struct addrinfo *ai, *a; + struct addrinfo hints; + int error; + char portstr[NI_MAXSERV]; + + memset (&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + + snprintf (portstr, sizeof(portstr), "%u", ntohs(port)); + + error = getaddrinfo (hostname, portstr, &hints, &ai); + if (error) { + errx (1, "%s: %s", hostname, gai_strerror(error)); + return -1; + } + + for (a = ai; a != NULL; a = a->ai_next) { + int s; + + s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); + if (s < 0) + continue; + + socket_set_ipv6only(s, 1); + + if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { + warn ("connect(%s)", hostname); + close (s); + continue; + } + freeaddrinfo (ai); + return (*func) (s, hostname, service); + } + warnx ("failed to contact %s", hostname); + freeaddrinfo (ai); + return 1; +} diff --git a/third_party/heimdal/appl/test/gss_common.c b/third_party/heimdal/appl/test/gss_common.c new file mode 100644 index 0000000..6a0eb77 --- /dev/null +++ b/third_party/heimdal/appl/test/gss_common.c 
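Review bot: In common.c common_setup(), the numeric port path `port = strtol (port_str, &ptr, 10);` only rejects input that contains no digits at all (`port == 0 && ptr == port_str`), so values with trailing garbage or outside 1..65535 are accepted and `htons(port)` silently truncates them to 16 bits. Check `*ptr == '\0'` and the range before the htons() call. Separately, the `-P` option takes the password from argv, where it is visible to other local users in the process list; the help string "password to use" should say this is for testing only, or the value should be read from a prompt or file. In client_doit(), the `return -1;` after `errx (1, ...)` is unreachable.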
@@ -0,0 +1,154 @@ +/* + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "test_locl.h" +#include +#include +#include +#include "gss_common.h" +RCSID("$Id$"); + +void +write_token (int sock, gss_buffer_t buf) +{ + uint32_t len, net_len; + OM_uint32 min_stat; + + len = buf->length; + + net_len = htonl(len); + + if (net_write (sock, &net_len, 4) != 4) + err (1, "write"); + if (net_write (sock, buf->value, len) != len) + err (1, "write"); + + gss_release_buffer (&min_stat, buf); +} + +static void +enet_read(int fd, void *buf, size_t len) +{ + ssize_t ret; + + ret = net_read (fd, buf, len); + if (ret == 0) + errx (1, "EOF in read"); + else if (ret < 0) + errx (1, "read"); +} + +void +read_token (int sock, gss_buffer_t buf) +{ + uint32_t len, net_len; + + enet_read (sock, &net_len, 4); + len = ntohl(net_len); + buf->length = len; + buf->value = emalloc(len); + enet_read (sock, buf->value, len); +} + +void +gss_print_errors (int min_stat) +{ + OM_uint32 new_stat; + OM_uint32 msg_ctx = 0; + gss_buffer_desc status_string; + OM_uint32 ret; + + do { + ret = gss_display_status (&new_stat, + min_stat, + GSS_C_MECH_CODE, + GSS_C_NO_OID, + &msg_ctx, + &status_string); + fprintf (stderr, "%.*s\n", (int)status_string.length, + (char *)status_string.value); + gss_release_buffer (&new_stat, &status_string); + } while (!GSS_ERROR(ret) && msg_ctx != 0); +} + +void +gss_verr(int exitval, int status, const char *fmt, va_list ap) +{ + vwarnx (fmt, ap); + gss_print_errors (status); + exit (exitval); +} + +void +gss_err(int exitval, int status, const char *fmt, ...) 
+{ + va_list args; + + va_start(args, fmt); + gss_verr (exitval, status, fmt, args); + va_end(args); +} + +gss_OID +select_mech(const char *mech) +{ + if (strcasecmp(mech, "krb5") == 0) + return GSS_KRB5_MECHANISM; + else if (strcasecmp(mech, "spnego") == 0) + return GSS_SPNEGO_MECHANISM; + else if (strcasecmp(mech, "no-oid") == 0) + return GSS_C_NO_OID; + else + errx (1, "Unknown mechanism '%s' (spnego, krb5, no-oid)", mech); +} + +void +print_gss_name(const char *prefix, gss_name_t name) +{ + OM_uint32 maj_stat, min_stat; + gss_buffer_desc name_token; + + maj_stat = gss_display_name (&min_stat, + name, + &name_token, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_display_name"); + + fprintf (stderr, "%s `%.*s'\n", prefix, + (int)name_token.length, + (char *)name_token.value); + + gss_release_buffer (&min_stat, &name_token); + +} diff --git a/third_party/heimdal/appl/test/gss_common.h b/third_party/heimdal/appl/test/gss_common.h new file mode 100644 index 0000000..eaab550 --- /dev/null +++ b/third_party/heimdal/appl/test/gss_common.h 
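Review bot: In gss_common.c read_token(), `len = ntohl(net_len);` comes straight from the peer and is passed to `emalloc(len)` with no upper bound, and gssapi_server.c calls read_token() before gss_accept_sec_context() has authenticated anyone, so a single 4-byte header from any client can request an allocation of up to 4 GiB. Define a maximum token size and errx() when the announced length exceeds it. In gss_print_errors(), the result of gss_display_status() is only tested in the loop condition, after `status_string` has already been printed and released; test GSS_ERROR(ret) before the fprintf. Note also that write_token() releases the buffer it is given, which callers need documented because several of them release the same buffer again or pass a strdup()ed value.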
@@ -0,0 +1,49 @@ +/* + * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +/* $Id$ */ + +void write_token (int sock, gss_buffer_t buf); +void read_token (int sock, gss_buffer_t buf); + +void gss_print_errors (int min_stat); + +void gss_verr(int exitval, int status, const char *fmt, va_list ap) + __attribute__ ((format (printf, 3, 0))); + +void gss_err(int exitval, int status, const char *fmt, ...) + __attribute__ ((format (printf, 3, 4))); + +gss_OID select_mech(const char *); + +void print_gss_name(const char *, gss_name_t); diff --git a/third_party/heimdal/appl/test/gssapi_client.c b/third_party/heimdal/appl/test/gssapi_client.c new file mode 100644 index 0000000..13049c8 --- /dev/null +++ b/third_party/heimdal/appl/test/gssapi_client.c 
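Review bot: In gss_common.h, `gss_print_errors (int min_stat)`, `gss_verr(int exitval, int status, ...)` and `gss_err(int exitval, int status, ...)` take the status as int, but every caller in this patch passes an `OM_uint32 min_stat`; declare the parameter as OM_uint32 to avoid the implicit signed conversion. The header also has no include guard and does not include the headers that declare gss_buffer_t, gss_name_t, gss_OID and va_list, so it only compiles when the including file happens to pull those in first.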
@@ -0,0 +1,307 @@ +/* + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "test_locl.h" +#include +#include +#include +#include "gss_common.h" +RCSID("$Id$"); + +static int +do_trans (int sock, gss_ctx_id_t context_hdl) +{ + OM_uint32 maj_stat, min_stat; + gss_buffer_desc real_input_token, real_output_token; + gss_buffer_t input_token = &real_input_token, + output_token = &real_output_token; + int conf_flag; + + /* get_mic */ + + input_token->length = 3; + input_token->value = strdup("hej"); + + maj_stat = gss_get_mic(&min_stat, + context_hdl, + GSS_C_QOP_DEFAULT, + input_token, + output_token); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_get_mic"); + + write_token (sock, input_token); + write_token (sock, output_token); + + gss_release_buffer(&min_stat, output_token); + + /* verify mic */ + + read_token (sock, input_token); + read_token (sock, output_token); + + maj_stat = gss_verify_mic(&min_stat, + context_hdl, + input_token, + output_token, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_verify_mic"); + + gss_release_buffer (&min_stat, input_token); + gss_release_buffer (&min_stat, output_token); + + /* wrap */ + + input_token->length = 7; + input_token->value = "hemligt"; + + maj_stat = gss_wrap (&min_stat, + context_hdl, + 0, + GSS_C_QOP_DEFAULT, + input_token, + NULL, + output_token); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_wrap"); + + write_token (sock, output_token); + + maj_stat = gss_wrap (&min_stat, + context_hdl, + 1, + GSS_C_QOP_DEFAULT, + input_token, + NULL, + output_token); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_wrap"); + + write_token (sock, output_token); + + read_token (sock, input_token); + + maj_stat = gss_unwrap (&min_stat, + context_hdl, + input_token, + output_token, + &conf_flag, + NULL); + if(GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_unwrap"); + + write_token (sock, output_token); + + gss_release_buffer(&min_stat, output_token); + + return 0; +} + +extern char *password; + +static int +proto (int sock, const char *hostname, 
const char *service) +{ + struct sockaddr_storage remote, local; + socklen_t addrlen; + + int context_established = 0; + gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; + gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; + gss_buffer_desc real_input_token, real_output_token; + gss_buffer_t input_token = &real_input_token, + output_token = &real_output_token; + OM_uint32 maj_stat, min_stat; + gss_name_t server; + gss_buffer_desc name_token; + gss_OID mech_oid; + char *str; + + mech_oid = select_mech(mech); + + name_token.length = asprintf (&str, + "%s@%s", service, hostname); + if (str == NULL) + errx(1, "malloc - out of memory"); + name_token.value = str; + + maj_stat = gss_import_name (&min_stat, + &name_token, + GSS_C_NT_HOSTBASED_SERVICE, + &server); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, + "Error importing name `%s@%s':\n", service, hostname); + + if (password) { + gss_buffer_desc pw; + + pw.value = password; + pw.length = strlen(password); + + maj_stat = gss_acquire_cred_with_password(&min_stat, + GSS_C_NO_NAME, + &pw, + GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, + GSS_C_INITIATE, + &cred, + NULL, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, + "Error acquiring default initiator credentials"); + } + + addrlen = sizeof(local); + if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0 + || addrlen > sizeof(local)) + err (1, "getsockname(%s)", hostname); + + addrlen = sizeof(remote); + if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0 + || addrlen > sizeof(remote)) + err (1, "getpeername(%s)", hostname); + + input_token->length = 0; + output_token->length = 0; + +#if 0 + struct gss_channel_bindings_struct input_chan_bindings; + u_char init_buf[4]; + u_char acct_buf[4]; + + input_chan_bindings.initiator_addrtype = GSS_C_AF_INET; + input_chan_bindings.initiator_address.length = 4; + init_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF; + init_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF; + init_buf[2] = (local.sin_addr.s_addr >> 8) & 
0xFF; + init_buf[3] = (local.sin_addr.s_addr >> 0) & 0xFF; + input_chan_bindings.initiator_address.value = init_buf; + + input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET; + input_chan_bindings.acceptor_address.length = 4; + acct_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF; + acct_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF; + acct_buf[2] = (remote.sin_addr.s_addr >> 8) & 0xFF; + acct_buf[3] = (remote.sin_addr.s_addr >> 0) & 0xFF; + input_chan_bindings.acceptor_address.value = acct_buf; + + input_chan_bindings.application_data.value = emalloc(4); + * (unsigned short*)input_chan_bindings.application_data.value = local.sin_port; + * ((unsigned short *)input_chan_bindings.application_data.value + 1) = remote.sin_port; + input_chan_bindings.application_data.length = 4; + + input_chan_bindings.application_data.length = 0; + input_chan_bindings.application_data.value = NULL; +#endif + + while(!context_established) { + maj_stat = + gss_init_sec_context(&min_stat, + cred, + &context_hdl, + server, + mech_oid, + GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, + 0, + NULL, + input_token, + NULL, + output_token, + NULL, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_init_sec_context"); + if (output_token->length != 0) + write_token (sock, output_token); + if (GSS_ERROR(maj_stat)) { + if (context_hdl != GSS_C_NO_CONTEXT) + gss_delete_sec_context (&min_stat, + &context_hdl, + GSS_C_NO_BUFFER); + break; + } + if (maj_stat & GSS_S_CONTINUE_NEEDED) { + read_token (sock, input_token); + } else { + context_established = 1; + } + + } + if (fork_flag) { + pid_t pid; + int pipefd[2]; + + if (pipe (pipefd) < 0) + err (1, "pipe"); + + pid = fork (); + if (pid < 0) + err (1, "fork"); + if (pid != 0) { + gss_buffer_desc buf; + + maj_stat = gss_export_sec_context (&min_stat, + &context_hdl, + &buf); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_export_sec_context"); + write_token (pipefd[1], &buf); + exit (0); + } else { + gss_ctx_id_t context_hdl; + 
gss_buffer_desc buf; + + close (pipefd[1]); + read_token (pipefd[0], &buf); + close (pipefd[0]); + maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_import_sec_context"); + gss_release_buffer (&min_stat, &buf); + return do_trans (sock, context_hdl); + } + } else { + return do_trans (sock, context_hdl); + } +} + +int +main(int argc, char **argv) +{ + krb5_context context; /* XXX */ + int port = client_setup(&context, &argc, argv); + return client_doit (argv[argc], port, service, proto); +} diff --git a/third_party/heimdal/appl/test/gssapi_server.c b/third_party/heimdal/appl/test/gssapi_server.c new file mode 100644 index 0000000..baf13ec --- /dev/null +++ b/third_party/heimdal/appl/test/gssapi_server.c 
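Review bot: In gssapi_client.c proto(), the context loop calls `gss_err (1, min_stat, "gss_init_sec_context")` as soon as GSS_ERROR(maj_stat) is true, and gss_err() exits, so the later `if (GSS_ERROR(maj_stat))` block that deletes the context and breaks is dead code and an error token in output_token is never sent to the peer. Keep only one of the two checks, placed after the write_token() call. Also, `name_token.length = asprintf (&str, "%s@%s", service, hostname);` is validated with `str == NULL`; asprintf reports failure through a return value of -1 and on some platforms leaves str undefined, so test the return value before storing it in the length field. The message "Error acquiring default initiator credentials" on the gss_acquire_cred_with_password() path should mention the password credential instead.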
@@ -0,0 +1,401 @@ +/* + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * A sample server that uses the GSSAPI. 
+ */ + +#include "test_locl.h" +#include +#include +#include +#include "gss_common.h" + +static int +process_it(int sock, + gss_ctx_id_t context_hdl, + gss_name_t client_name + ) +{ + OM_uint32 maj_stat, min_stat; + gss_buffer_desc real_input_token, real_output_token; + gss_buffer_t input_token = &real_input_token, + output_token = &real_output_token; + gss_name_t server_name; + int conf_flag; + + print_gss_name("User is", client_name); + + maj_stat = gss_inquire_context(&min_stat, + context_hdl, + NULL, + &server_name, + NULL, + NULL, + NULL, + NULL, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_inquire_context"); + + print_gss_name("Server is", server_name); + + maj_stat = gss_release_name(&min_stat, &server_name); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_release_name"); + + /* gss_verify_mic */ + + read_token (sock, input_token); + read_token (sock, output_token); + + maj_stat = gss_verify_mic (&min_stat, + context_hdl, + input_token, + output_token, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_verify_mic"); + + fprintf (stderr, "gss_verify_mic: %.*s\n", (int)input_token->length, + (char *)input_token->value); + + gss_release_buffer (&min_stat, input_token); + gss_release_buffer (&min_stat, output_token); + + /* create mic */ + + input_token->length = 6; + input_token->value = strdup("hejsan"); + + maj_stat = gss_get_mic(&min_stat, + context_hdl, + GSS_C_QOP_DEFAULT, + input_token, + output_token); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_get_mic"); + + write_token (sock, input_token); + write_token (sock, output_token); + + gss_release_buffer (&min_stat, output_token); + + /* gss_unwrap */ + + read_token (sock, input_token); + + maj_stat = gss_unwrap (&min_stat, + context_hdl, + input_token, + output_token, + &conf_flag, + NULL); + if(GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_unwrap"); + + fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length, + (char 
*)output_token->value, + conf_flag ? "CONF" : "INT"); + + gss_release_buffer (&min_stat, input_token); + gss_release_buffer (&min_stat, output_token); + + read_token (sock, input_token); + + maj_stat = gss_unwrap (&min_stat, + context_hdl, + input_token, + output_token, + &conf_flag, + NULL); + if(GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_unwrap"); + + fprintf (stderr, "gss_unwrap: %.*s %s\n", (int)output_token->length, + (char *)output_token->value, + conf_flag ? "CONF" : "INT"); + + gss_release_buffer (&min_stat, input_token); + gss_release_buffer (&min_stat, output_token); + + input_token->value = "hejhej"; + input_token->length = 6; + + maj_stat = gss_wrap (&min_stat, + context_hdl, + 1, + GSS_C_QOP_DEFAULT, + input_token, + NULL, + output_token); + if (GSS_ERROR(maj_stat)) + gss_err(1, min_stat, "gss_wrap"); + + write_token (sock, output_token); + gss_release_buffer (&min_stat, output_token); + + read_token (sock, input_token); + + if (input_token->length != 6 && memcmp(input_token->value, "hejhej", 6) != 0) + errx(1, "invalid reply"); + + return 0; +} + +static int +proto (int sock, const char *service) +{ + struct sockaddr_in remote, local; + socklen_t addrlen; + gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; + gss_buffer_desc real_input_token, real_output_token; + gss_buffer_t input_token = &real_input_token, + output_token = &real_output_token; + OM_uint32 maj_stat, min_stat; + gss_name_t client_name; + struct gss_channel_bindings_struct input_chan_bindings; + gss_cred_id_t delegated_cred_handle = NULL; + krb5_ccache ccache = NULL; + u_char init_buf[4]; + u_char acct_buf[4]; + gss_OID mech_oid; + char *mech, *p; + + addrlen = sizeof(local); + if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0 + || addrlen != sizeof(local)) + err (1, "getsockname)"); + + addrlen = sizeof(remote); + if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0 + || addrlen != sizeof(remote)) + err (1, "getpeername"); + + 
input_chan_bindings.initiator_addrtype = GSS_C_AF_INET; + input_chan_bindings.initiator_address.length = 4; + init_buf[0] = (remote.sin_addr.s_addr >> 24) & 0xFF; + init_buf[1] = (remote.sin_addr.s_addr >> 16) & 0xFF; + init_buf[2] = (remote.sin_addr.s_addr >> 8) & 0xFF; + init_buf[3] = (remote.sin_addr.s_addr >> 0) & 0xFF; + + input_chan_bindings.initiator_address.value = init_buf; + input_chan_bindings.acceptor_addrtype = GSS_C_AF_INET; + + input_chan_bindings.acceptor_address.length = 4; + acct_buf[0] = (local.sin_addr.s_addr >> 24) & 0xFF; + acct_buf[1] = (local.sin_addr.s_addr >> 16) & 0xFF; + acct_buf[2] = (local.sin_addr.s_addr >> 8) & 0xFF; + acct_buf[3] = (local.sin_addr.s_addr >> 0) & 0xFF; + input_chan_bindings.acceptor_address.value = acct_buf; + input_chan_bindings.application_data.value = emalloc(4); +#if 0 + * (unsigned short *)input_chan_bindings.application_data.value = + remote.sin_port; + * ((unsigned short *)input_chan_bindings.application_data.value + 1) = + local.sin_port; + input_chan_bindings.application_data.length = 4; +#else + input_chan_bindings.application_data.length = 0; + input_chan_bindings.application_data.value = NULL; +#endif + + delegated_cred_handle = GSS_C_NO_CREDENTIAL; + + do { + read_token (sock, input_token); + maj_stat = + gss_accept_sec_context (&min_stat, + &context_hdl, + GSS_C_NO_CREDENTIAL, + input_token, + &input_chan_bindings, + &client_name, + &mech_oid, + output_token, + NULL, + NULL, + &delegated_cred_handle); + if(GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_accept_sec_context"); + if (output_token->length != 0) + write_token (sock, output_token); + if (GSS_ERROR(maj_stat)) { + if (context_hdl != GSS_C_NO_CONTEXT) + gss_delete_sec_context (&min_stat, + &context_hdl, + GSS_C_NO_BUFFER); + break; + } + } while(maj_stat & GSS_S_CONTINUE_NEEDED); + + p = (char *)mech_oid->elements; + if (mech_oid->length == GSS_KRB5_MECHANISM->length + && memcmp(p, GSS_KRB5_MECHANISM->elements, mech_oid->length) == 0) + mech = 
"Kerberos 5"; + else if (mech_oid->length == GSS_SPNEGO_MECHANISM->length + && memcmp(p, GSS_SPNEGO_MECHANISM->elements, mech_oid->length) == 0) + mech = "SPNEGO"; /* XXX Silly, wont show up */ + else + mech = "Unknown"; + + printf("Using mech: %s\n", mech); + + if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) { + krb5_context context = NULL; + + printf("Delegated cred found\n"); + + min_stat = krb5_init_context(&context); + if (min_stat) + gss_err(1, min_stat, "krb5_init_context"); + if (min_stat == 0) + min_stat = krb5_cc_resolve(context, "FILE:/tmp/krb5cc_test", &ccache); + if (min_stat == 0) + maj_stat = gss_krb5_copy_ccache(&min_stat, + delegated_cred_handle, + ccache); + else + maj_stat = GSS_S_FAILURE; + if (maj_stat == 0) { + krb5_principal p; + maj_stat = krb5_cc_get_principal(context, ccache, &p); + if (maj_stat == 0) { + char *name; + maj_stat = krb5_unparse_name(context, p, &name); + if (maj_stat == 0) { + printf("Delegated user is: `%s'\n", name); + free(name); + } + krb5_free_principal(context, p); + } + } + krb5_cc_close(context, ccache); + krb5_free_context(context); + gss_release_cred(&min_stat, &delegated_cred_handle); + } + + if (fork_flag) { + pid_t pid; + int pipefd[2]; + + if (pipe (pipefd) < 0) + err (1, "pipe"); + + pid = fork (); + if (pid < 0) + err (1, "fork"); + if (pid != 0) { + gss_buffer_desc buf; + + maj_stat = gss_export_sec_context (&min_stat, + &context_hdl, + &buf); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_export_sec_context"); + write_token (pipefd[1], &buf); + exit (0); + } else { + gss_ctx_id_t context_hdl; + gss_buffer_desc buf; + + close (pipefd[1]); + read_token (pipefd[0], &buf); + close (pipefd[0]); + maj_stat = gss_import_sec_context (&min_stat, &buf, &context_hdl); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_import_sec_context"); + gss_release_buffer (&min_stat, &buf); + return process_it (sock, context_hdl, client_name); + } + } else { + return process_it (sock, context_hdl, client_name); + 
} +} + +static void +loop (int port, const char *service) +{ + int sock, sock2; + struct sockaddr_in my_addr; + int one = 1; + + if (keytab_str) + gsskrb5_register_acceptor_identity(keytab_str); + + sock = socket (AF_INET, SOCK_STREAM, 0); + if (sock < 0) + err (1, "socket"); + + memset (&my_addr, 0, sizeof(my_addr)); + my_addr.sin_family = AF_INET; + my_addr.sin_port = port; + my_addr.sin_addr.s_addr = INADDR_ANY; + + if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, + (void *)&one, sizeof(one)) < 0) + warn ("setsockopt SO_REUSEADDR"); + + if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0) + err (1, "bind"); + + while (1) { + if (listen (sock, 1) < 0) + err (1, "listen"); + + sock2 = accept (sock, NULL, NULL); + if (sock2 < 0) + err (1, "accept"); + + proto (sock2, service); + } +} + +/* + * Iterative server; process one connection at a time. + */ +int +main(int argc, char **argv) +{ + krb5_context context = NULL; /* XXX */ + krb5_error_code ret; + int port = server_setup(&context, argc, argv); + + ret = krb5_kt_have_content(context, keytab); + if (ret) + krb5_err (context, 1, ret, "krb5_kt_have_content"); + + loop (port, service); + return 0; +} + diff --git a/third_party/heimdal/appl/test/http_client.c b/third_party/heimdal/appl/test/http_client.c new file mode 100644 index 0000000..24c4e6e --- /dev/null +++ b/third_party/heimdal/appl/test/http_client.c 
@@ -0,0 +1,513 @@ +/* + * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "test_locl.h" +#include +#include +#include +#include "gss_common.h" +#include + +RCSID("$Id$"); + +/* + * A simplistic client implementing draft-brezak-spnego-http-04.txt + */ + +static int +do_connect (const char *hostname, const char *port) +{ + struct addrinfo *ai, *a; + struct addrinfo hints; + int error; + int s = -1; + + memset (&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = 0; + + error = getaddrinfo (hostname, port, &hints, &ai); + if (error) + errx (1, "getaddrinfo(%s): %s", hostname, gai_strerror(error)); + + for (a = ai; a != NULL; a = a->ai_next) { + s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); + if (s < 0) + continue; + if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { + warn ("connect(%s)", hostname); + close (s); + continue; + } + break; + } + freeaddrinfo (ai); + if (a == NULL) + errx (1, "failed to contact %s", hostname); + + return s; +} + +static void +fdprintf(int s, const char *fmt, ...) 
+{ + size_t len; + ssize_t ret; + va_list ap; + char *str, *buf; + + va_start(ap, fmt); + vasprintf(&str, fmt, ap); + va_end(ap); + + if (str == NULL) + errx(1, "vasprintf"); + + buf = str; + len = strlen(buf); + while (len) { + ret = write(s, buf, len); + if (ret == 0) + err(1, "connection closed"); + else if (ret < 0) + err(1, "error"); + len -= ret; + buf += ret; + } + free(str); +} + +static int help_flag; +static int version_flag; +static int verbose_flag; +static int mutual_flag = 1; +static int delegate_flag; +static char *port_str = "http"; +static char *gss_service = "HTTP"; + +static struct getargs http_args[] = { + { "verbose", 'v', arg_flag, &verbose_flag, "verbose logging", NULL }, + { "port", 'p', arg_string, &port_str, "port to connect to", "port" }, + { "delegate", 0, arg_flag, &delegate_flag, "gssapi delegate credential", + NULL }, + { "gss-service", 's', arg_string, &gss_service, "gssapi service to use", + "service" }, + { "mech", 'm', arg_string, &mech, "gssapi mech to use", "mech" }, + { "mutual", 0, arg_negative_flag, &mutual_flag, "no gssapi mutual auth", + NULL }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL } +}; + +static int num_http_args = sizeof(http_args) / sizeof(http_args[0]); + +static void +usage(int code) +{ + arg_printusage(http_args, num_http_args, NULL, "host [page]"); + exit(code); +} + +/* + * + */ + +struct http_req { + char *response; + char **headers; + int num_headers; + void *body; + size_t body_size; +}; + + +static void +http_req_zero(struct http_req *req) +{ + req->response = NULL; + req->headers = NULL; + req->num_headers = 0; + req->body = NULL; + req->body_size = 0; +} + +static void +http_req_free(struct http_req *req) +{ + int i; + + free(req->response); + for (i = 0; i < req->num_headers; i++) + free(req->headers[i]); + free(req->headers); + free(req->body); + http_req_zero(req); +} + +static const char * +http_find_header(struct http_req *req, const 
char *header) +{ + int i, len = strlen(header); + + for (i = 0; i < req->num_headers; i++) { + if (strncasecmp(header, req->headers[i], len) == 0) { + return req->headers[i] + len + 1; + } + } + return NULL; +} + + +static int +http_query(const char *host, const char *page, + char **headers, struct http_req *req) +{ + enum { RESPONSE, HEADER, BODY } state; + ssize_t ret; + char in_buf[1024], *in_ptr = in_buf; + size_t in_len = 0; + int s, i; + + http_req_zero(req); + + s = do_connect(host, port_str); + if (s < 0) + errx(1, "connection failed"); + + fdprintf(s, "GET %s HTTP/1.0\r\n", page); + for (i = 0; headers[i]; i++) + fdprintf(s, "%s\r\n", headers[i]); + fdprintf(s, "Host: %s\r\n\r\n", host); + + state = RESPONSE; + + while (1) { + ret = read (s, in_ptr, sizeof(in_buf) - in_len - 1); + if (ret == 0) + break; + else if (ret < 0) + err (1, "read: %lu", (unsigned long)ret); + + in_buf[ret + in_len] = '\0'; + + if (state == HEADER || state == RESPONSE) { + char *p; + + in_len += ret; + in_ptr += ret; + + while (1) { + p = strstr(in_buf, "\r\n"); + + if (p == NULL) { + break; + } else if (p == in_buf) { + memmove(in_buf, in_buf + 2, sizeof(in_buf) - 2); + state = BODY; + in_len -= 2; + in_ptr -= 2; + break; + } else if (state == RESPONSE) { + req->response = emalloc(p - in_buf + 1); + memcpy(req->response, in_buf, p - in_buf); + req->response[p - in_buf] = '\0'; + state = HEADER; + } else { + req->headers = realloc(req->headers, + (req->num_headers + 1) * sizeof(req->headers[0])); + req->headers[req->num_headers] = emalloc(p - in_buf + 1); + memcpy(req->headers[req->num_headers], in_buf, p - in_buf); + req->headers[req->num_headers][p - in_buf] = '\0'; + if (req->headers[req->num_headers] == NULL) + errx(1, "strdup"); + req->num_headers++; + } + memmove(in_buf, p + 2, sizeof(in_buf) - (p - in_buf) - 2); + in_len -= (p - in_buf) + 2; + in_ptr -= (p - in_buf) + 2; + } + } + + if (state == BODY) { + + req->body = erealloc(req->body, req->body_size + ret + 1); + + 
memcpy((char *)req->body + req->body_size, in_buf, ret); + req->body_size += ret; + ((char *)req->body)[req->body_size] = '\0'; + + in_ptr = in_buf; + in_len = 0; + } else + abort(); + } + + if (verbose_flag) { + int i; + printf("response: %s\n", req->response); + for (i = 0; i < req->num_headers; i++) + printf("header[%d] %s\n", i, req->headers[i]); + printf("body: %.*s\n", (int)req->body_size, (char *)req->body); + } + + close(s); + return 0; +} + + +int +main(int argc, char **argv) +{ + struct http_req req; + const char *host, *page; + int i, done, print_body, gssapi_done, gssapi_started; + char *headers[10] = { 0 }; + int num_headers = 0; + gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; + gss_name_t server = GSS_C_NO_NAME; + int optind = 0; + gss_OID mech_oid; + OM_uint32 flags; + + setprogname(argv[0]); + + if(getarg(http_args, num_http_args, argc, argv, &optind)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag) { + print_version(NULL); + exit(0); + } + + argc -= optind; + argv += optind; + + mech_oid = select_mech(mech); + + if (argc != 1 && argc != 2) + errx(1, "usage: %s host [page]", getprogname()); + host = argv[0]; + if (argc == 2) + page = argv[1]; + else + page = "/"; + + flags = 0; + if (delegate_flag) + flags |= GSS_C_DELEG_FLAG; + if (mutual_flag) + flags |= GSS_C_MUTUAL_FLAG; + + done = 0; + num_headers = 0; + gssapi_done = 1; + gssapi_started = 0; + do { + print_body = 0; + + http_query(host, page, headers, &req); + for (i = 0 ; headers[i]; i++) { + free(headers[i]); + headers[i] = NULL; + } + num_headers = 0; + + if (strstr(req.response, " 200 ") != NULL) { + print_body = 1; + done = 1; + } else if (strstr(req.response, " 401 ") != NULL) { + if (http_find_header(&req, "WWW-Authenticate:") == NULL) + errx(1, "Got %s but missed `WWW-Authenticate'", req.response); + gssapi_done = 0; + } + + if (!gssapi_done) { + const char *h = http_find_header(&req, "WWW-Authenticate:"); + if (h == NULL) + errx(1, "Got %s but missed 
`WWW-Authenticate'", req.response); + + if (strncasecmp(h, "Negotiate", 9) == 0) { + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token; + + if (verbose_flag) + printf("Negotiate found\n"); + + if (server == GSS_C_NO_NAME) { + char *name; + asprintf(&name, "%s@%s", gss_service, host); + input_token.length = strlen(name); + input_token.value = name; + + maj_stat = gss_import_name(&min_stat, + &input_token, + GSS_C_NT_HOSTBASED_SERVICE, + &server); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_inport_name"); + free(name); + input_token.length = 0; + input_token.value = NULL; + } + + i = 9; + while(h[i] && isspace((unsigned char)h[i])) + i++; + if (h[i] != '\0') { + int len = strlen(&h[i]); + if (len == 0) + errx(1, "invalid Negotiate token"); + input_token.value = emalloc(len); + len = rk_base64_decode(&h[i], input_token.value); + if (len < 0) + errx(1, "invalid base64 Negotiate token %s", &h[i]); + input_token.length = len; + } else { + if (gssapi_started) + errx(1, "Negotiate already started"); + gssapi_started = 1; + + input_token.length = 0; + input_token.value = NULL; + } + + maj_stat = + gss_init_sec_context(&min_stat, + GSS_C_NO_CREDENTIAL, + &context_hdl, + server, + mech_oid, + flags, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, + NULL, + &output_token, + NULL, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_init_sec_context"); + else if (maj_stat & GSS_S_CONTINUE_NEEDED) + gssapi_done = 0; + else { + gss_name_t targ_name, src_name; + gss_buffer_desc name_buffer; + gss_OID mech_type; + + gssapi_done = 1; + + printf("Negotiate done: %s\n", mech); + + maj_stat = gss_inquire_context(&min_stat, + context_hdl, + &src_name, + &targ_name, + NULL, + &mech_type, + NULL, + NULL, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_inquire_context"); + + maj_stat = gss_display_name(&min_stat, + src_name, + &name_buffer, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_display_name"); + + 
printf("Source: %.*s\n", + (int)name_buffer.length, + (char *)name_buffer.value); + + gss_release_buffer(&min_stat, &name_buffer); + + maj_stat = gss_display_name(&min_stat, + targ_name, + &name_buffer, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_display_name"); + + printf("Target: %.*s\n", + (int)name_buffer.length, + (char *)name_buffer.value); + + gss_release_name(&min_stat, &targ_name); + gss_release_buffer(&min_stat, &name_buffer); + } + + if (output_token.length) { + char *neg_token; + + rk_base64_encode(output_token.value, + output_token.length, + &neg_token); + + asprintf(&headers[num_headers++], "Authorization: Negotiate %s", + neg_token); + + free(neg_token); + gss_release_buffer(&min_stat, &output_token); + } + if (input_token.length) + free(input_token.value); + + } else + done = 1; + } else + done = 1; + + if (verbose_flag) { + printf("%s\n\n", req.response); + + for (i = 0; i < req.num_headers; i++) + printf("%s\n", req.headers[i]); + printf("\n"); + } + if (print_body || verbose_flag) + printf("%.*s\n", (int)req.body_size, (char *)req.body); + + http_req_free(&req); + } while (!done); + + if (gssapi_done == 0) + errx(1, "gssapi not done but http dance done"); + + return 0; +} diff --git a/third_party/heimdal/appl/test/jgssapi_server.java b/third_party/heimdal/appl/test/jgssapi_server.java new file mode 100644 index 0000000..6a9e75e --- /dev/null +++ b/third_party/heimdal/appl/test/jgssapi_server.java 
@@ -0,0 +1,148 @@ +/* + * Copyright (c) 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +import org.ietf.jgss.*; +import java.io.*; +import java.net.Socket; +import java.net.ServerSocket; + +public class jgssapi_server { + + static byte [] getMessage(DataInputStream inStream) + throws IOException + { + byte[] token; + token = new byte[inStream.readInt()]; + inStream.readFully(token); + return token; + } + + static void putMessage(DataOutputStream outStream, byte [] token) + throws IOException + { + outStream.writeInt(token.length); + outStream.write(token); + } + + + public static void main(String[] args) + throws IOException, GSSException { + + GSSManager manager = GSSManager.getInstance(); + + GSSContext context = manager.createContext((GSSCredential)null); + + byte[] token = null; + + int port = 4717; + + System.out.println("listen on port " + port); + + Socket s = new ServerSocket(port).accept(); + + DataInputStream inStream = new DataInputStream(s.getInputStream()); + DataOutputStream outStream = new DataOutputStream(s.getOutputStream()); + + System.out.println("negotiate context"); + while (!context.isEstablished()) { + token = getMessage(inStream); + + token = context.acceptSecContext(token, 0, token.length); + if (token != null) + putMessage(outStream, token); + } + + System.out.println("done"); + + /* + * mic + */ + System.out.println("mic test"); + + System.out.println(" verify mic"); + + byte[] intoken = getMessage(inStream); + byte[] outtoken = getMessage(inStream); + byte[] bytes = null; + + context.verifyMIC(outtoken, 0, outtoken.length, + intoken, 0, intoken.length, new MessageProp(0, false)); + + System.out.println(" create mic"); + + bytes = new byte[] { 0x66, 0x6f, 0x6f }; + + outtoken = context.getMIC(bytes, 0, bytes.length, new MessageProp(0, false)); + putMessage(outStream, bytes); + putMessage(outStream, outtoken); + + /* + * wrap int + */ + System.out.println("warp int"); + + outtoken = getMessage(inStream); + + bytes = context.unwrap(outtoken, 0, outtoken.length, new MessageProp(0, false)); + + if (bytes == null) + 
System.err.println("wrap int failed"); + + /* + * wrap conf + */ + System.out.println("warp conf"); + + outtoken = getMessage(inStream); + + bytes = context.unwrap(outtoken, 0, outtoken.length, new MessageProp(0, true)); + + if (bytes == null) + System.err.println("wrap conf failed"); + + + /* + * wrap conf + */ + System.out.println("warp conf"); + intoken = new byte[] { 0x66, 0x6f, 0x6f }; + outtoken = context.wrap(intoken, 0, intoken.length, new MessageProp(0, true)); + putMessage(outStream, outtoken); + outtoken = getMessage(inStream); + + context.dispose(); + + System.exit(0); + } +} + diff --git a/third_party/heimdal/appl/test/nt_gss_client.c b/third_party/heimdal/appl/test/nt_gss_client.c new file mode 100644 index 0000000..fc9ff3c --- /dev/null +++ b/third_party/heimdal/appl/test/nt_gss_client.c 
@@ -0,0 +1,167 @@ +/* + * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "test_locl.h" +#include +#include "nt_gss_common.h" + +RCSID("$Id$"); + +/* + * This program tries to act as a client for the sample in `Sample + * SSPI Code' in Windows 2000 RC1 SDK. 
+ */ + +static int +proto (int sock, const char *hostname, const char *service) +{ + struct sockaddr_in remote, local; + socklen_t addrlen; + + int context_established = 0; + gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; + gss_buffer_t input_token, output_token; + gss_buffer_desc real_input_token, real_output_token; + OM_uint32 maj_stat, min_stat; + gss_name_t server; + gss_buffer_desc name_token; + char *str; + + name_token.length = asprintf (&str, + "%s@%s", service, hostname); + if (str == NULL) + errx(1, "out of memory"); + name_token.value = str; + + maj_stat = gss_import_name (&min_stat, + &name_token, + GSS_C_NT_HOSTBASED_SERVICE, + &server); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, + "Error importing name `%s@%s':\n", service, hostname); + + addrlen = sizeof(local); + if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0 + || addrlen != sizeof(local)) + err (1, "getsockname(%s)", hostname); + + addrlen = sizeof(remote); + if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0 + || addrlen != sizeof(remote)) + err (1, "getpeername(%s)", hostname); + + input_token = &real_input_token; + output_token = &real_output_token; + + input_token->length = 0; + output_token->length = 0; + + while(!context_established) { + maj_stat = + gss_init_sec_context(&min_stat, + GSS_C_NO_CREDENTIAL, + &context_hdl, + server, + GSS_C_NO_OID, + GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + input_token, + NULL, + output_token, + NULL, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_init_sec_context"); + if (output_token->length != 0) + nt_write_token (sock, output_token); + if (GSS_ERROR(maj_stat)) { + if (context_hdl != GSS_C_NO_CONTEXT) + gss_delete_sec_context (&min_stat, + &context_hdl, + GSS_C_NO_BUFFER); + break; + } + if (maj_stat & GSS_S_CONTINUE_NEEDED) { + nt_read_token (sock, input_token); + } else { + context_established = 1; + } + + } + + /* get_mic */ + + input_token->length = 3; + 
input_token->value = strdup("hej"); + + maj_stat = gss_get_mic(&min_stat, + context_hdl, + GSS_C_QOP_DEFAULT, + input_token, + output_token); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_get_mic"); + + nt_write_token (sock, input_token); + nt_write_token (sock, output_token); + + /* wrap */ + + input_token->length = 7; + input_token->value = "hemligt"; + + + maj_stat = gss_wrap (&min_stat, + context_hdl, + 1, + GSS_C_QOP_DEFAULT, + input_token, + NULL, + output_token); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_wrap"); + + nt_write_token (sock, output_token); + + return 0; +} + +int +main(int argc, char **argv) +{ + krb5_context context; /* XXX */ + int port = client_setup(&context, &argc, argv); + return client_doit (argv[argc], port, service, proto); +} diff --git a/third_party/heimdal/appl/test/nt_gss_common.c b/third_party/heimdal/appl/test/nt_gss_common.c new file mode 100644 index 0000000..617c18a --- /dev/null +++ b/third_party/heimdal/appl/test/nt_gss_common.c 
@@ -0,0 +1,135 @@ +/* + * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "test_locl.h" +#include +#include "nt_gss_common.h" + +RCSID("$Id$"); + +/* + * These are functions that are needed to interoperate with the + * `Sample SSPI Code' in Windows 2000 RC1 SDK. 
+ */ + +/* + * Write the `gss_buffer_t' in `buf' onto the fd `sock', but remember that + * the length is written in little-endian-order. + */ + +void +nt_write_token (int sock, gss_buffer_t buf) +{ + unsigned char net_len[4]; + uint32_t len; + OM_uint32 min_stat; + + len = buf->length; + + net_len[0] = (len >> 0) & 0xFF; + net_len[1] = (len >> 8) & 0xFF; + net_len[2] = (len >> 16) & 0xFF; + net_len[3] = (len >> 24) & 0xFF; + + if (write (sock, net_len, 4) != 4) + err (1, "write"); + if (write (sock, buf->value, len) != len) + err (1, "write"); + + gss_release_buffer (&min_stat, buf); +} + +/* + * + */ + +void +nt_read_token (int sock, gss_buffer_t buf) +{ + unsigned char net_len[4]; + uint32_t len; + + if (read(sock, net_len, 4) != 4) + err (1, "read"); + len = (net_len[0] << 0) + | (net_len[1] << 8) + | (net_len[2] << 16) + | (net_len[3] << 24); + + if (len > INT_MAX/16) + errx(1, "len too large"); + buf->length = len; + buf->value = malloc(len); + if (read (sock, buf->value, len) != len) + err (1, "read"); +} + +void +gss_print_errors (int min_stat) +{ + OM_uint32 new_stat; + OM_uint32 msg_ctx = 0; + gss_buffer_desc status_string; + OM_uint32 ret; + + do { + ret = gss_display_status (&new_stat, + min_stat, + GSS_C_MECH_CODE, + GSS_C_NO_OID, + &msg_ctx, + &status_string); + fprintf (stderr, "%.*s\n", + (int)status_string.length, + (char *)status_string.value); + gss_release_buffer (&new_stat, &status_string); + } while (!GSS_ERROR(ret) && msg_ctx != 0); +} + +void +gss_verr(int exitval, int status, const char *fmt, va_list ap) +{ + vwarnx (fmt, ap); + gss_print_errors (status); + exit (exitval); +} + +void +gss_err(int exitval, int status, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + gss_verr (exitval, status, fmt, args); + va_end(args); +} diff --git a/third_party/heimdal/appl/test/nt_gss_common.h b/third_party/heimdal/appl/test/nt_gss_common.h new file mode 100644 index 0000000..134afe3 --- /dev/null 
+++ b/third_party/heimdal/appl/test/nt_gss_common.h 
@@ -0,0 +1,45 @@ +/* + * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +/* $Id$ */ + +void nt_write_token (int sock, gss_buffer_t buf); +void nt_read_token (int sock, gss_buffer_t buf); + +void gss_print_errors (int min_stat); + +void gss_verr(int exitval, int status, const char *fmt, va_list ap) + __attribute__ ((format (printf, 3, 0))); + +void gss_err(int exitval, int status, const char *fmt, ...) + __attribute__ ((format (printf, 3, 4))); diff --git a/third_party/heimdal/appl/test/nt_gss_server.c b/third_party/heimdal/appl/test/nt_gss_server.c new file mode 100644 index 0000000..d6f7cc1 --- /dev/null +++ b/third_party/heimdal/appl/test/nt_gss_server.c 
@@ -0,0 +1,244 @@ +/* + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "test_locl.h" +#include +#include +#include +#include +#include "nt_gss_common.h" + +RCSID("$Id$"); + +/* + * This program tries to act as a server for the sample in `Sample + * SSPI Code' in Windows 2000 RC1 SDK. 
+ * + * use --dump-auth to get a binary dump of the authorization data in the ticket + */ + +static int help_flag; +static int version_flag; +static char *port_str; +char *service = SERVICE; +static char *auth_file; + +static struct getargs args[] = { + { "port", 'p', arg_string, &port_str, "port to listen to", "port" }, + { "service", 's', arg_string, &service, "service to use", "service" }, + { "dump-auth", 0, arg_string, &auth_file, "dump authorization data", + "file" }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL } +}; + +static int num_args = sizeof(args) / sizeof(args[0]); + +static int +proto (int sock, const char *service) +{ + struct sockaddr_in remote, local; + socklen_t addrlen; + gss_ctx_id_t context_hdl = GSS_C_NO_CONTEXT; + gss_buffer_t input_token, output_token; + gss_buffer_desc real_input_token, real_output_token; + OM_uint32 maj_stat, min_stat; + gss_name_t client_name; + gss_buffer_desc name_token; + + addrlen = sizeof(local); + if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0 + || addrlen != sizeof(local)) + err (1, "getsockname)"); + + addrlen = sizeof(remote); + if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0 + || addrlen != sizeof(remote)) + err (1, "getpeername"); + + input_token = &real_input_token; + output_token = &real_output_token; + + do { + nt_read_token (sock, input_token); + maj_stat = + gss_accept_sec_context (&min_stat, + &context_hdl, + GSS_C_NO_CREDENTIAL, + input_token, + GSS_C_NO_CHANNEL_BINDINGS, + &client_name, + NULL, + output_token, + NULL, + NULL, + NULL); + if(GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_accept_sec_context"); + if (output_token->length != 0) + nt_write_token (sock, output_token); + if (GSS_ERROR(maj_stat)) { + if (context_hdl != GSS_C_NO_CONTEXT) + gss_delete_sec_context (&min_stat, + &context_hdl, + GSS_C_NO_BUFFER); + break; + } + } while(maj_stat & GSS_S_CONTINUE_NEEDED); + + if (auth_file != NULL) { + 
gss_buffer_desc data; + + maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat, + context_hdl, + KRB5_AUTHDATA_WIN2K_PAC, + &data); + if (maj_stat == GSS_S_COMPLETE) { + rk_dumpdata(auth_file, data.value, data.length); + gss_release_buffer(&min_stat, &data); + } + } + + maj_stat = gss_display_name (&min_stat, + client_name, + &name_token, + NULL); + if (GSS_ERROR(maj_stat)) + gss_err (1, min_stat, "gss_display_name"); + + fprintf (stderr, "User is `%.*s'\n", (int)name_token.length, + (char *)name_token.value); + + /* write something back */ + + output_token->value = strdup ("hejsan"); + output_token->length = strlen (output_token->value) + 1; + nt_write_token (sock, output_token); + + output_token->value = strdup ("hoppsan"); + output_token->length = strlen (output_token->value) + 1; + nt_write_token (sock, output_token); + + return 0; +} + +static int +doit (int port, const char *service) +{ + int sock, sock2; + struct sockaddr_in my_addr; + int one = 1; + + sock = socket (AF_INET, SOCK_STREAM, 0); + if (sock < 0) + err (1, "socket"); + + memset (&my_addr, 0, sizeof(my_addr)); + my_addr.sin_family = AF_INET; + my_addr.sin_port = port; + my_addr.sin_addr.s_addr = INADDR_ANY; + + if (setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, + (void *)&one, sizeof(one)) < 0) + warn ("setsockopt SO_REUSEADDR"); + + if (bind (sock, (struct sockaddr *)&my_addr, sizeof(my_addr)) < 0) + err (1, "bind"); + + if (listen (sock, 1) < 0) + err (1, "listen"); + + sock2 = accept (sock, NULL, NULL); + if (sock2 < 0) + err (1, "accept"); + + return proto (sock2, service); +} + +static void +usage(int code, struct getargs *args, int num_args) +{ + arg_printusage(args, num_args, NULL, ""); + exit(code); +} + +static int +common_setup(krb5_context *context, int *argc, char **argv, + void (*usage)(int, struct getargs*, int)) +{ + int port = 0; + *argc = krb5_program_setup(context, *argc, argv, args, num_args, usage); + + if(help_flag) + (*usage)(0, args, num_args); + if(version_flag) { 
+ print_version(NULL); + exit(0); + } + + if(port_str){ + struct servent *s = roken_getservbyname(port_str, "tcp"); + if(s) + port = s->s_port; + else { + char *ptr; + + port = strtol (port_str, &ptr, 10); + if (port == 0 && ptr == port_str) + errx (1, "Bad port `%s'", port_str); + port = htons(port); + } + } + + if (port == 0) + port = krb5_getportbyname (*context, PORT, "tcp", 4711); + + return port; +} + +static int +setup(krb5_context *context, int argc, char **argv) +{ + int port = common_setup(context, &argc, argv, usage); + if(argv[argc] != NULL) + usage(1, args, num_args); + return port; +} + +int +main(int argc, char **argv) +{ + krb5_context context = NULL; /* XXX */ + int port = setup(&context, argc, argv); + return doit (port, service); +} diff --git a/third_party/heimdal/appl/test/tcp_client.c b/third_party/heimdal/appl/test/tcp_client.c new file mode 100644 index 0000000..2bbb068 --- /dev/null +++ b/third_party/heimdal/appl/test/tcp_client.c 
@@ -0,0 +1,132 @@ +/* + * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "test_locl.h" +RCSID("$Id$"); + +krb5_context context; + +static int +proto (int sock, const char *hostname, const char *service) +{ + krb5_auth_context auth_context; + krb5_error_code status; + krb5_principal server; + krb5_data data; + krb5_data packet; + uint32_t len, net_len; + + status = krb5_auth_con_init (context, &auth_context); + if (status) + krb5_err (context, 1, status, "krb5_auth_con_init"); + + status = krb5_auth_con_setaddrs_from_fd (context, + auth_context, + &sock); + if (status) + krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd"); + + status = krb5_sname_to_principal (context, + hostname, + service, + KRB5_NT_SRV_HST, + &server); + if (status) + krb5_err (context, 1, status, "krb5_sname_to_principal"); + + status = krb5_sendauth (context, + &auth_context, + &sock, + VERSION, + NULL, + server, + AP_OPTS_MUTUAL_REQUIRED, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL); + if (status) + krb5_err (context, 1, status, "krb5_sendauth"); + + data.data = "hej"; + data.length = 3; + + krb5_data_zero (&packet); + + status = krb5_mk_safe (context, + auth_context, + &data, + &packet, + NULL); + if (status) + krb5_err (context, 1, status, "krb5_mk_safe"); + + len = packet.length; + net_len = htonl(len); + + if (krb5_net_write (context, &sock, &net_len, 4) != 4) + err (1, "krb5_net_write"); + if (krb5_net_write (context, &sock, packet.data, len) != len) + err (1, "krb5_net_write"); + + data.data = "hemligt"; + data.length = 7; + + krb5_data_free (&packet); + + status = krb5_mk_priv (context, + auth_context, + &data, + &packet, + NULL); + if (status) + krb5_err (context, 1, status, "krb5_mk_priv"); + + len = packet.length; + net_len = htonl(len); + + if (krb5_net_write (context, &sock, &net_len, 4) != 4) + err (1, "krb5_net_write"); + if (krb5_net_write (context, &sock, packet.data, len) != len) + err (1, "krb5_net_write"); + return 0; +} + +int +main(int argc, char **argv) +{ + int port = client_setup(&context, &argc, argv); + 
return client_doit (argv[argc], port, service, proto); +} diff --git a/third_party/heimdal/appl/test/tcp_server.c b/third_party/heimdal/appl/test/tcp_server.c new file mode 100644 index 0000000..50d1bf4 --- /dev/null +++ b/third_party/heimdal/appl/test/tcp_server.c 
@@ -0,0 +1,205 @@ +/* + * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * A sample server that uses the Kerberos V5 API. + * + * See "Introduction to the Kerberos 5 API" in the Doxygen documentation + * for a walkthrough of this code. + */ + +#include "test_locl.h" +RCSID("$Id$"); + +/* The API needs one Kerberos context per thread. 
*/ +krb5_context context; + +static int +proto (int sock, const char *service) +{ + krb5_auth_context auth_context; + krb5_error_code status; + krb5_principal server; + krb5_ticket *ticket; + char *name; + char hostname[MAXHOSTNAMELEN]; + krb5_data packet; + krb5_data data; + uint32_t len, net_len; + ssize_t n; + + /* Initialize the authentication context, to be used to authenticate the peer. */ + status = krb5_auth_con_init (context, &auth_context); + if (status) + krb5_err (context, 1, status, "krb5_auth_con_init"); + + /* Extract the local and remote address from the socket into auth_context. */ + status = krb5_auth_con_setaddrs_from_fd (context, + auth_context, + &sock); + if (status) + krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd"); + + if (gethostname (hostname, sizeof(hostname)) < 0) + krb5_err (context, 1, errno, "gethostname"); + + /* Create principal "server" for "service" on "hostname" (this host). */ + status = krb5_sname_to_principal (context, + hostname, + service, + KRB5_NT_SRV_HST, + &server); + if (status) + krb5_err (context, 1, status, "krb5_sname_to_principal"); + + /* + * Perform the server side of the sendauth protocol. On success, "ticket" + * contains the authenticated credentials of the client. + */ + status = krb5_recvauth (context, + &auth_context, + &sock, + VERSION, + server, + 0, /* flags */ + keytab, + &ticket); + if (status) + krb5_err (context, 1, status, "krb5_recvauth"); + + /* Extract the client name as a string. */ + status = krb5_unparse_name (context, + ticket->client, + &name); + if (status) + krb5_err (context, 1, status, "krb5_unparse_name"); + + fprintf (stderr, "User is `%s'\n", name); + free (name); + + krb5_data_zero (&data); + krb5_data_zero (&packet); + + /* + * Read the payload (encoded as length, value). 
+ */ + n = krb5_net_read (context, &sock, &net_len, 4); + if (n == 0) + krb5_errx (context, 1, "EOF in krb5_net_read"); + if (n < 0) + krb5_err (context, 1, errno, "krb5_net_read"); + + len = ntohl(net_len); + + krb5_data_alloc (&packet, len); + + n = krb5_net_read (context, &sock, packet.data, len); + if (n == 0) + krb5_errx (context, 1, "EOF in krb5_net_read"); + if (n < 0) + krb5_err (context, 1, errno, "krb5_net_read"); + + /* + * Expect a KRB_SAFE message (authenticated, not encrypted) + */ + status = krb5_rd_safe (context, + auth_context, + &packet, + &data, + NULL); + if (status) + krb5_err (context, 1, status, "krb5_rd_safe"); + + fprintf (stderr, "safe packet: %.*s\n", (int)data.length, + (char *)data.data); + + /* + * Read the payload (encoded as length, value). + */ + n = krb5_net_read (context, &sock, &net_len, 4); + if (n == 0) + krb5_errx (context, 1, "EOF in krb5_net_read"); + if (n < 0) + krb5_err (context, 1, errno, "krb5_net_read"); + + len = ntohl(net_len); + + krb5_data_alloc (&packet, len); + + n = krb5_net_read (context, &sock, packet.data, len); + if (n == 0) + krb5_errx (context, 1, "EOF in krb5_net_read"); + if (n < 0) + krb5_err (context, 1, errno, "krb5_net_read"); + + /* + * Expect a KRB_PRIV message (authenticated and encrypted) + */ + status = krb5_rd_priv (context, + auth_context, + &packet, + &data, + NULL); + if (status) + krb5_err (context, 1, status, "krb5_rd_priv"); + + fprintf (stderr, "priv packet: %.*s\n", (int)data.length, + (char *)data.data); + + return 0; +} + +static int +doit (int port, const char *service) +{ + /* Block waiting for a connection. */ + mini_inetd (port, NULL); + + return proto (STDIN_FILENO, service); +} + +/* + * Process only one connection and then exit. 
+ */ +int +main(int argc, char **argv) +{ + int port = server_setup(&context, argc, argv); + krb5_error_code ret; + + ret = krb5_kt_have_content(context, keytab); + if (ret) + krb5_err (context, 1, ret, "krb5_kt_have_content"); + + return doit (port, service); +} diff --git a/third_party/heimdal/appl/test/test_locl.h b/third_party/heimdal/appl/test/test_locl.h new file mode 100644 index 0000000..dba2bba --- /dev/null +++ b/third_party/heimdal/appl/test/test_locl.h 
@@ -0,0 +1,89 @@ +/* + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +/* $Id$ */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_NETINET_IN6_H +#include +#endif +#ifdef HAVE_NETINET6_IN6_H +#include +#endif + +#ifdef HAVE_PWD_H +#include +#endif +#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_SYS_PARAM_H +#include +#endif +#include +#include +#include +#include +#include + +#define SERVICE "test" + +#define PORT "test" + +extern char *service; +extern char *mech; +extern char *keytab_str; +extern krb5_keytab keytab; +extern int fork_flag; +int server_setup(krb5_context*, int, char**); +int client_setup(krb5_context*, int*, char**); +int client_doit (const char *hostname, int port, const char *service, + int (*func)(int, const char *hostname, const char *service)); diff --git a/third_party/heimdal/appl/test/uu_client.c b/third_party/heimdal/appl/test/uu_client.c new file mode 100644 index 0000000..15e7899 --- /dev/null +++ b/third_party/heimdal/appl/test/uu_client.c 
@@ -0,0 +1,192 @@ +/* + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "test_locl.h" +RCSID("$Id$"); + +krb5_context context; + +static int +proto (int sock, const char *hostname, const char *service) +{ + struct sockaddr_storage remote, local; + socklen_t addrlen; + krb5_address remote_addr, local_addr; + krb5_context context; + krb5_ccache ccache; + krb5_auth_context auth_context; + krb5_error_code status; + krb5_principal client; + krb5_data data; + krb5_data packet; + krb5_creds mcred, cred; + krb5_ticket *ticket; + + addrlen = sizeof(local); + if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0 + || addrlen > sizeof(local)) + err (1, "getsockname(%s)", hostname); + + addrlen = sizeof(remote); + if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0 + || addrlen > sizeof(remote)) + err (1, "getpeername(%s)", hostname); + + status = krb5_init_context(&context); + if (status) + errx(1, "krb5_init_context failed: %d", status); + + status = krb5_cc_default (context, &ccache); + if (status) + krb5_err(context, 1, status, "krb5_cc_default"); + + status = krb5_auth_con_init (context, &auth_context); + if (status) + krb5_err(context, 1, status, "krb5_auth_con_init"); + + status = krb5_sockaddr2address (context, (struct sockaddr *)&local, &local_addr); + if (status) + krb5_err(context, 1, status, "krb5_sockaddr2address(local)"); + status = krb5_sockaddr2address (context, (struct sockaddr *)&remote, &remote_addr); + if (status) + krb5_err(context, 1, status, "krb5_sockaddr2address(remote)"); + + status = krb5_auth_con_setaddrs (context, + auth_context, + &local_addr, + &remote_addr); + if (status) + krb5_err(context, 1, status, "krb5_auth_con_setaddr"); + + krb5_cc_clear_mcred(&mcred); + + status = krb5_cc_get_principal(context, ccache, &client); + if(status) + krb5_err(context, 1, status, "krb5_cc_get_principal"); + status = krb5_make_principal(context, &mcred.server, + krb5_principal_get_realm(context, client), + "krbtgt", + krb5_principal_get_realm(context, client), + NULL); + if(status) + 
krb5_err(context, 1, status, "krb5_make_principal"); + mcred.client = client; + + status = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred); + if(status) + krb5_err(context, 1, status, "krb5_cc_retrieve_cred"); + + { + char *client_name; + krb5_data data; + status = krb5_unparse_name(context, cred.client, &client_name); + if(status) + krb5_err(context, 1, status, "krb5_unparse_name"); + data.data = client_name; + data.length = strlen(client_name) + 1; + status = krb5_write_message(context, &sock, &data); + if(status) + krb5_err(context, 1, status, "krb5_write_message"); + free(client_name); + } + + status = krb5_write_message(context, &sock, &cred.ticket); + if(status) + krb5_err(context, 1, status, "krb5_write_message"); + + status = krb5_auth_con_setuserkey(context, auth_context, &cred.session); + if(status) + krb5_err(context, 1, status, "krb5_auth_con_setuserkey"); + + status = krb5_recvauth(context, &auth_context, &sock, + VERSION, client, 0, NULL, &ticket); + + if (status) + krb5_err(context, 1, status, "krb5_recvauth"); + + if (ticket->ticket.authorization_data) { + AuthorizationData *authz; + int i; + + printf("Authorization data:\n"); + + authz = ticket->ticket.authorization_data; + for (i = 0; i < authz->len; i++) { + printf("\ttype %d, length %lu\n", + authz->val[i].ad_type, + (unsigned long)authz->val[i].ad_data.length); + } + } + + data.data = "hej"; + data.length = 3; + + krb5_data_zero (&packet); + + status = krb5_mk_safe (context, + auth_context, + &data, + &packet, + NULL); + if (status) + krb5_err(context, 1, status, "krb5_mk_safe"); + + status = krb5_write_message(context, &sock, &packet); + if(status) + krb5_err(context, 1, status, "krb5_write_message"); + + data.data = "hemligt"; + data.length = 7; + + krb5_data_free (&packet); + + status = krb5_mk_priv (context, + auth_context, + &data, + &packet, + NULL); + if (status) + krb5_err(context, 1, status, "krb5_mk_priv"); + + status = krb5_write_message(context, &sock, &packet); + 
if(status) + krb5_err(context, 1, status, "krb5_write_message"); + return 0; +} + +int +main(int argc, char **argv) +{ + int port = client_setup(&context, &argc, argv); + return client_doit (argv[argc], port, service, proto); +} diff --git a/third_party/heimdal/appl/test/uu_server.c b/third_party/heimdal/appl/test/uu_server.c new file mode 100644 index 0000000..6e04699 --- /dev/null +++ b/third_party/heimdal/appl/test/uu_server.c 
@@ -0,0 +1,195 @@ +/* + * Copyright (c) 1997 - 2000, 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "test_locl.h" +RCSID("$Id$"); + +krb5_context context; + +static int +proto (int sock, const char *service) +{ + struct sockaddr_storage remote, local; + socklen_t addrlen; + krb5_address remote_addr, local_addr; + krb5_ccache ccache; + krb5_auth_context auth_context; + krb5_error_code status; + krb5_data packet; + krb5_data data; + krb5_data client_name; + krb5_creds in_creds, *out_creds; + + addrlen = sizeof(local); + if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0 + || addrlen > sizeof(local)) + err (1, "getsockname)"); + + addrlen = sizeof(remote); + if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0 + || addrlen > sizeof(remote)) + err (1, "getpeername"); + + status = krb5_auth_con_init (context, &auth_context); + if (status) + krb5_err(context, 1, status, "krb5_auth_con_init"); + + status = krb5_sockaddr2address (context, (struct sockaddr *)&local, &local_addr); + if (status) + krb5_err(context, 1, status, "krb5_sockaddr2address(local)"); + status = krb5_sockaddr2address (context, (struct sockaddr *)&remote, &remote_addr); + if (status) + krb5_err(context, 1, status, "krb5_sockaddr2address(remote)"); + + status = krb5_auth_con_setaddrs (context, + auth_context, + &local_addr, + &remote_addr); + if (status) + krb5_err(context, 1, status, "krb5_auth_con_setaddr"); + + status = krb5_read_message(context, &sock, &client_name); + if(status) + krb5_err(context, 1, status, "krb5_read_message"); + + memset(&in_creds, 0, sizeof(in_creds)); + status = krb5_cc_default(context, &ccache); + if(status) + krb5_err(context, 1, status, "krb5_cc_default"); + status = krb5_cc_get_principal(context, ccache, &in_creds.client); + if(status) + krb5_err(context, 1, status, "krb5_cc_get_principal"); + + status = krb5_read_message(context, &sock, &in_creds.second_ticket); + if(status) + krb5_err(context, 1, status, "krb5_read_message"); + + status = krb5_parse_name(context, client_name.data, &in_creds.server); + if(status) + 
krb5_err(context, 1, status, "krb5_parse_name"); + + status = krb5_get_credentials(context, KRB5_GC_USER_USER, ccache, + &in_creds, &out_creds); + if(status) + krb5_err(context, 1, status, "krb5_get_credentials"); + krb5_cc_close(context, ccache); + ccache = NULL; + + status = krb5_cc_default(context, &ccache); + if(status) + krb5_err(context, 1, status, "krb5_cc_default"); + + status = krb5_sendauth(context, + &auth_context, + &sock, + VERSION, + in_creds.client, + in_creds.server, + AP_OPTS_USE_SESSION_KEY, + NULL, + out_creds, + ccache, + NULL, + NULL, + NULL); + krb5_cc_close(context, ccache); + ccache = NULL; + + if (status) + krb5_err(context, 1, status, "krb5_sendauth"); + + { + char *str; + krb5_unparse_name(context, in_creds.server, &str); + printf ("User is `%s'\n", str); + free(str); + krb5_unparse_name(context, in_creds.client, &str); + printf ("Server is `%s'\n", str); + free(str); + } + + krb5_free_principal(context, in_creds.client); + krb5_free_principal(context, in_creds.server); + + krb5_data_zero (&data); + krb5_data_zero (&packet); + + status = krb5_read_message(context, &sock, &packet); + if(status) + krb5_err(context, 1, status, "krb5_read_message"); + + status = krb5_rd_safe (context, + auth_context, + &packet, + &data, + NULL); + if (status) + krb5_err(context, 1, status, "krb5_rd_safe"); + + printf ("safe packet: %.*s\n", (int)data.length, + (char *)data.data); + + status = krb5_read_message(context, &sock, &packet); + if(status) + krb5_err(context, 1, status, "krb5_read_message"); + + status = krb5_rd_priv (context, + auth_context, + &packet, + &data, + NULL); + if (status) + krb5_err(context, 1, status, "krb5_rd_priv"); + + printf ("priv packet: %.*s\n", (int)data.length, + (char *)data.data); + + return 0; +} + +static int +doit (int port, const char *service) +{ + rk_socket_t sock; + + mini_inetd(port, &sock); + + return proto(sock, service); +} + +int +main(int argc, char **argv) +{ + int port = server_setup(&context, argc, argv); + 
return doit (port, service); +} diff --git a/third_party/heimdal/apply_heimdal.sh b/third_party/heimdal/apply_heimdal.sh new file mode 100755 index 0000000..fc9aa29 --- /dev/null +++ b/third_party/heimdal/apply_heimdal.sh @@ -0,0 +1,84 @@ +#!/bin/bash + +[ $# == 2 ] || { + echo "Usage: apply_heimdal.sh " + exit 1 +} + +LORIKEET_PATH="$1" +IMPORT_HASH="$2" +S4PATH="$PWD" + +pushd $LORIKEET_PATH || exit 1 +git reset --hard +git am --abort +popd + +# From https://gist.github.com/kfish/7425248 + +apply () { + filename=$1 + shift + patch_args=$* + + gotSubject=no + msg="" + + cat $filename | while read line; do + if [ "$line" == "---" ]; then + + patch $patch_args -p1 < $filename + git commit -a -m 'CHECK AUTHOR' -m "$msg" + + break + fi + if [ "$gotSubject" == "no" ]; then + hdr=(${line//:/ }) + if [ "${hdr[0]}" == "Subject" ]; then + gotSubject=yes + msg="${hdr[@]:3}" + fi + else + msg="$msg $line" + fi + msg="$msg +" + done +} + +try_patch() { + commit="$1" + git format-patch --stdout $commit -1 source4/heimdal > "$commit".patch + sed -i 's|/source4/heimdal/|/|g' "$commit".patch + sed -i "s|^---$|(cherry picked from Samba commit $commit)\n---|g" "$commit".patch + pushd $LORIKEET_PATH || exit 1 + git reset --hard + echo + if patch -p1 --forward < "$S4PATH/$commit.patch"; then + echo + echo "Commit $commit can apply - applying" + git reset --hard + git am "$S4PATH/$commit.patch" || apply "$S4PATH/$commit.patch" + else + echo + echo "Commit $commit does not apply cleanly" + echo + fi + git am --abort + popd || exit 1 +} + +commits="$(git log --pretty=oneline --reverse $IMPORT_HASH..HEAD -- source4/heimdal | cut -d' ' -f1)" +for c in $commits; do + git log $c -1 + echo -n "Try apply? [Y/n] " + read answer + case $answer in + n*) + continue + ;; + *) + try_patch $c + ;; + esac +done diff --git a/third_party/heimdal/appveyor.yml b/third_party/heimdal/appveyor.yml new file mode 100644 index 0000000..fa56c4c --- /dev/null +++ b/third_party/heimdal/appveyor.yml 
@@ -0,0 +1,85 @@ +# +# This file tells appveyor.com how to build Heimdal on Windows. +# Appveyor is a continuous integration (CI) service for github and other +# users, and is free for public repositories. +# + +version: '1.0.{build}' + +image: + - Visual Studio 2019 + +install: + # HACK -- pacman installation in Appveyor seems broken + # Taken from https://github.com/johnkerl/miller/blob/master/appveyor.yml + # (which is gone) + #- ps: dir 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Microsoft SDKs\Windows' -Recurse + - set "PATH=C:\msys64\usr\bin;%PATH%" + - set "PATH=C:\%MSYS2_DIR%\%MSYSTEM%\bin;C:\%MSYS2_DIR%\usr\bin;%PATH%" + - bash -lc "mkdir -p /var/lib/pacman/sync/" + - bash -lc "pacman-key --init" + - bash -lc "pacman-key --populate msys2" + - bash -lc "curl -O http://repo.msys2.org/msys/x86_64/msys2-keyring-1~20211228-1-any.pkg.tar.zst" + - bash -lc "curl -O http://repo.msys2.org/msys/x86_64/msys2-keyring-1~20211228-1-any.pkg.tar.zst.sig" + - bash -lc "pacman --noconfirm -U --config <(echo) msys2-keyring-1~20211228-1-any.pkg.tar.zst" + - bash -lc "mkdir -p /var/lib/pacman/sync/" + - bash -lc "pacman-key --init" + - bash -lc "pacman-key --populate msys2" + - bash -lc "pacman -S --noconfirm --refresh pacman" + - bash -lc "pacman -S --needed --noconfirm pacman-mirrors" + - bash -lc "pacman -S --needed --noconfirm mingw-w64-x86_64-toolchain autoconf automake libtool make patch mingw-w64-x86_64-libtool" + - bash -lc "pacman -S --needed --noconfirm bison flex" + - bash -lc "pacman -S --needed --noconfirm perl perl-JSON" + +build_script: + # build using Windows 10 SDK + - set "WINSDKVER=10.0.22000.0" + - call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsall.bat" amd64 %WINSDKVER% + - set "WIXDIR=c:\Program Files (x86)\Windows Installer XML v3.5" + # We're not doing any codesigning in the Appveyor build yet. 
+ - SET "CODESIGN_PKT=0000000000000000" + - set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop" + - set "PATH=%PATH%;C:/msys64/usr/bin" + - set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin" + # double check this, should it be x86 or x64? + - set "PATH=%PATH%;%WindowsSdkVerBinPath%\x86" + - set "PATH=C:\Python310-x64;%PATH%" + - set dbg__type=Debug + - title Heimdal Build %CPU% %dbg__type% + - echo PATH=%PATH% + # target Windows 10 API + - set APPVER=10.0 + # Newer texinfo has no .exe's, so we have to invoke it as + # "perl ...\makeinfo ...". See doc/NTMakefile. + - nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 + - 7z a heimdal.zip C:\projects\heimdal + +test_script: + # Packages are not validated in the Appveyor build, FYI. + - nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test + +artifacts: + - path: heimdal-out.zip + name: heimdal-out + - path: heimdal.zip + name: heimdal + +on_failure: + - 7z a heimdal-out.zip C:\projects\heimdal + - appveyor PushArtifact heimdal-out.zip + +# To get RDP access to an appveyor worker for debugging a build, just +# uncomment these next two lines and the last two lines too. +#init: +# - ps: iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1')) + +# Uncomment this to allow the RDP session to continue after the build +# finishes. +# +# There's a delete-me file on the desktop that one should delete when +# one is done with the worker. RDP sessions are capped at 60 minutes as +# of this writing. +# +#on_finish: +# - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1')) + diff --git a/third_party/heimdal/autogen.sh b/third_party/heimdal/autogen.sh new file mode 100755 index 0000000..0817912 --- /dev/null +++ b/third_party/heimdal/autogen.sh 
@@ -0,0 +1,17 @@ +#!/bin/sh +# +# to really generate all files you need to run "make distcheck" in a +# object tree, but this will do if you have all parts of the required +# tool-chain installed +set -e +autoreconf -f -i || { echo "autoreconf failed: $?"; exit 1; } +find . \( -name '*-private.h' -o -name '*-protos.h' \) | xargs rm -f +perl -MJSON -e 'print foo;' || \ + { echo "you must install JSON perl module (cpan install JSON)"; exit 1; } +# +# This is to build the DISTFILES into the disttree for heimdal-lorikeet +# +./configure || exit 1 +make distdir-in-tree || exit 1 +make distclean || exit 1 +exit 0 diff --git a/third_party/heimdal/cf/ChangeLog b/third_party/heimdal/cf/ChangeLog new file mode 100644 index 0000000..8bd0b3e --- /dev/null +++ b/third_party/heimdal/cf/ChangeLog 
@@ -0,0 +1,1295 @@ +2008-07-26 Love Hörnquist Åstrand + + * krb-ipv6.m4: Patch from Björn Schlögl to enable disable-ness of + ipv6. + +2008-05-20 Love Hörnquist Åstrand + + * sunos.m4: Detect solaris2.11 and later and assume its sunos=58. + Bug report from Klas Heggemann. + +2008-05-05 Love Hörnquist Åstrand + + * version-script.m4: Add -rpath to avoid building a convince + library, also sprinkle some other options to make the link line + more like automake's. + +2008-04-29 Love Hörnquist Åstrand + + * version-script.m4: use libtool to probe for version script to + make it work on amd64/ia64 where -fpic in needed to build shared + objects. + +2008-04-24 Björn Sandell + + * pthreads.m4: macros for OpenBSD + +2008-04-17 Love Hörnquist Åstrand + + * make-proto.pl: Define both export variables. + + * win32.m4: Export _FUNCTION and _VARIABLE for _win32 magic + + * krb-ipv6.m4: Rename cache variable to AC_CACHE_CHECK to make the + cached. + + * win32.m4: replace _export with __declspec(dllexport) + + * make-proto.pl: Add __declspec(dllimport) to the exported + functions. + +2008-04-07 Love Hörnquist Åstrand + + * wflags.m4: Add -Wstrict-overflow=5 as an example. + +2008-03-25 Love Hörnquist Åstrand + + * install-catman.sh: Match man_MANS = files with directories in + them. + +2008-02-23 Love Hörnquist Åstrand + + * make-proto.pl: Handle c-comments. + + * Makefile.am.common: Make DEFAULT_INCLUDES work better, avoid + picking up the wrong headerfiles. $(top_builddir)/include vs + ${builddir}. + +2008-01-21 Love Hörnquist Åstrand + + * Makefile.am.common: remove the check-symbols check + + * check-symbols.sh: removed, use version script instead + +2007-10-01 Love Hörnquist Åstrand + + * crypto.m4: openssl might require -ldl too, so lets check that. + +2007-07-31 Love Hörnquist Åstrand + + * Makefile.am.common (check-local::): exit on failure to perform + test. + +2007-07-28 Love Hörnquist Åstrand + + * Makefile.am.common (check-local): also check that --help works. 
+ +2007-07-17 Love Hörnquist Åstrand + + * crypto.m4: depend on EVP_CIPHER_iv_length + +2007-06-27 Love Hörnquist Åstrand + + * Makefile.am.common: Need absolute reference to the top source + directory and top build directory. + +2007-06-20 Love Hörnquist Åstrand + + * wflags.m4: Add --enable-developer and make it cause -Werror to + be included. + +2007-06-18 Love Hörnquist Åstrand + + * Makefile.am.common: Merge from samba config. + + * Makefile.am.common (makedir-in-tree): depend on INFO_DEPS. + + * valgrind-suppressions: Unknown suppression in runtime link + editor + +2007-06-08 Love Hörnquist Åstrand + + * Makefile.am.common: Add heimdal-lorikeet target distdir-in-tree + +2007-06-04 Love Hörnquist Åstrand + + * framework-security.m4: test for -framework Security + +2007-05-10 Love Hörnquist Åstrand + + * roken-frag.m4: we have a fnmatch.h only if there is a working + implementation and a header file. If we do use roken, lets use our + own headerfile that does symbol renaming. + +2007-04-19 Love Hörnquist Åstrand + + * version-script.m4: check if ld supports --version-script + +2007-04-11 Love Hörnquist Åstrand + + * roken-frag.m4: drop broken-getnameinfo.m4 + + * roken-frag.m4: drop test for broken getnameinfo, that old aix is + no longer relevant. + +2007-02-16 Love Hörnquist Åstrand + + * install-catman.sh: Stop overwriting cmd. + +2007-01-15 Love Hörnquist Åstrand + + * install-catman.sh: Use test instead of [. + + * install-catman.sh: Use = instead of ==, make solaris more happy. + +2007-01-08 Love Hörnquist Åstrand + + * roken-frag.m4: More headerfiles for iruserok prototype check. + + * check-symbols.sh: Add fc_softc for AIX as ignore syms. + +2007-01-04 Love Hörnquist Åstrand + + * roken-frag.m4: Check if iruserok needs a prototype. 
+ +2006-12-06 Love Hörnquist Åstrand + + * check-compile-et.m4: set automake symbol COM_ERR when we build + local com_err + +2006-11-16 Love Hörnquist Åstrand + + * valgrind-suppressions: We shouldn't be running /bin/ls under + valgrind, but for now, at least make it easier to see any other + warnings. From Andrew Bartlett. + +2006-10-22 Love Hörnquist Åstrand + + * Makefile.am.common: Add target for valgrind debugging + + * valgrind-suppressions: valgrind suppressions + +2006-10-21 Love Hörnquist Åstrand + + * check-lex.m4: Borrow test for autoconf cvs to help hpux hosts + +2006-10-20 Love Hörnquist Åstrand + + * Makefile.am.common: provide uninstall hook for cat/manpages. + + * install-catman.sh: provide uninstall command + +2006-10-19 Love Hörnquist Åstrand + + * roken-frag.m4: Add check for timegm. + + * roken-frag.m4: Include sys/types.h for sys/socket.h and netdb.h. + +2006-10-07 Love Hörnquist Åstrand + + * Makefile.am.common (install-build-headers): make this function + convoluted and deal with dist_, nodist, nobase and all its + friends. + + * have-struct-field.m4: memset the structure to make sure that we + don't get compiler warnings. + + * crypto.m4: OpenSSL_add_all_algorithms is not a openssl specific + requirement, hcrypto need to have to too. + + * crypto.m4: Require openssl have OpenSSL_add_all_algorithms + +2006-10-04 Love Hörnquist Åstrand + + * autobuild.m4: Add autobuild, GPLed, but free to use in projects + not avaible under GPL or LGPL (just like autoconf). + +2006-09-16 Love Hörnquist Åstrand + + * roken-frag.m4: Add samba_SOCKET_WRAPPER fragment + +2006-09-12 Love Hörnquist Åstrand + + * socket-wrapper.m4: Add socket-wrapper test + +2006-05-06 Love Hörnquist Åstrand + + * crypto.m4: Move up evp.h to please OpenSSL, from Douglas + E. Engert. + +2006-04-22 Love Hörnquist Åstrand + + * roken-frag.m4: Add check for fnmatch.h, its needed to be done + for the automake conditional below. 
+ +2006-04-15 Love Hörnquist Åstrand + + * crypto.m4: Require SHA256 + +2006-01-18 Love Hörnquist Åstrand + + * crypto.m4 Check for if we are to consider + using OpenSSL, also check for headers since + make_crypto.c assumes that the name of the files. + +2006-01-13 Love Hörnquist Åstrand + + * crypto.m4: libdes is renamed to hcrypto + + * crypto.m4: Remove support for old hash names. + +2005-10-26 Love Hörnquist Åstrand + + * install-catman.sh: Add variable INSTALL_CATPAGES that controls + if cat pages are installed, defaults to true. From Johnny Lam + . + +2005-09-28 Love Hörnquist Åstrand + + * roken-frag.m4: Check for and uintptr_t + +2005-09-02 Love Hörnquist Åstrand + + * roken-frag.m4: Resolver check moved to rk_RESOLV, from Andrew + Bartlet + + * resolv.m4: Resolver checks, broken out so samba can use it From + Andrew Bartlet + +2005-08-22 Love Hörnquist Åstrand + + * roken-frag.m4: Check for res_ndestroy. + +2005-08-03 Love Hörnquist Åstrand + + * crypto.m4: Add , OpenSSL 0.9.8 needs it for size_t. + 
From: Quanah Gibson-Mount + +2005-07-12 Love Hörnquist Åstrand + + * check-compile-et.m4: check that initialize_conf_error_table_r + have the right argument + +2005-07-07 Love Hörnquist Åstrand + + * check-symbols.sh: allow symbols to start with ., aix uses this + +2005-06-16 Love Hörnquist Åstrand + + * krb-bigendian.m4: use ansi c prototypes + + * krb-func-getcwd-broken.m4: use ansi c prototypes + + * broken-snprintf.m4: use ansi c prototypes + + * have-pragma-weak.m4: use ansi c declarations + + * check-getpwnam_r-posix.m4: use ansi c declarations + + * broken-realloc.m4: use ansi c declarations + + * check-compile-et.m4: use ansi c declarations + + * dlopen.m4: add headers and argument to dlopen + + * c-function.m4: use ansi c declarations + + * check-var.m4: use ansi c declarations + + * pthreads.m4: disable threads on aix because of utmp/utmpx + problems + + * broken-getaddrinfo.m4: check for brokenness in getaddrinfo on + AIX that can't handle "0" as port number. + +2005-06-11 Love Hörnquist Åstrand + + * db.m4: Add an option to disable ndbm, from Stefan Metzmacher + + +2005-06-03 Love Hörnquist Åstrand + + * pthreads.m4: rework how pthreads support to turned on/off, + always run though the switch to figure out what the + linker/compiler flag are + +2005-06-01 Love Hörnquist Åstrand + + * pthreads.m4: s/else if/elif/ + + * check-symbols.sh: AIX have a diffrent nm, use -B to get bsd like + output + + * pthreads.m4: aix case: assume gcc handles -pthread, in the + non-gcc case, use the compiler as hint (xlc vs xlc_r) if this + environment handles threads or not + +2005-05-22 Love Hörnquist Åstrand + + * check-symbols.sh: ignore weak symbols too + +2005-05-19 David Love + + * check-getpwnam_r-posix.m4: define _POSIX_PTHREAD_SEMANTICS to + make solaris provide the right getpwname_r + +2005-05-17 Johan Danielsson + + * roken-frag.m4: am_conditional have_cgetent + +2005-05-10 David Love + + * roken-frag.m4: Get daemon declared on Solaris (it's in unistd.h + but 
masked by a feature test), just to avoid a warning, since it + has int args. + +2005-05-11 Love Hörnquist Åstrand + + * check-var.m4: AC_CHECK_DECL and AC_CHECK_DECLS have a subtile + diffrence, the later defines HAVE_ cpp symbols, the first doesn't. + +2005-05-05 Love Hörnquist Åstrand + + * check-symbols.sh: ignore N symbols too + +2005-04-30 Love Hörnquist Åstrand + + * broken-snprintf.m4: include checking if snprintf(NULL, 0, "") + works + + * check-compile-et.m4: require compile_et to generate a + initialize_FOO_error_table_r (they are used in libkrb5), and + always check for initialize_error_table_r + +2005-04-29 Love Hörnquist Åstrand + + * Makefile.am.common: add LIB_com_err + +2005-04-29 David Love + + * roken-frag.m4: Check for correct vis.h. + +2005-04-28 David Love + + * pthreads.m4: Set PTHREADS_LIBS on Irix. + +2005-04-27 Love Hörnquist Åstrand + + * broken-realloc.m4: use rk_realloc if realloc is broken, this + makes "host-tools" not beeing able to use realloc + + * pthreads.m4: Add support for Solaris, Irix, and modern + Linux. From David Love + +2005-04-25 Love Hörnquist Åstrand + + * check-symbols.sh: limit the units functions to + asn1_[A-Za-z0-9]*_units$ + +2005-04-20 Love Hörnquist Åstrand + + * check-symbols.sh: this lib include com_err, add -com_err to + CHECK_SYMBOLS + + * check-symbols.sh: print the type so I don't need to ask for it + +2005-04-18 Love Hörnquist Åstrand + + * check-symbols.sh: ignore filename symbols + +2005-04-04 Love Hörnquist Åstrand + + * check-symbols.sh: assume symbols prefixed with _ is a sideeffekt + of the local linker and also just fine + +2005-03-16 Love Hörnquist Åstrand + + * roken-frag.m4: include for + +2005-03-01 Love Hörnquist Åstrand + + * sunos.m4: Match solaris 10. 
From: Joakim Fallsjo + + +2004-12-29 Love + + * check-symbols.sh: add -asn1compile symbols + +2004-12-29 Love Hörnquist Åstrand + + * check-symbols.sh: add exported symbols test + + * Makefile.am.common: add CHECK_SYMBOLS tests, so that we don't + export to much stuff + +2004-09-03 Love Hörnquist Åstrand + + * make-proto.pl: add cpluscplus extern "C" support + +2004-07-09 Love Hörnquist Åstrand + + * pthreads.m4: add -pthread to LIBS since libtool doesn't preserve + it for us when adding is as a dependency on libs + +2004-04-24 Johan Danielsson + + * largefile.m4: like AC_SYS_LARGEFILE, but also add to CPPFLAGS + +2004-04-14 Love Hörnquist Åstrand + + * check-compile-et.m4: even more evil stuff for cross-compiling + + * check-x.m4: use AC_RUN_IFELSE so we can handle cross compiling + + * check-compile-et.m4: use AC_RUN_IFELSE so we can handle cross + compiling + +2004-04-13 Love Hörnquist Åstrand + + * make-proto.pl: if -E, add windows standard calling conv to + headerfile if needed + + * win32.m4: add rk_WIN32_EXPORT + +2004-02-12 Love Hörnquist Åstrand + + * configure.in: rename AC_WFLAGS to rk_WFLAGS + + * *.m4: overquote to pacify automake1.8 + +2004-02-11 Love Hörnquist Åstrand + + * roken-frag.m4: resolv.h is even more special + + * roken-frag.m4: AC_CHECK_HEADERS(net/if.h netinet6/in6_var.h + sys/sysctl.h sys/proc.h, resolv.h) are all special and need extra + help + + * test-package.m4: If there is a --with-PACKAGE=path but no + --with-PACKAGE-config, go seach for path/PACKEGE-config and use it + if it exists. 
Inspired by Harald Barth + +2003-09-03 Love Hörnquist Åstrand + + * crypto.m4: check for DES_, AES_, and if openssl UI_ + +2003-08-27 Johan Danielsson + + * vararray.m4: test for variable-length arrays + + * roken-frag.m4: test for poll and poll.h + +2003-08-16 Love Hörnquist Åstrand + + * Makefile.am.common: don't try doing local checks if CHECK_LOCAL + is set to no-check-local + +2003-08-01 Love Hörnquist Åstrand + + * check-compile-et.m4: check if compile_et support ``error_table N + M'' also, don't be overly aggressivly reset CFLAGS + +2003-07-22 Love Hörnquist Åstrand + + * pthreads.m4: pthread test + +2003-05-08 Johan Danielsson + + * Makefile.am.common: change install-data-local to + install-data-hook + +2003-05-05 Assar Westerlund + + * crypto.m4: define OPENSSL_DES_LIBDES_COMPATIBILITY + +2003-04-03 Love Hörnquist Åstrand + + * crypto.m4: check if libcrypto needs -lnsl or -lsocket + +2003-04-02 Love Hörnquist Åstrand + + * crypto.m4: in the case where se don't link with kerberos 4, use + ${with_openssl_include} if its are set (not + ${with_openssl}/include) same for with_openssl_lib + +2003-03-18 Love Hörnquist Åstrand + + * Makefile.am.common: always define LIB_kafs + +2003-03-12 Love Hörnquist Åstrand + + * check-compile-et.m4: check if the output of compile_et needs + initialize_error_table_r + +2003-02-17 Love Hörnquist Åstrand + + * check-var.m4: add a check if the variable is avaible when we + include the headerfiles + +2002-12-18 Johan Danielsson + + * roken-frag.m4: res_nsearch takes 6 parameters; spotted by Howard + Chu + +2002-10-25 Johan Danielsson + + * crypto.m4: do a better job at matching headers to libraries + +2002-10-16 Johan Danielsson + + * sunos.m4: more quoting + +2002-09-19 Johan Danielsson + + * make-proto.pl: check the processed string for closing ), not the + source + +2002-09-10 Johan Danielsson + + * crypto.m4: use m4 macros for test cases, also test for older + hash names + + * test-package.m4: include dep libraries in LIB_* + 
+ * crypto.m4: move krb4 test before test for openssl, and bail out + if krb4 is requested, but the crypto library is not the same as + krb4 + + * db.m4: filter contents of LDFLAGS + +2002-09-09 Johan Danielsson + + * auth-modules.m4: rename to rk_AUTH_MODULES + + * auth-modules.m4: only include modules explicitly asked for + +2002-09-04 Johan Danielsson + + * roken-frag.m4: test for res_nsearch + +2002-09-03 Assar Westerlund + + * roken-frag.m4: check for sys/mman.h and mmap (used by + parse_reply-test) + +2002-08-28 Assar Westerlund + + * krb-readline.m4: also add LIB_tgetent in the case of editline + + * crypto.m4: define HAVE_OPENSSL even if we got to hear about it + by krb4 + +2002-08-28 Johan Danielsson + + * krb-readline.m4: add LIB_tgetent to LIB_readline if we have to + + * sunos.m4: various sunos tests + + * crypto.m4: try to extract the crypto compiler flags from + {INCLUDE,LIB}_krb4 + (XXX this is really horrible) + + * krb-readline.m4: don't add -rpath to LIB_readline (libtool + should to this for us), also don't append LIB_tgetent to + LIB_readline (TEST_PACKAGE should do this) + + * test-package.m4: add the possibility to use a *-config program + to get flags; rename to rk_TEST_PACKAGE while here + + * krb-bigendian.m4: move ENDIANESS_IN_SYS_PARAM_H tests here + + * aix.m4: rename to rk_AIX + + * telnet.m4: move telnet tests here + + * aix.m4: restructure this somewhat + + * dlopen.m4: test for dlopen suitable for AC_REQUIRE + + * irix.m4: move some stuff here and rename to irix.m4 + + * krb-sys-nextstep.m4: move SGTTY stuff to read_pwd.c + +2002-08-28 Jacques Vidrine + + * auth-modules.m4: do not build pam_krb4 on freebsd + +2002-08-26 Assar Westerlund + + * roken-frag.m4: test for the vis, strvis functions requiring + prototypes + +2002-08-23 Johan Danielsson + + * need-proto.m4: missing comma + +2002-08-22 Johan Danielsson + + * roken-frag.m4: some rototilling + + * need-proto.m4: use AS_TR_CPP + +2002-08-20 Johan Danielsson + + * roken-frag.m4: 
HAVE_TYPE instead of CHECK_TYPE ssize_t + + * krb-version.m4: use PACKAGE_TARNAME and PACKAGE_STRING + + * broken-getaddrinfo.m4: can't test for EAI_SERVICE here since AIX + is even more fsck:ed + + * roken-frag.m4: test for altzone + +2002-08-19 Johan Danielsson + + * Makefile.am.common: only define ROKEN_RENAME if do_roken_rename + +2002-08-13 Johan Danielsson + + * Makefile.am.common: add ROKEN_RENAME variable + +2002-08-12 Johan Danielsson + + * make-proto.pl: include to get va_list + + * destdirs.m4: also define localstatedir and sysconfdir + +2002-08-01 Johan Danielsson + + * crypto.m4: newer openssl seems to take the address of the + schedule parameter to des_cbc_encrypt, so we need to feed it a + variable, not just NULL (from Magnus Holmberg) + +2002-05-24 Johan Danielsson + + * misc.m4: change \100 back to @; some m4's (probably some regex) + doesn't like this as a replacement regexp; the reason it was once + changed to \100 was probably because of some autoconf bug at the + time + +2002-05-20 Johan Danielsson + + * broken2.m4 []-less is apparently the way to go + +2002-05-19 Johan Danielsson + + * otp.m4: check db_type instead of precence of dbm_firstkey + + * roken-frag.m4: don't AC_LIBOBJ more than one function at a time + + * find-if-not-broken.m4: s/AC_LIBOBJ/rk_LIBOBJ/ + + * broken2.m4: s/AC_LIBOBJ/rk_LIBOBJ/ + + * broken.m4: s/AC_LIBOBJ/rk_LIBOBJ/ + + * misc.m4: automake can't handle macros passed to AC_LIBOBJ, so + add an alias to it called rk_LIBOBJ; this requires that the + relevant source are manually included in roken/Makefile.am + + * aix.m4: ac_enable --diable-dynamic-afs + + * roken-frag.m4: use AC_LIBOBJ + + * krb-func-getcwd-broken.m4: use AC_LIBOBJ + + * find-if-not-broken.m4: use AC_LIBOBJ + + * broken2.m4: use AC_LIBOBJ + + * broken.m4: use AC_LIBOBJ + + * aix.m4: recognise aix5 + +2002-05-17 Johan Danielsson + + * crypto.m4: am-conditionalise HAVE_OPENSSL + + * db.m4: make it possible to run this twice + + * Makefile.am.common: also 
install nodist_include_HEADERS + +2002-05-16 Johan Danielsson + + * make-proto.pl: make it possible to redefine the "private" regexp + +2002-05-02 Johan Danielsson + + * db.m4: am_cond HAVE_* + +2002-04-30 Johan Danielsson + + * krb-ipv6.m4: use AC_HELP_STRING; fix logic bug in AC_MSG_RESULT + call + + * test-package.m4: use AC_HELP_STRING + + * roken.m4: use AC_HELP_STRING + + * osfc2.m4: use AC_HELP_STRING + + * mips-abi.m4: use AC_HELP_STRING + + * krb-bigendian.m4: use AC_HELP_STRING + + * db.m4: rework this somewhat; check for db3/4 in subdirs, change + --with to --enable; it should really be possible to point it to + some directory --with-berkeley-db=/foo + + * otp.m4: OTP test + +2002-04-25 Johan Danielsson + + * destdirs.m4: define BINDIR et al + +2002-04-18 Johan Danielsson + + * misc.m4: remove some stuff that is defined elsewhere + + * make-proto.pl: optionally remove __P and parameter names + +2001-11-30 Assar Westerlund + + * roken-frag.m4: move ipv6 tests after -lsocket (to handle Solaris + 8) + +2001-09-29 Assar Westerlund + + * install-catman.sh: handle man pages without SYNOPSIS but looking + for both SYNOPSIS and DESCRIPTION + +2001-09-18 Johan Danielsson + + * roken-frag.m4: include freeaddrinfo if using getaddrinfo + +2001-09-13 Assar Westerlund + + * db.m4: test for the ndbm database really being a .db one + and use it when moving/removing database files + +2001-09-03 Assar Westerlund + + * db.m4: prefer ndbm.h to dbm.h + * roken-frag.m4: check for atexit and on_exit + +2001-09-02 Assar Westerlund + + * check-compile-et.m4: only add /usr/include/et to CPPFLAGS if + it's actually used + +2001-09-01 Assar Westerlund + + * Makefile.am.common (AUTOMAKE_OPTIONS): set 1.4b here so that + users are warned if using earlier automake versions + + * find-func-no-libs2.m4: ignore "no" as a library - another + special case to make it easy to send the result from this macro + into another invocation + +2001-08-30 Assar Westerlund + + * db.m4: check for ndbm 
functions in db3 library too + +2001-08-29 Jacques Vidrine + + * check-compile-et.m4: Check for already-installed com_err. + * Makefile.am.common: Use the compile_et discovered at + configuration time. + +2001-08-29 Assar Westerlund + + * crypto.m4: use AC_WITH_ALL to allow separate specification of + include and lib + * with-all.m4: new macro for doing --with-foo, --with-foo-include, + and --with-foo-lib in a sensible way + + * find-func-no-libs2.m4: handle both -llib and lib in the second + argument also yes -> "" as a library, to ease callers that send in + results from this macro (this might be a little bit unclean) + +2001-08-28 Assar Westerlund + + * roken-frag.m4: test for issetugid + +2001-08-24 Assar Westerlund + + * Makefile.am.common: change one += to = to AM_CFLAGS to avoid an + error with recent automake + +2001-08-22 Assar Westerlund + + * crypto.m4: SHA1_CTX should be SHA_CTX + +2001-08-21 Assar Westerlund + + * roken-frag.m4: remove all winsock.h + for now, it does more harm than good under cygwin and if it should be + used, the correct conditional needs to be found + from + +2001-08-21 Johan Danielsson + + * check-var.m4: AC_TR_CPP -> AS_TR_CPP to make autoconf 2.52 happy + +2001-08-17 Johan Danielsson + + * krb-ipv6.m4: add test for non-existant in6addr_loopback in AIX + +2001-08-15 Johan Danielsson + + * roken-frag.m4: test for getaddrinfo's that doesn't like numeric + services + + * broken-getaddrinfo.m4: test for getaddrinfo's that doesn't like + numeric services + +2001-08-08 Assar Westerlund + + * db.m4: do a separate test for gdbm/ndbm.h and -lgdbm + +2001-08-05 Assar Westerlund + + * db.m4: ac_cv_funclib_\func can be yes + * db.m4: use AC_FIND_FUNC_NO_LIBS to test in libc + anset cache variables after first attempt at finding dbm_firstkey (how + should this be done?) 
+ * db.m4: do not test for ndbm library when ndbm-db was found in libc + * db.m4: test for ndbm-compatability with db + * db.m4: add forgotten AC_SUBST + * db.m4: first steps towards a new db test + + * roken-frag.m4: remove header files checked by rk_db + +2001-08-05 Assar Westerlund + + * roken-frag.m4: remove header files checked by rk_db + +2001-06-24 Assar Westerlund + + * roken-frag.m4: make sure of building getaddrinfo et al if + missing + +2001-06-20 Johan Danielsson + + * install-catman.sh: try to install links to manpages + +2001-06-19 Assar Westerlund + + * broken-glob.m4: try to handle FreeBSD's GLOB_MAXPATH + +2001-06-18 Johan Danielsson + + * roken-frag.m4: test for getaddrinfo needs netdb.h on Tru64 + +2001-06-17 Assar Westerlund + + * roken-frag.m4 (AC_CHECK_HEADERS): test for random + * roken-frag.m4 (AC_CHECK_HEADERS): test for initstate and + setstate + + * roken-frag.m4 (AC_BROKEN): test for + emalloc,ecalloc,erealloc,estrdup + +2001-05-11 Johan Danielsson + + * roken-frag.m4: bswap{16,32} + +2001-03-26 Assar Westerlund + + * broken-glob.m4: also test for GLOB_LIMIT + * krb-ipv6.m4: restore CFLAGS if v6 is not detected + +2001-02-20 Assar Westerlund + + * roken-frag.m4: check for getprogname, setprogname + +2001-02-07 Assar Westerlund + + * Makefile.am.common (LIB_kdfs): set. use it. from Ake Sandgren + + +2000-12-26 Assar Westerlund + + * krb-ipv6.m4: remove some dnl that weren't the correct with + modern autoconf + +2000-12-15 Assar Westerlund + + * roken-frag.m4 (inet_ntoa, inet_ntop, inet_pton): add necessary + includes when testing + * broken2.m4: new variant of broken, with includes and arguments + + * test-package.m4: s/ifval/m4_ifval/ to keep in sync with + autoconf. from Ake Sandgren + * check-var.m4: s/ifval/m4_ifval/ to keep in sync with autoconf. + from Ake Sandgren + +2000-12-13 Assar Westerlund + + * krb-irix.m4: need to set irix to no first. 
From Ake Sandgren + + +2000-12-12 Johan Danielsson + + * roken-frag.m4: move sa_len test to before test for broken + getnameinfo + +2000-12-12 Assar Westerlund + + * roken-frag.m4: only test for broken getnameinfo if it exists + +2000-12-10 Johan Danielsson + + * roken-frag.m4: ifaddrs.h + +2000-12-06 Johan Danielsson + + * roken-frag.m4: test for unvis, and vis.h + + * roken-frag.m4: test for strvis* + +2000-12-05 Johan Danielsson + + * Makefile.am.common: just warn if we fail to setuid a program + + * broken-getnameinfo.m4: add more quotes + + * roken-frag.m4: test for getifaddrs + + * roken-frag.m4: test for broken AIX getnameinfo + + * broken-getnameinfo.m4: test for broken getnameinfo + +2000-12-01 Assar Westerlund + + * Makefile.am.common: add kludge for LIBS + +2000-11-30 Johan Danielsson + + * check-man.m4: update this after recent changes + + * Makefile.am.common: use install-catman.sh + + * install-catman.sh: script to install preformatted manual pages + + * Makefile.am.common: change cat handling + +2000-11-29 Johan Danielsson + + * roken-frag.m4: don't use AC_CONFIG_FILES here, since it doesn't + work with automake + +2000-11-15 Assar Westerlund + + * krb-readline.m4: link against the libtool-versions of + libeditline and libel_compat + + * Makefile.am.common (INCLUDES): add $(INCLUDES_roken) + * roken-frag.m4 (CPPFLAGS_roken): rename to INCLUDES_roken + +2000-11-05 Johan Danielsson + + * aix.m4: set aix + +2000-08-19 Assar Westerlund + + * krb-bigendian.m4: merge from arla: make it work better + +2000-08-07 Johan Danielsson + + * roken-frag.m4: check getsockname for proto compat + +2000-08-04 Johan Danielsson + + * Makefile.am.common: add library for pidfile + + * roken-frag.m4: tests for util.h and pidfile + +2000-07-19 Johan Danielsson + + * check-var.m4: rename to rk_CHECK_VAR, transposing the arguments, + and making the second optional, AU_DEFINE AC_CHECK_VAR to + rk_CHECK_VAR + + * roken-frag.m4: other roken tests + + * db.m4: db tests + 
+2000-07-18 Johan Danielsson + + * mips-abi.m4: AC_ERROR -> AC_MSG_ERROR + + * check-netinet-ip-and-tcp.m4: use cache_check, and make this work + with new autoconf + + * aix.m4: don't subst AFS_EXTRA_LD + +2000-07-15 Johan Danielsson + + * check-var.m4: workaround feature of newer autoconf + + * find-func-no-libs2.m4: use cleaner autoheader trick + + * have-type.m4: use cleaner autoheader trick + + * have-types.m4: use cleaner autoheader trick + + * test-package.m4: add 6th parameter for now + + * broken.m4: use cleaner autoheader trick + + * retsigtype.m4: test for signal handler return type + + * broken-realloc.m4: test for broken realloc + +2000-07-08 Assar Westerlund + + * roken.m4: set CPPFLAGS_roken and call AC_CONFIG_SUBDIRS + +2000-07-02 Assar Westerlund + + * Makefile.am.common (CP): set and use + +2000-04-05 Assar Westerlund + + * Makefile.am.common (INCLUDE_openldap, LIB_openldap): add + +2000-03-28 Assar Westerlund + + * krb-prog-yacc.m4: AC_MSG_WARNING should be AC_MSG_WARN + + * shared-libs.m4: try to update to freebsd5 (and elf) + +2000-03-16 Assar Westerlund + + * krb-prog-yacc.m4: warn we do not find any yacc + +2000-01-08 Assar Westerlund + + * krb-bigendian.m4: new file, replacement for ac_c_bigendian + +2000-01-01 Assar Westerlund + + * krb-ipv6.m4: re-organize: test for type of stack first so that + we can find the libraries that we might have to link the test + program against. not linking the test program means we don't know + if the right stuff is in the libraries. also cosmetic changes to + make sure we print the checking for... nicely + +1999-12-21 Assar Westerlund + + * krb-ipv6.m4: try linking, not only compiling + * krb-ipv6.m4: add --without-ipv6 make sure we have `in6addr_any' + which we use in the code. 
This test avoids false positives on + OpenBSD + +1999-11-29 Johan Danielsson + + * grok-type.m4: inttypes.h + +1999-11-05 Assar Westerlund + + * check-x.m4: include X_PRE_LIBS and X_EXTRA_LIBS when testing + +1999-11-01 Assar Westerlund + + * Makefile.am.common (install-build-headers): use `cp' instead of + INSTALL_DATA for copying header files inside the build tree. The + user might have redefined INSTALL_DATA to specify owners and other + information. + +1999-10-30 Assar Westerlund + + * find-func-no-libs2.m4: add yet another argument to allow specify + linker flags that will be added _before_ the library when trying + to link + + * find-func-no-libs.m4: add yet another argument to allow specify + linker flags that will be added _before_ the library when trying + to link + +1999-10-12 Assar Westerlund + + * find-func-no-libs2.m4 (AC_FIND_FUNC_NO_LIBS2): new argument + `extra libs' + + * find-func-no-libs.m4 (AC_FIND_FUNC_NO_LIBS): new argument `extra + libs' + +1999-09-01 Johan Danielsson + + * capabilities.m4: sgi capabilities + +1999-07-29 Assar Westerlund + + * have-struct-field.m4: quote macros when undefining + +1999-07-28 Assar Westerlund + + * Makefile.am.common (install-build-headers): add dependencies + +1999-07-24 Assar Westerlund + + * have-type.m4: try to get autoheader to co-operate + + * have-type.m4: stolen from Arla + + * krb-struct-sockaddr-sa-len.m4: not used any longer. removed. + +1999-06-13 Assar Westerlund + + * krb-struct-spwd.m4: consequent name of cache variables + + * krb-func-getlogin.m4: new file for testing for posix (broken) + getlogin + + * shared-libs.m4 (freebsd[34]): don't use ld -Bshareable + +1999-06-02 Johan Danielsson + + * check-x.m4: extended test for X + +1999-05-14 Assar Westerlund + + * check-netinet-ip-and-tcp.m4: proper autoheader tricks + + * check-netinet-ip-and-tcp.m4: new file for checking for + netinet/{ip,tcp}.h. These are special as they on Irix 6.5.3 + require to be included in advance. 
+ + * check-xau.m4: we also need to check for XauFilename since it's + used by appl/kx. And on Irix 6.5 that function requires linking + with -lX11. + +1999-05-08 Assar Westerlund + + * krb-find-db.m4: try with more header files than ndbm.h + +1999-04-19 Assar Westerlund + + * test-package.m4: try to handle the case of --without-package + correctly + +1999-04-17 Assar Westerlund + + * make-aclocal: removed. Not used anymore, being replaced by + aclocal from automake. + +Thu Apr 15 14:17:26 1999 Johan Danielsson + + * make-proto.pl: handle __attribute__ + +Fri Apr 9 20:37:18 1999 Assar Westerlund + + * shared-libs.m4: quote $@ + (freebsd3): add install_symlink_command2 + +Wed Apr 7 20:40:22 1999 Assar Westerlund + + * shared-libs.m4 (hpux): no library dependencies + +Mon Apr 5 16:13:08 1999 Johan Danielsson + + * test-package.m4: compile and link, rather than looking for + files; also export more information, so it's possible to add rpath + information + +Tue Mar 30 13:49:54 1999 Johan Danielsson + + * Makefile.am.common: CFLAGS -> AM_CFLAGS + +Mon Mar 29 16:51:12 1999 Johan Danielsson + + * check-xau.m4: check for XauWriteAuth before checking for + XauReadAuth to catch -lX11:s not containing XauWriteAuth, and IRIX + 6.5 that doesn't work with -lXau + +Sat Mar 27 18:03:58 1999 Johan Danielsson + + * osfc2.m4: --enable-osfc2 + +Fri Mar 19 15:34:52 1999 Johan Danielsson + + * shared-libs.m4: move shared lib stuff here + +Wed Mar 24 23:24:51 1999 Assar Westerlund + + * Makefile.am.common (install-build-headers): simplify loop + +Tue Mar 23 17:31:23 1999 Johan Danielsson + + * check-getpwnam_r-posix.m4: check for getpwnam_r, and if it's + posix or not + +Tue Mar 23 00:00:13 1999 Assar Westerlund + + * Makefile.am.common (install_build_headers): try to make it work + better when list of headers is empty. handle make rewriting the + filenames. 
+ + * Makefile.am.common: hesoid -> hesiod + +Sun Mar 21 14:48:03 1999 Johan Danielsson + + * grok-type.m4: + + * Makefile.am.common: fix for automake bug/feature; add more LIB_* + + * test-package.m4: fix typo + + * check-man.m4: fix some typos + + * auth-modules.m4: tests for authentication modules + +Thu Mar 18 11:02:55 1999 Johan Danielsson + + * Makefile.am.common: make install-build-headers a multi + dependency target + + * Makefile.am.common: remove include_dir hack + + * Makefile.am.common: define LIB_kafs and LIB_gssapi + + * krb-find-db.m4: subst DBLIB also + + * check-xau.m4: test for Xau{Read,Write}Auth + +Wed Mar 10 19:29:20 1999 Johan Danielsson + + * wflags.m4: AC_WFLAGS + +Mon Mar 1 11:23:41 1999 Johan Danielsson + + * have-struct-field.m4: remove extra AC_MSG_RESULT + + * proto-compat.m4: typo + + * krb-func-getcwd-broken.m4: update to autoconf 2.13 + + * krb-find-db.m4: update to autoconf 2.13 + + * check-declaration.m4: typo + + * have-pragma-weak.m4: update to autoconf 2.13 + + * have-struct-field.m4: better handling of types with spaces + +Mon Feb 22 20:05:06 1999 Johan Danielsson + + * broken-glob.m4: check for broken glob + +Sun Jan 31 06:50:33 1999 Assar Westerlund + + * krb-ipv6.m4: more magic for different v6 implementations. From + Jun-ichiro itojun Hagino + +Sun Nov 22 12:16:06 1998 Assar Westerlund + + * krb-struct-spwd.m4: new file + +Thu Jun 4 04:07:41 1998 Assar Westerlund + + * find-func-no-libs2.m4: new file + +Fri May 1 23:31:28 1998 Assar Westerlund + + * c-attribute.m4, c-function.m4: new files (from arla) + +Wed Mar 18 23:11:29 1998 Assar Westerlund + + * krb-ipv6.m4: rename HAVE_STRUCT_SOCKADDR_IN6 to HAVE_IPV6 + +Thu Feb 26 02:37:49 1998 Assar Westerlund + + * make-proto.pl: should work with perl4 + diff --git a/third_party/heimdal/cf/Makefile.am.common b/third_party/heimdal/cf/Makefile.am.common new file mode 100644 index 0000000..90921fe --- /dev/null +++ b/third_party/heimdal/cf/Makefile.am.common 
@@ -0,0 +1,294 @@ +# $Id$ + +SUFFIXES = .et .h .pc.in .pc + +DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include + +AM_CPPFLAGS = $(INCLUDES_roken) + +if do_roken_rename +ROKEN_RENAME = -DROKEN_RENAME +endif + +AM_CFLAGS = $(WFLAGS) + +CLANG_FORMAT_STYLE = '{BasedOnStyle: Mozilla, AlwaysBreakAfterReturnType: TopLevelDefinitions, IndentWidth: 4, SortIncludes: false}' + +CP = cp + +## set build_HEADERZ to headers that should just be installed in build tree + +buildinclude = $(top_builddir)/include + +## these aren't detected by automake +LIB_XauReadAuth = @LIB_XauReadAuth@ +LIB_crypt = @LIB_crypt@ +LIB_dbm_firstkey = @LIB_dbm_firstkey@ +LIB_dbopen = @LIB_dbopen@ +LIB_dlopen = @LIB_dlopen@ +LIB_dn_expand = @LIB_dn_expand@ +LIB_el_init = @LIB_el_init@ +LIB_getattr = @LIB_getattr@ +LIB_gethostbyname = @LIB_gethostbyname@ +LIB_getpwent_r = @LIB_getpwent_r@ +LIB_getpwnam_r = @LIB_getpwnam_r@ +LIB_getsockopt = @LIB_getsockopt@ +LIB_odm_initialize = @LIB_odm_initialize@ +LIB_openpty = @LIB_openpty@ +LIB_pidfile = @LIB_pidfile@ +LIB_res_search = @LIB_res_search@ +LIB_setpcred = @LIB_setpcred@ +LIB_setsockopt = @LIB_setsockopt@ +LIB_socket = @LIB_socket@ +LIB_syslog = @LIB_syslog@ +LIB_tgetent = @LIB_tgetent@ +LIB_com_err = @LIB_com_err@ +LIB_door_create = @LIB_door_create@ + +LIB_openssl_crypto = @LIB_openssl_crypto@ +INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@ + +INCLUDE_krb4 = @INCLUDE_krb4@ +LIB_krb4 = @LIB_krb4@ + +INCLUDE_openldap = @INCLUDE_openldap@ +LIB_openldap = @LIB_openldap@ + +INCLUDE_readline = @INCLUDE_readline@ +LIB_readline = @LIB_readline@ + +LEXLIB = @LEXLIB@ + +libexec_heimdaldir = $(libexecdir)/heimdal + +install-suid-programs: + @foo='$(bin_SUIDS)'; \ + for file in $$foo; do \ + x=$(DESTDIR)$(bindir)/$$file; \ + if chown 0:0 $$x && chmod u+s $$x; then :; else \ + echo "*"; \ + echo "* Failed to install $$x setuid root"; \ + echo "*"; \ + fi; \ + done + +install-exec-local: install-suid-programs + +codesign-all: + 
@if [ X"$$CODE_SIGN_IDENTITY" != X ] ; then \ + foo='$(bin_PROGRAMS) $(sbin_PROGRAMS) $(libexec_PROGRAMS)' ; \ + for file in $$foo ; do \ + echo "CODESIGN $$file" ; \ + codesign -f -s "$$CODE_SIGN_IDENTITY" $$file || exit 1 ; \ + done ; \ + fi + + + +all-local: codesign-all + +install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) $(noinst_HEADERS) + @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(noinst_HEADERS)'; \ + for f in $$foo; do \ + f=`basename $$f`; \ + if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ + else file="$$f"; fi; \ + if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ + : ; else \ + echo " $(CP) $$file $(buildinclude)/$$f"; \ + $(CP) $$file $(buildinclude)/$$f || true; \ + fi ; \ + done ; \ + foo='$(nobase_include_HEADERS)'; \ + for f in $$foo; do \ + if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ + else file="$$f"; fi; \ + $(mkdir_p) $(buildinclude)/`dirname $$f` ; \ + if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ + : ; else \ + echo " $(CP) $$file $(buildinclude)/$$f"; \ + $(CP) $$file $(buildinclude)/$$f; \ + fi ; \ + done + +all-local: install-build-headers + +check-local:: + @if test '$(CHECK_LOCAL)' = "no-check-local"; then \ + foo=''; elif test '$(CHECK_LOCAL)'; then \ + foo='$(CHECK_LOCAL)'; else \ + foo='$(PROGRAMS)'; fi; \ + if test "$$foo"; then \ + failed=0; all=0; \ + for i in $$foo; do \ + all=`expr $$all + 1`; \ + if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \ + echo "PASS: $$i"; \ + else \ + echo "FAIL: $$i"; \ + failed=`expr $$failed + 1`; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="$$failed of $$all tests failed"; \ + fi; \ + dashes=`echo "$$banner" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0 || exit 1; \ + fi + +SUFFIXES += 
.x .z + +SUFFIXES += .1 .3 .5 .7 .8 .cat1 .cat3 .cat5 .cat7 .cat8 + +NROFF_MAN = groff -mandoc -Tascii +#NROFF_MAN = nroff -man +.1.cat1: + $(NROFF_MAN) $< > $@ +.3.cat3: + $(NROFF_MAN) $< > $@ +.5.cat5: + $(NROFF_MAN) $< > $@ +.7.cat7: + $(NROFF_MAN) $< > $@ +.8.cat8: + $(NROFF_MAN) $< > $@ + +## MAINTAINERCLEANFILES += + +dist-cat1-mans: + @foo='$(man1_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.1) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat3-mans: + @foo='$(man3_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.3) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat5-mans: + @foo='$(man5_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.5) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat7-mans: + @foo='$(man7_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.7) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat7/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat8-mans: + @foo='$(man8_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.8) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-hook: dist-cat1-mans 
dist-cat3-mans dist-cat5-mans dist-cat7-mans dist-cat8-mans + +install-cat-mans: + $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS) + +uninstall-cat-mans: + $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS) + +install-data-hook: install-cat-mans +uninstall-hook: uninstall-cat-mans + + +.et.h: + $(COMPILE_ET) $< +.et.c: + $(COMPILE_ET) $< + +if NO_AFS +LIB_kafs = +else +LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) +endif + +if KRB5 +LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ + $(top_builddir)/lib/asn1/libasn1.la +LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la +endif + +LIB_heimbase = $(top_builddir)/lib/base/libheimbase.la + +if DCE +LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la +endif + +# +# Useful target for debugging +# + +check-valgrind: + tobjdir=`cd $(top_builddir) && pwd` ; \ + tsrcdir=`cd $(top_srcdir) && pwd` ; \ + env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check + +# +# Target to please samba build farm, builds distfiles in-tree. +# Will break when automake changes... +# + +distdir-in-tree: $(DISTFILES) $(INFO_DEPS) + list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" != .; then \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \ + fi ; \ + done + + +#silent-rules + +heim_verbose = $(heim_verbose_$(V)) +heim_verbose_ = $(heim_verbose_$(AM_DEFAULT_VERBOSITY)) +heim_verbose_0 = @echo " GEN "$@; + +if ENABLE_GCOV +AM_CFLAGS += --coverage --no-inline +AM_LDFLAGS = -lgcov +endif diff --git a/third_party/heimdal/cf/aix.m4 b/third_party/heimdal/cf/aix.m4 new file mode 100644 index 0000000..2c450fb --- /dev/null 
+++ b/third_party/heimdal/cf/aix.m4 @@ -0,0 +1,62 @@ +dnl +dnl $Id$ +dnl + +AC_DEFUN([rk_AIX],[ + +aix=no +case "$host" in +*-*-aix3*) + aix=3 + ;; +*-*-aix[[4-9]]*) + aix=4 + ;; +esac + +AM_CONDITIONAL(AIX, test "$aix" != no)dnl +AM_CONDITIONAL(AIX4, test "$aix" = 4)dnl + +AC_ARG_ENABLE(dynamic-afs, + AS_HELP_STRING([--disable-dynamic-afs], + [do not use loaded AFS library with AIX])) + +if test "$aix" != no; then + + AC_DEFINE(NEED_QSORT, 1, [if your qsort is not a stable sort]) + + if test "$enable_dynamic_afs" != no; then + AC_REQUIRE([rk_DLOPEN]) + if test "$ac_cv_func_dlopen" = no; then + AC_FIND_FUNC_NO_LIBS(loadquery, ld) + fi + if test "$ac_cv_func_dlopen" != no; then + AIX_EXTRA_KAFS='$(LIB_dlopen)' + elif test "$ac_cv_func_loadquery" != no; then + AIX_EXTRA_KAFS='$(LIB_loadquery)' + else + AC_MSG_NOTICE([not using dynloaded AFS library]) + AIX_EXTRA_KAFS= + enable_dynamic_afs=no + fi + else + AIX_EXTRA_KAFS= + fi +fi + +AM_CONDITIONAL(AIX_DYNAMIC_AFS, test "$enable_dynamic_afs" != no)dnl +AC_SUBST(AIX_EXTRA_KAFS)dnl + +if test "$aix" != no; then + AC_DEFINE([_ALL_SOURCE],1,[Required for functional/sane headers on AIX]) +fi + +AH_BOTTOM([#if _AIX +/* XXX this is gross, but kills about a gazillion warnings */ +struct ether_addr; +struct sockaddr; +struct sockaddr_dl; +struct sockaddr_in; +#endif]) + +]) diff --git a/third_party/heimdal/cf/auth-modules.m4 b/third_party/heimdal/cf/auth-modules.m4 new file mode 100644 index 0000000..e27de4b --- /dev/null +++ b/third_party/heimdal/cf/auth-modules.m4 
@@ -0,0 +1,45 @@ +dnl $Id$ +dnl +dnl Figure what authentication modules should be built +dnl +dnl rk_AUTH_MODULES(module-list) + +AC_DEFUN([rk_AUTH_MODULES],[ +AC_MSG_CHECKING([which authentication modules should be built]) + +z='m4_ifval([$1], $1, [sia pam afskauthlib])' +LIB_AUTH_SUBDIRS= +for i in $z; do +case $i in +sia) +if test "$ac_cv_header_siad_h" = yes; then + LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS sia" +fi +;; +pam) +case "${host}" in +*-*-freebsd*) ac_cv_want_pam_krb4=no ;; +*) ac_cv_want_pam_krb4=yes ;; +esac + +if test "$ac_cv_want_pam_krb4" = yes -a \ + "$ac_cv_header_security_pam_modules_h" = yes -a \ + "$enable_shared" = yes; then + LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS pam" +fi +;; +afskauthlib) +case "${host}" in +*-*-irix[[56]]*) LIB_AUTH_SUBDIRS="$LIB_AUTH_SUBDIRS afskauthlib" ;; +esac +;; +esac +done +if test "$LIB_AUTH_SUBDIRS"; then + AC_MSG_RESULT($LIB_AUTH_SUBDIRS) +else + AC_MSG_RESULT(none) +fi + +AC_SUBST(LIB_AUTH_SUBDIRS)dnl +]) diff --git a/third_party/heimdal/cf/ax_check_sign.m4 b/third_party/heimdal/cf/ax_check_sign.m4 new file mode 100644 index 0000000..bc2c3f0 --- /dev/null +++ b/third_party/heimdal/cf/ax_check_sign.m4 
@@ -0,0 +1,54 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_check_sign.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_SIGN (TYPE, [ACTION-IF-SIGNED], [ACTION-IF-UNSIGNED], [INCLUDES]) +# +# DESCRIPTION +# +# Checks whether TYPE is signed or not. If no INCLUDES are specified, the +# default includes are used. If ACTION-IF-SIGNED is given, it is +# additional shell code to execute when the type is signed. If +# ACTION-IF-UNSIGNED is given, it is executed when the type is unsigned. +# +# This macro assumes that the type exists. Therefore the existence of the +# type should be checked before calling this macro. For example: +# +# AC_CHECK_HEADERS([wchar.h]) +# AC_CHECK_TYPE([wchar_t],,[ AC_MSG_ERROR([Type wchar_t not found.]) ]) +# AX_CHECK_SIGN([wchar_t], +# [ AC_DEFINE(WCHAR_T_SIGNED, 1, [Define if wchar_t is signed]) ], +# [ AC_DEFINE(WCHAR_T_UNSIGNED, 1, [Define if wchar_t is unsigned]) ], [ +# #ifdef HAVE_WCHAR_H +# #include +# #endif +# ]) +# +# LICENSE +# +# Copyright (c) 2008 Ville Laurikari +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. 
+ +#serial 7 + +AU_ALIAS([VL_CHECK_SIGN], [AX_CHECK_SIGN]) +AC_DEFUN([AX_CHECK_SIGN], [ + typename=`echo $1 | sed "s/@<:@^a-zA-Z0-9_@:>@/_/g"` + AC_CACHE_CHECK([whether $1 is signed], ax_cv_decl_${typename}_signed, [ + AC_TRY_COMPILE([$4], + [ int foo @<:@ 1 - 2 * !((($1) -1) < 0) @:>@ ], + [ eval "ax_cv_decl_${typename}_signed=\"yes\"" ], + [ eval "ax_cv_decl_${typename}_signed=\"no\"" ])]) + symbolname=`echo $1 | sed "s/@<:@^a-zA-Z0-9_@:>@/_/g" | tr "a-z" "A-Z"` + if eval "test \"\${ax_cv_decl_${typename}_signed}\" = \"yes\""; then + $2 + elif eval "test \"\${ax_cv_decl_${typename}_signed}\" = \"no\""; then + $3 + fi +])dnl diff --git a/third_party/heimdal/cf/broken-getaddrinfo.m4 b/third_party/heimdal/cf/broken-getaddrinfo.m4 new file mode 100644 index 0000000..5daf416 --- /dev/null +++ b/third_party/heimdal/cf/broken-getaddrinfo.m4 @@ -0,0 +1,26 @@ +dnl $Id$ +dnl +dnl test if getaddrinfo can handle numeric services + +AC_DEFUN([rk_BROKEN_GETADDRINFO],[ +AC_CACHE_CHECK([if getaddrinfo handles numeric services], ac_cv_func_getaddrinfo_numserv, +AC_RUN_IFELSE([AC_LANG_SOURCE([[#include +#include +#include +#include + +int +main(int argc, char **argv) +{ + struct addrinfo hints, *ai; + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_PASSIVE; + hints.ai_socktype = SOCK_STREAM; + hints.ai_family = PF_UNSPEC; + if(getaddrinfo(NULL, "17", &hints, &ai) != 0) + return 1; + if(getaddrinfo(NULL, "0", &hints, &ai) != 0) + return 1; + return 0; +} +]])],[ac_cv_func_getaddrinfo_numserv=yes],[ac_cv_func_getaddrinfo_numserv=no],[ac_cv_func_getaddrinfo_numserv=yes]))]) diff --git a/third_party/heimdal/cf/broken-realloc.m4 b/third_party/heimdal/cf/broken-realloc.m4 new file mode 100644 index 0000000..b6d962a --- /dev/null +++ b/third_party/heimdal/cf/broken-realloc.m4 
@@ -0,0 +1,25 @@ +dnl +dnl $Id$ +dnl +dnl Test for realloc that doesn't handle NULL as first parameter +dnl +AC_DEFUN([rk_BROKEN_REALLOC], [ +AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [ +ac_cv_func_realloc_broken=no +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include +#include + +int main(int argc, char **argv) +{ + return realloc(NULL, 17) == NULL; +} +]])],[:], [ac_cv_func_realloc_broken=yes],[:]) +]) +if test "$ac_cv_func_realloc_broken" = yes ; then + AC_DEFINE(BROKEN_REALLOC, 1, [Define if realloc(NULL) doesn't work.]) +fi +AH_BOTTOM([#ifdef BROKEN_REALLOC +#define realloc(X, Y) rk_realloc((X), (Y)) +#endif]) +]) diff --git a/third_party/heimdal/cf/broken-snprintf.m4 b/third_party/heimdal/cf/broken-snprintf.m4 new file mode 100644 index 0000000..0261116 --- /dev/null +++ b/third_party/heimdal/cf/broken-snprintf.m4 
@@ -0,0 +1,63 @@ +dnl $Id$ +dnl +AC_DEFUN([AC_BROKEN_SNPRINTF], [ +AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working, +ac_cv_func_snprintf_working=yes +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include +#include +int main(int argc, char **argv) +{ + char foo[[3]]; + snprintf(foo, 2, "12"); + return strcmp(foo, "1") || snprintf(NULL, 0, "%d", 12) != 2; +}]])],[:],[ac_cv_func_snprintf_working=no],[:])) + +if test "$ac_cv_func_snprintf_working" = yes; then + AC_DEFINE_UNQUOTED(HAVE_SNPRINTF, 1, [define if you have a working snprintf]) +fi +if test "$ac_cv_func_snprintf_working" = yes; then +AC_NEED_PROTO([#include ],snprintf) +fi +]) + +AC_DEFUN([AC_BROKEN_VSNPRINTF],[ +AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working, +ac_cv_func_vsnprintf_working=yes +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include +#include +#include + +int foo(int num, ...) +{ + char bar[[3]]; + va_list arg; + va_start(arg, num); + vsnprintf(bar, 2, "%s", arg); + va_end(arg); + return strcmp(bar, "1"); +} + +int bar(int num, int len, ...) +{ + int r; + va_list arg; + va_start(arg, len); + r = vsnprintf(NULL, 0, "%s", arg); + va_end(arg); + return r != len; +} + +int main(int argc, char **argv) +{ + return foo(0, "12") || bar(0, 2, "12"); +}]])],[:],[ac_cv_func_vsnprintf_working=no],[:])) + +if test "$ac_cv_func_vsnprintf_working" = yes; then + AC_DEFINE_UNQUOTED(HAVE_VSNPRINTF, 1, [define if you have a working vsnprintf]) +fi +if test "$ac_cv_func_vsnprintf_working" = yes; then +AC_NEED_PROTO([#include ],vsnprintf) +fi +]) diff --git a/third_party/heimdal/cf/broken.m4 b/third_party/heimdal/cf/broken.m4 new file mode 100644 index 0000000..1c8db72 --- /dev/null +++ b/third_party/heimdal/cf/broken.m4 
@@ -0,0 +1,12 @@ +dnl $Id$ +dnl +dnl +dnl Same as AC _REPLACE_FUNCS, just define HAVE_func if found in normal +dnl libraries + +AC_DEFUN([AC_BROKEN], +[AC_FOREACH([rk_func], [$1], + [AC_CHECK_FUNC(rk_func, + [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]rk_func), 1, + [Define if you have the function `]rk_func['.])], + [rk_LIBOBJ(rk_func)])])]) diff --git a/third_party/heimdal/cf/broken2.m4 b/third_party/heimdal/cf/broken2.m4 new file mode 100644 index 0000000..71e2afa --- /dev/null +++ b/third_party/heimdal/cf/broken2.m4 @@ -0,0 +1,25 @@ +dnl $Id$ +dnl +dnl AC_BROKEN but with more arguments + +dnl AC_BROKEN2(func, includes, arguments) +AC_DEFUN([AC_BROKEN2], +[AC_MSG_CHECKING([for $1]) +AC_CACHE_VAL(ac_cv_func_[]$1, +[AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2]],[[ +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$1) || defined (__stub___$1) +choke me +#else +$1($3); +#endif +]])], [eval "ac_cv_func_[]$1=yes"], [eval "ac_cv_func_[]$1=no"])]) +if eval "test \"\${ac_cv_func_[]$1}\" = yes"; then + AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, define) + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) + rk_LIBOBJ($1) +fi]) diff --git a/third_party/heimdal/cf/c-attribute.m4 b/third_party/heimdal/cf/c-attribute.m4 new file mode 100644 index 0000000..8ff6bd3 --- /dev/null +++ b/third_party/heimdal/cf/c-attribute.m4 
@@ -0,0 +1,28 @@ +dnl +dnl $Id$ +dnl + +dnl +dnl Test for __attribute__ +dnl + +AC_DEFUN([AC_C___ATTRIBUTE__], [ +AC_MSG_CHECKING(for __attribute__) +AC_CACHE_VAL(ac_cv___attribute__, [ +AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include +static void foo(void) __attribute__ ((noreturn)); + +static void +foo(void) +{ + exit(1); +} +]])], +[ac_cv___attribute__=yes], +[ac_cv___attribute__=no])]) +if test "$ac_cv___attribute__" = "yes"; then + AC_DEFINE(HAVE___ATTRIBUTE__, 1, [define if your compiler has __attribute__]) +fi +AC_MSG_RESULT($ac_cv___attribute__) +]) + diff --git a/third_party/heimdal/cf/c-function.m4 b/third_party/heimdal/cf/c-function.m4 new file mode 100644 index 0000000..74ffd95 --- /dev/null +++ b/third_party/heimdal/cf/c-function.m4 @@ -0,0 +1,33 @@ +dnl +dnl $Id$ +dnl + +dnl +dnl Test for __FUNCTION__ +dnl + +AC_DEFUN([AC_C___FUNCTION__], [ +AC_MSG_CHECKING(for __FUNCTION__) +AC_CACHE_VAL(ac_cv___function__, [ +AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include + +static char *foo(void) +{ + return __FUNCTION__; +} + +int main(int argc, char **argc) +{ + return strcmp(foo(), "foo") != 0; +} +]])], +[ac_cv___function__=yes], +[ac_cv___function__=no], +[ac_cv___function__=no])]) +if test "$ac_cv___function__" = "yes"; then + AC_DEFINE(HAVE___FUNCTION__, 1, [define if your compiler has __FUNCTION__]) +fi +AC_MSG_RESULT($ac_cv___function__) +]) + diff --git a/third_party/heimdal/cf/check-compile-et.m4 b/third_party/heimdal/cf/check-compile-et.m4 new file mode 100644 index 0000000..e580cbb --- /dev/null +++ b/third_party/heimdal/cf/check-compile-et.m4 
@@ -0,0 +1,114 @@ +dnl $Id$ +dnl +dnl CHECK_COMPILE_ET +AC_DEFUN([CHECK_COMPILE_ET], [ + +AC_CHECK_PROG(COMPILE_ET, compile_et, [compile_et], [no]) + +krb_cv_compile_et="no" +krb_cv_com_err_need_r="" +krb_cv_compile_et_cross=no +if test "${COMPILE_ET}" != "no"; then + +dnl We have compile_et. Now let's see if it supports `prefix' and `index'. +AC_MSG_CHECKING(whether compile_et has the features we need) +cat > conftest_et.et <<'EOF' +error_table test conf +prefix CONFTEST +index 1 +error_code CODE1, "CODE1" +index 128 +error_code CODE2, "CODE2" +end +EOF +if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then + dnl XXX Some systems have . + save_CPPFLAGS="${CPPFLAGS}" + if test -d "/usr/include/et"; then + CPPFLAGS="-I/usr/include/et ${CPPFLAGS}" + fi + dnl Check that the `prefix' and `index' directives were honored. + AC_LANG(C) + AC_RUN_IFELSE([AC_LANG_SOURCE([ +#include +#include +#include "conftest_et.h" +int main(int argc, char **argv){ +#ifndef ERROR_TABLE_BASE_conf +#error compile_et does not handle error_table N M +#endif +return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;} + ])], [krb_cv_compile_et="yes"],[CPPFLAGS="${save_CPPFLAGS}"], + [krb_cv_compile_et="yes" krb_cv_compile_et_cross=yes] ) +fi +AC_MSG_RESULT(${krb_cv_compile_et}) +if test "${krb_cv_compile_et}" = "yes" -a "${krb_cv_compile_et_cross}" = no; then + AC_MSG_CHECKING([for if com_err generates a initialize_conf_error_table_r]) + AC_EGREP_CPP([initialize_conf_error_table_r.*struct et_list], + [#include "conftest_et.h"], + [krb_cv_com_err_need_r="ok"]) + if test X"$krb_cv_com_err_need_r" = X ; then + AC_MSG_RESULT(no) + krb_cv_compile_et=no + else + AC_MSG_RESULT(yes) + fi +fi +rm -fr conftest* +fi + +if test "${krb_cv_compile_et_cross}" = yes ; then + krb_cv_com_err="cross" +elif test "${krb_cv_compile_et}" = "yes"; then + dnl Since compile_et seems to work, let's check libcom_err + krb_cv_save_LIBS="${LIBS}" + LIBS="${LIBS} -lcom_err" + AC_MSG_CHECKING(for com_err) + 
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],[[ + const char *p; + p = error_message(0); + initialize_error_table_r(0,0,0,0); + com_right_r(0, 0, 0, 0); + ]])],[krb_cv_com_err="yes"],[krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}"]) + AC_MSG_RESULT(${krb_cv_com_err}) + LIBS="${krb_cv_save_LIBS}" +else + dnl Since compile_et doesn't work, forget about libcom_err + krb_cv_com_err="no" +fi + +dnl Only use the system's com_err if we found compile_et, libcom_err, and +dnl com_err.h. +if test "${krb_cv_com_err}" = "yes"; then + DIR_com_err="" + LIB_com_err="-lcom_err" + LIB_com_err_a="" + LIB_com_err_so="" + AC_MSG_NOTICE(Using the already-installed com_err) + COMPILE_ET="${ac_cv_prog_COMPILE_ET}" + localcomerr=no +elif test "${krb_cv_com_err}" = "cross"; then + DIR_com_err="com_err" + LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la" + LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a" + LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so" + AC_MSG_NOTICE(Using our own com_err with toolchain compile_et) + COMPILE_ET="${ac_cv_prog_COMPILE_ET}" + localcomerr=yes +else + COMPILE_ET="\$(top_builddir)/lib/com_err/compile_et" + DIR_com_err="com_err" + LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la" + LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a" + LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so" + AC_MSG_NOTICE(Using our own com_err) + localcomerr=yes +fi +AM_CONDITIONAL(COM_ERR, test "$localcomerr" = yes)dnl +AC_SUBST(COMPILE_ET) +AC_SUBST(DIR_com_err) +AC_SUBST(LIB_com_err) +AC_SUBST(LIB_com_err_a) +AC_SUBST(LIB_com_err_so) + +]) diff --git a/third_party/heimdal/cf/check-compile-flag.m4 b/third_party/heimdal/cf/check-compile-flag.m4 new file mode 100644 index 0000000..bd753b3 --- /dev/null +++ b/third_party/heimdal/cf/check-compile-flag.m4 
@@ -0,0 +1,53 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the current language's compiler +# or gives an error. (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the current language's default +# flags (e.g. CFLAGS) when the check is done. The check is thus made with +# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to +# force the compiler to issue an error when a bad flag is given. +# +# INPUT gives an alternative input source to AC_COMPILE_IFELSE. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. 
+ +#serial 6 + +AC_DEFUN([AX_CHECK_COMPILE_FLAG], +[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF +AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl +AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [ + ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS + _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1" + AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags]) +AS_VAR_IF(CACHEVAR,yes, + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_COMPILE_FLAGS diff --git a/third_party/heimdal/cf/check-getpwnam_r-posix.m4 b/third_party/heimdal/cf/check-getpwnam_r-posix.m4 new file mode 100644 index 0000000..0e9167f --- /dev/null +++ b/third_party/heimdal/cf/check-getpwnam_r-posix.m4 
@@ -0,0 +1,74 @@ +dnl $Id$ +dnl +dnl check for getpwnam_r, and if it's posix or not; also check for getpwuid_r + +AC_DEFUN([AC_CHECK_GETPWNAM_R_POSIX],[ +AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r) +if test "$ac_cv_func_getpwnam_r" = yes; then + AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix, + ac_libs="$LIBS" + LIBS="$LIBS $LIB_getpwnam_r" + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#define _POSIX_PTHREAD_SEMANTICS +#include +int main(int argc, char **argv) +{ + struct passwd pw, *pwd; + return getpwnam_r("", &pw, 0, 0, &pwd) < 0; +} +]])],[ac_cv_func_getpwnam_r_posix=yes],[ac_cv_func_getpwnam_r_posix=no],[:]) +LIBS="$ac_libs") + AC_CACHE_CHECK(if _POSIX_PTHREAD_SEMANTICS is needed,ac_cv_func_getpwnam_r_posix_def, + ac_libs="$LIBS" + LIBS="$LIBS $LIB_getpwnam_r" + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include +int main(int argc, char **argv) +{ + struct passwd pw, *pwd; + return getpwnam_r("", &pw, 0, 0, &pwd) < 0; +} +]])],[ac_cv_func_getpwnam_r_posix_def=no],[ac_cv_func_getpwnam_r_posix_def=yes],[:]) +LIBS="$ac_libs") +if test "$ac_cv_func_getpwnam_r_posix" = yes; then + AC_DEFINE(POSIX_GETPWNAM_R, 1, [Define if getpwnam_r has POSIX flavour.]) +fi +if test "$ac_cv_func_getpwnam_r_posix" = yes -a "$ac_cv_func_getpwnam_r_posix_def" = yes; then + AC_DEFINE(_POSIX_PTHREAD_SEMANTICS, 1, [Define to get POSIX getpwnam_r in some systems.]) +fi +fi +]) + +AC_DEFUN([AC_CHECK_GETPWUID_R_POSIX],[ +AC_FIND_FUNC_NO_LIBS(getpwuid_r,c_r) +if test "$ac_cv_func_getpwuid_r" = yes; then + AC_CACHE_CHECK(if getpwuid_r is posix,ac_cv_func_getpwuid_r_posix, + ac_libs="$LIBS" + LIBS="$LIBS $LIB_getpwuid_r" + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#define _POSIX_PTHREAD_SEMANTICS +#include +int main(int argc, char **argv) +{ + struct passwd pw, *pwd; + return getpwuid_r(0, &pw, 0, 0, &pwd) < 0; +} +]])],[ac_cv_func_getpwuid_r_posix=yes],[ac_cv_func_getpwuid_r_posix=no],[:]) +LIBS="$ac_libs") + AC_CACHE_CHECK(if _POSIX_PTHREAD_SEMANTICS is needed,ac_cv_func_getpwuid_r_posix_def, + 
ac_libs="$LIBS" + LIBS="$LIBS $LIB_getpwuid_r" + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include +int main(int argc, char **argv) +{ + struct passwd pw, *pwd; + return getpwuid_r("", &pw, 0, 0, &pwd) < 0; +} +]])],[ac_cv_func_getpwuid_r_posix_def=no],[ac_cv_func_getpwuid_r_posix_def=yes],[:]) +LIBS="$ac_libs") +if test "$ac_cv_func_getpwuid_r_posix" = yes; then + AC_DEFINE(POSIX_GETPWUID_R, 1, [Define if getpwuid_r has POSIX flavour.]) +fi +fi +]) diff --git a/third_party/heimdal/cf/check-man.m4 b/third_party/heimdal/cf/check-man.m4 new file mode 100644 index 0000000..ad013a4 --- /dev/null +++ b/third_party/heimdal/cf/check-man.m4 @@ -0,0 +1,57 @@ +dnl $Id$ +dnl check how to format manual pages +dnl + +AC_DEFUN([rk_CHECK_MAN], +[AC_PATH_PROG(NROFF, nroff) +AC_PATH_PROG(GROFF, groff) +AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format, +[cat > conftest.1 << END +.Dd January 1, 1970 +.Dt CONFTEST 1 +.Sh NAME +.Nm conftest +.Nd foobar +END + +if test "$NROFF" ; then + for i in "-mdoc" "-mandoc"; do + if "$NROFF" $i conftest.1 2> /dev/null | \ + grep Jan > /dev/null 2>&1 ; then + ac_cv_sys_man_format="$NROFF $i" + break + fi + done +fi +if test "$ac_cv_sys_man_format" = "" -a "$GROFF" ; then + for i in "-mdoc" "-mandoc"; do + if "$GROFF" -Tascii $i conftest.1 2> /dev/null | \ + grep Jan > /dev/null 2>&1 ; then + ac_cv_sys_man_format="$GROFF -Tascii $i" + break + fi + done +fi +if test "$ac_cv_sys_man_format"; then + ac_cv_sys_man_format="$ac_cv_sys_man_format \[$]< > \[$]@" +fi +]) +if test "$ac_cv_sys_man_format"; then + CATMAN="$ac_cv_sys_man_format" + AC_SUBST(CATMAN) +fi +AM_CONDITIONAL(CATMAN, test "$CATMAN") +AC_CACHE_CHECK(extension of pre-formatted manual pages,ac_cv_sys_catman_ext, +[if grep _suffix /etc/man.conf > /dev/null 2>&1; then + ac_cv_sys_catman_ext=0 +else + ac_cv_sys_catman_ext=number +fi +]) +if test "$ac_cv_sys_catman_ext" = number; then + CATMANEXT='$$section' +else + CATMANEXT=0 +fi +AC_SUBST(CATMANEXT) +]) 
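Review bot: In cf/check-getpwnam_r-posix.m4, the second probe inside AC_CHECK_GETPWUID_R_POSIX calls `getpwuid_r("", &pw, 0, 0, &pwd)`, passing a string literal where the first probe passes the uid 0; it looks copied from the getpwnam_r macro. A compiler that rejects the pointer-to-integer conversion makes this probe fail to build, and the failure branch then sets ac_cv_func_getpwuid_r_posix_def=yes for the wrong reason. Suggest `getpwuid_r(0, &pw, 0, 0, &pwd)`. The result ac_cv_func_getpwuid_r_posix_def is also never read in this macro, whereas the getpwnam_r macro uses its counterpart to define _POSIX_PTHREAD_SEMANTICS, so either use it the same way or drop the probe. In all four AC_RUN_IFELSE calls the cross-compiling action is `[:]`, which leaves the cache variable empty, and the later `= yes` tests then silently treat the function as non-POSIX; an explicit default or a warning would make that visible.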
diff --git a/third_party/heimdal/cf/check-netinet-ip-and-tcp.m4 b/third_party/heimdal/cf/check-netinet-ip-and-tcp.m4 new file mode 100644 index 0000000..65c5f64 --- /dev/null +++ b/third_party/heimdal/cf/check-netinet-ip-and-tcp.m4 @@ -0,0 +1,33 @@ +dnl +dnl $Id$ +dnl + +dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3 +dnl you have to include standards.h before including these files + +AC_DEFUN([CHECK_NETINET_IP_AND_TCP], +[ +AC_CHECK_HEADERS(standards.h) +for i in netinet/ip.h netinet/tcp.h; do + +cv=`echo "$i" | sed 'y%./+-%__p_%'` + +AC_CACHE_CHECK([for $i],ac_cv_header_$cv, +[AC_PREPROC_IFELSE([AC_LANG_SOURCE([[ +#ifdef HAVE_STANDARDS_H +#include +#endif +#include <$i> +]])], +[eval "ac_cv_header_$cv=yes"], +[eval "ac_cv_header_$cv=no"])]) +ac_res=`eval echo \\$ac_cv_header_$cv` +if test "$ac_res" = yes; then + ac_tr_hdr=HAVE_`echo $i | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + AC_DEFINE_UNQUOTED($ac_tr_hdr, 1) +fi +done +if false;then + AC_CHECK_HEADERS(netinet/ip.h netinet/tcp.h) +fi +]) diff --git a/third_party/heimdal/cf/check-type-extra.m4 b/third_party/heimdal/cf/check-type-extra.m4 new file mode 100644 index 0000000..f881120 --- /dev/null +++ b/third_party/heimdal/cf/check-type-extra.m4 @@ -0,0 +1,23 @@ +dnl $Id$ +dnl +dnl ac_check_type + extra headers + +dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS) +AC_DEFUN([AC_CHECK_TYPE_EXTRA], +[AC_REQUIRE([AC_HEADER_STDC])dnl +AC_MSG_CHECKING(for $1) +AC_CACHE_VAL(ac_cv_type_$1, +[AC_EGREP_CPP(dnl +changequote(<<,>>)dnl +<<$1[^a-zA-Z_0-9]>>dnl +changequote([,]), [#include +#if STDC_HEADERS +#include +#include +#endif +$3], ac_cv_type_$1=yes, ac_cv_type_$1=no)])dnl +AC_MSG_RESULT($ac_cv_type_$1) +if test $ac_cv_type_$1 = no; then + AC_DEFINE($1, $2, [Define this to what the type $1 should be.]) +fi +]) diff --git a/third_party/heimdal/cf/check-var.m4 b/third_party/heimdal/cf/check-var.m4 new file mode 100644 index 0000000..71d6f70 --- /dev/null 
+++ b/third_party/heimdal/cf/check-var.m4 @@ -0,0 +1,28 @@ +dnl $Id$ +dnl +dnl rk_CHECK_VAR(variable, includes) +AC_DEFUN([rk_CHECK_VAR], [ +AC_MSG_CHECKING(for $1) +AC_CACHE_VAL(ac_cv_var_$1, [ +m4_ifval([$2],[ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2 + void * foo(void) { return &$1; }]],[[foo()]])], + [ac_cv_var_$1=yes],[ac_cv_var_$1=no])]) +if test "$ac_cv_var_$1" != yes ; then +AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2 +extern int $1; +int foo(void) { return $1; }]],[[foo()]])], + [ac_cv_var_$1=yes],[ac_cv_var_$1=no]) +fi +]) +ac_foo=`eval echo \\$ac_cv_var_$1` +AC_MSG_RESULT($ac_foo) +if test "$ac_foo" = yes; then + AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, + [Define if you have the `]$1[' variable.]) + m4_ifval([$2], [AC_CHECK_DECLS([$1],[],[],[$2])]) +fi +]) + +AC_WARNING_ENABLE([obsolete]) +AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo]) diff --git a/third_party/heimdal/cf/crypto.m4 b/third_party/heimdal/cf/crypto.m4 new file mode 100644 index 0000000..b8b011d --- /dev/null +++ b/third_party/heimdal/cf/crypto.m4 
@@ -0,0 +1,166 @@ +dnl $Id$ +dnl +dnl test for crypto libraries: +dnl - libcrypto (from openssl) +dnl - own-built libhcrypto + +m4_define([test_headers], [ + #undef KRB5 /* makes md4.h et al unhappy */ + #ifdef HAVE_HCRYPTO_W_OPENSSL + #ifdef HAVE_SYS_TYPES_H + #include + #endif + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #else + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #endif + ]) +m4_define([test_body], [ + void *schedule = 0; + EVP_MD_CTX mdctx; + + EVP_md4(); + EVP_md5(); + EVP_sha1(); + EVP_sha256(); + + EVP_MD_CTX_init(&mdctx); + EVP_DigestInit_ex(&mdctx, EVP_sha1(), (ENGINE *)0); + EVP_CIPHER_iv_length(((EVP_CIPHER*)0)); + UI_UTIL_read_pw_string(0,0,0,0); + RAND_status(); + #ifdef HAVE_HCRYPTO_W_OPENSSL + EC_KEY_new(); + #endif + + OpenSSL_add_all_algorithms(); + AES_encrypt(0,0,0); + DES_cbc_encrypt(0, 0, 0, schedule, 0, 0); + RC4(0, 0, 0, 0);]) + +AC_DEFUN([KRB_CRYPTO],[ +AC_ARG_WITH([hcrypto-default-backend], + AS_HELP_STRING([--with-hcrypto-default-backend=cc|pkcs11_hcrypto|ossl|w32crypto|hcrypto], + [specify the default hcrypto backend]), + [ + CFLAGS="${CFLAGS} -DHCRYPTO_DEF_PROVIDER=${withval}" + case "$withval" in + cc) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [cc], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + pkcs11_hcrypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [pkcs11_hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + ossl) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [ossl], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + w32crypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [w32crypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + hcrypto) 
AC_DEFINE(HCRYPTO_DEF_PROVIDER, [hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);; + *) echo "Invalid hcrypto provider name ($withval)"; exit 5;; + esac + ], + []) +AC_ARG_WITH([hcrypto-fallback], + AS_HELP_STRING([--without-hcrypto-fallback], + [disable fallback on hcrypto for unavailable algorithms]), + [AC_DEFINE([HCRYPTO_FALLBACK],0,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])], + [AC_DEFINE([HCRYPTO_FALLBACK],1,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])]) +AC_WITH_ALL([openssl]) + +AC_MSG_CHECKING([for crypto library]) + +openssl=no + +if test "$with_openssl" = "yes"; then + with_openssl=/usr +fi +if test "$with_openssl" != "no"; then + saved_CFLAGS="${CFLAGS}" + saved_LDFLAGS="${LDFLAGS}" + INCLUDE_openssl_crypto= + LIB_openssl_crypto= + if test "$with_openssl_include" != ""; then + INCLUDE_openssl_crypto="-I${with_openssl_include}" + else + INCLUDE_openssl_crypto="-I${with_openssl}/include" + fi + if test "$with_openssl_lib" != ""; then + LIB_openssl_crypto="-L${with_openssl_lib}" + elif test "${with_openssl}" != "/usr" -a -d "${with_openssl}/lib"; then + LIB_openssl_crypto="-L${with_openssl}/lib" + fi + CFLAGS="-DHAVE_HCRYPTO_W_OPENSSL ${INCLUDE_openssl_crypto} ${CFLAGS}" + LDFLAGS="${LIB_openssl_crypto} ${LDFLAGS}" + AC_CHECK_LIB([crypto], [OPENSSL_init], + [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto"; openssl=yes], [openssl=no], []) + # These cases are just for static linking on older OSes, + # presumably. 
+ if test "$openssl" = "no"; then + AC_CHECK_LIB([crypto], [OPENSSL_init], + [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto -ldl"; openssl=yes], [openssl=no], [-ldl]) + fi + if test "$openssl" = "no"; then + AC_CHECK_LIB([crypto], [OPENSSL_init], + [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto -ldl -lnsl"; openssl=yes], [openssl=no], [-ldl -lnsl]) + fi + if test "$openssl" = "no"; then + AC_CHECK_LIB([crypto], [OPENSSL_init], + [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto -ldl -lnsl -lsocket"; openssl=yes], [openssl=no], [-ldl -lnsl -lsocket]) + fi + if test "$openssl" = "no"; then + INCLUDE_openssl_crypto= + LIB_openssl_crypto= + fi + CFLAGS="${saved_CFLAGS}" + LDFLAGS="${saved_LDFLAGS}" +fi + +LIB_hcrypto='$(top_builddir)/lib/hcrypto/libhcrypto.la' +LIB_hcrypto_a='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.a' +LIB_hcrypto_so='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.so' +LIB_hcrypto_appl="-lhcrypto" + +AC_MSG_RESULT([included libhcrypto]) + +AC_ARG_WITH(pkcs11-module, + AS_HELP_STRING([--with-pkcs11-module=path], + [use PKCS11 module in path]), + [pkcs11_module="$withval"], + []) + +if test "$pkcs11_module" != ""; then + AC_DEFINE_UNQUOTED(PKCS11_MODULE_PATH, "$pkcs11_module", [path to PKCS11 module]) + openssl=no +fi + +if test "$openssl" = "yes"; then + AC_DEFINE([HAVE_HCRYPTO_W_OPENSSL], 1, [define to use openssl's libcrypto as the default backend for libhcrypto]) +fi +AM_CONDITIONAL(HAVE_HCRYPTO_W_OPENSSL, test "$openssl" = yes)dnl + +AC_SUBST(INCLUDE_openssl_crypto) +AC_SUBST(LIB_openssl_crypto) +AC_SUBST(LIB_hcrypto) +AC_SUBST(LIB_hcrypto_a) +AC_SUBST(LIB_hcrypto_so) +AC_SUBST(LIB_hcrypto_appl) +]) diff --git a/third_party/heimdal/cf/db.m4 b/third_party/heimdal/cf/db.m4 new file mode 100644 index 0000000..c0b4510 --- /dev/null +++ b/third_party/heimdal/cf/db.m4 
@@ -0,0 +1,268 @@ +dnl $Id$ +dnl +dnl tests for various db libraries +dnl + +AC_DEFUN([rk_DB],[ +AC_ARG_WITH(db-type-preference, + AS_HELP_STRING([--with-db-type-preference=list], + [specify HDB backend DB type preference as whitespace-separated list of db1, db3, lmdb, and/or sqlite]), + [db_type_preference="$withval"], + [db_type_preference="lmdb db3 db1 sqlite"]) +AC_ARG_WITH(berkeley-db, + AS_HELP_STRING([--with-berkeley-db], + [enable support for berkeley db @<:@default=check@:>@]), + [], + [with_berkeley_db=check]) + +dbheader="" +AC_ARG_WITH(berkeley-db-include, + AS_HELP_STRING([--with-berkeley-db-include=dir], + [use berkeley-db headers in dir]), + [dbheader=$withval], + [with_berkeley_db_include=check]) + +AC_ARG_ENABLE(ndbm-db, + AS_HELP_STRING([--disable-ndbm-db], + [if you don't want ndbm db]),[ +]) + +AC_ARG_ENABLE(mdb-db, + AS_HELP_STRING([--disable-mdb-db], + [if you don't want LMDB]),[ +]) + +have_db1=no +have_db3=no +have_lmdb=no +db_type=unknown + +AS_IF([test "x$with_berkeley_db" != xno], + [AS_IF([test "x$with_berkeley_db_include" != xcheck], + [AC_CHECK_HEADERS(["$dbheader/db.h"], + [AC_SUBST([DBHEADER], [$dbheader]) + AC_DEFINE([HAVE_DBHEADER], [1], + [Define if you have user supplied header location]) + ], + [if test "x$with_berkeley_db_include" != xcheck; then + AC_MSG_FAILURE( + [--with-berkeley-db-include was given but include test failed]) + fi + ])], + [AC_CHECK_HEADERS([ \ + db6/db.h \ + db5/db.h \ + db4/db.h \ + db3/db.h \ + db.h \ + ])]) + +dnl db_create is used by db3 and db4 and db5 and db6 + + AC_FIND_FUNC_NO_LIBS(db_create, [$dbheader] db-6 db-5 db4 db3 db, [ + #include + #ifdef HAVE_DBHEADER + #include <$dbheader/db.h> + #elif HAVE_DB6_DB_H + #include + #elif HAVE_DB5_DB_H + #include + #elif HAVE_DB4_DB_H + #include + #elif defined(HAVE_DB3_DB_H) + #include + #else + #include + #endif + ],[NULL, NULL, 0]) + + if test "$ac_cv_func_db_create" = "yes"; then + have_db3=yes + if test "$ac_cv_funclib_db_create" != "yes"; then + 
DB3LIB="$ac_cv_funclib_db_create" + else + DB3LIB="" + fi + AC_DEFINE(HAVE_DB3, 1, [define if you have a berkeley db3/4/5/6 library]) + fi + +dnl dbopen is used by db1/db2 + + AC_FIND_FUNC_NO_LIBS(dbopen, db2 db, [ + #include + #if defined(HAVE_DB2_DB_H) + #include + #elif defined(HAVE_DB_H) + #include + #else + #error no db.h + #endif + ],[NULL, 0, 0, 0, NULL]) + + if test "$ac_cv_func_dbopen" = "yes"; then + have_db1=yes + if test "$ac_cv_funclib_dbopen" != "yes"; then + DB1LIB="$ac_cv_funclib_dbopen" + else + DB1LIB="" + fi + AC_DEFINE(HAVE_DB1, 1, [define if you have a berkeley db1/2 library]) + fi + +dnl test for ndbm compatability + + if test "$ac_cv_func_dbm_firstkey" != yes; then + AC_FIND_FUNC_NO_LIBS2(dbm_firstkey, $ac_cv_funclib_dbopen $ac_cv_funclib_db_create, [ + #include + #define DB_DBM_HSEARCH 1 + #include + DBM *dbm; + ],[NULL]) + + if test "$ac_cv_func_dbm_firstkey" = "yes"; then + if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then + NDBMLIB="$ac_cv_funclib_dbm_firstkey" + else + NDBMLIB="" + fi + AC_DEFINE(HAVE_DB_NDBM, 1, [define if you have ndbm compat in db]) + AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files *.db)]) + else + $as_unset ac_cv_func_dbm_firstkey + $as_unset ac_cv_funclib_dbm_firstkey + fi + fi + +]) # fi berkeley db + + +AS_IF([test "x$enable_mdb_db" != xno], + [AC_CHECK_HEADER(lmdb.h, [ + AC_CHECK_LIB(lmdb, mdb_env_create, have_lmdb=yes; LMDBLIB="-llmdb" + AC_DEFINE(HAVE_LMDB, 1, [define if you have the LMDB library]))])]) + +for db_type in unknown $db_type_preference; do + if eval test \"x\$have_${db_type}\" = xyes -o ${db_type} = sqlite; then + break + fi + db_type=unknown +done + +AS_IF([test "x$have_db3" = xyes -a "$db_type" = unknown], db_type=db3, db_type="$db_type") +AS_IF([test "x$have_db1" = xyes -a "$db_type" = unknown], db_type=db1, db_type="$db_type") +AS_IF([test "x$have_lmdb" = xyes -a "$db_type" = unknown], db_type=lmdb, db_type="$db_type") + +if test "$enable_ndbm_db" != "no"; then + + if 
test "$db_type" = "unknown" -o "$ac_cv_func_dbm_firstkey" = ""; then + + AC_CHECK_HEADERS([ \ + dbm.h \ + ndbm.h \ + ]) + + AC_FIND_FUNC_NO_LIBS(dbm_firstkey, ndbm, [ + #include + #if defined(HAVE_NDBM_H) + #include + #elif defined(HAVE_DBM_H) + #include + #endif + DBM *dbm; + ],[NULL]) + + if test "$ac_cv_func_dbm_firstkey" = "yes"; then + if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then + NDBMLIB="$ac_cv_funclib_dbm_firstkey" + else + NDBMLIB="" + fi + AC_DEFINE(HAVE_NDBM, 1, [define if you have a ndbm library])dnl + have_ndbm=yes + else + + $as_unset ac_cv_func_dbm_firstkey + $as_unset ac_cv_funclib_dbm_firstkey + + AC_CHECK_HEADERS([ \ + gdbm/ndbm.h \ + ]) + + AC_FIND_FUNC_NO_LIBS(dbm_firstkey, gdbm, [ + #include + #include + DBM *dbm; + ],[NULL]) + + if test "$ac_cv_func_dbm_firstkey" = "yes"; then + if test "$ac_cv_funclib_dbm_firstkey" != "yes"; then + NDBMLIB="$ac_cv_funclib_dbm_firstkey" + else + NDBMLIB="" + fi + AC_DEFINE(HAVE_NDBM, 1, [define if you have a ndbm library])dnl + have_ndbm=yes + if test "$db_type" = "unknown"; then + db_type=ndbm + fi + fi + fi + fi #enable_ndbm_db +fi # unknown + +if test "$have_ndbm" = "yes"; then + AC_MSG_CHECKING([if ndbm is implemented with db]) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#include +#include +#if defined(HAVE_GDBM_NDBM_H) +#include +#elif defined(HAVE_NDBM_H) +#include +#elif defined(HAVE_DBM_H) +#include +#endif +int main(int argc, char **argv) +{ + DBM *d; + + d = dbm_open("conftest", O_RDWR | O_CREAT, 0666); + if (d == NULL) + return 1; + dbm_close(d); + return 0; +}]])],[ + if test -f conftest.db; then + AC_MSG_RESULT([yes]) + AC_DEFINE(HAVE_NEW_DB, 1, [Define if NDBM really is DB (creates files *.db)]) + else + AC_MSG_RESULT([no]) + fi],[AC_MSG_RESULT([no])],[AC_MSG_RESULT([no-cross])]) +fi + +AM_CONDITIONAL(HAVE_DB1, test "$have_db1" = yes)dnl +AM_CONDITIONAL(HAVE_DB3, test "$have_db3" = yes)dnl +AM_CONDITIONAL(HAVE_LMDB, test "$have_lmdb" = yes)dnl +AM_CONDITIONAL(HAVE_NDBM, test "$have_ndbm" = 
yes)dnl +AM_CONDITIONAL(HAVE_DBHEADER, test "$dbheader" != "")dnl + +## it's probably not correct to include LDFLAGS here, but we might +## need it, for now just add any possible -L +z="" +for i in $LDFLAGS; do + case "$i" in + -L*) z="$z $i";; + esac +done +DB3LIB="$z $DB3LIB" +DB1LIB="$z $DB1LIB" +LMDBLIB="$z $LMDBLIB" +NDMBLIB="$z $NDBMLIB" +AC_SUBST(DB3LIB)dnl +AC_SUBST(DB1LIB)dnl +AC_SUBST(LMDBLIB)dnl +AC_SUBST(NDBMLIB)dnl +AC_SUBST(NDBMLIB)dnl +AC_SUBST(db_type)dnl +AC_SUBST(db_type_preference)dnl +]) diff --git a/third_party/heimdal/cf/destdirs.m4 b/third_party/heimdal/cf/destdirs.m4 new file mode 100644 index 0000000..36baafd --- /dev/null +++ b/third_party/heimdal/cf/destdirs.m4 @@ -0,0 +1,18 @@ +dnl +dnl $Id$ +dnl + +AC_DEFUN([rk_DESTDIRS], [ +# This is done by AC_OUTPUT but we need the result here. +test "x$prefix" = xNONE && prefix=$ac_default_prefix +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +AC_FOREACH([rk_dir], [bin lib libexec localstate sbin sysconf], [ + x="${rk_dir[]dir}" + eval y="$x" + while test "x$y" != "x$x"; do + x="$y" + eval y="$x" + done + AC_DEFINE_UNQUOTED(AS_TR_CPP(rk_dir[]dir), "$x", [path to ]rk_dir[])]) +]) diff --git a/third_party/heimdal/cf/dispatch.m4 b/third_party/heimdal/cf/dispatch.m4 new file mode 100644 index 0000000..76c5f47 --- /dev/null +++ b/third_party/heimdal/cf/dispatch.m4 @@ -0,0 +1,23 @@ + +AC_DEFUN([rk_LIBDISPATCH],[ + +AC_CHECK_PROGS(GCD_MIG, mig, no) + +if test "$GCD_MIG" != no; then + AC_CHECK_HEADERS([dispatch/dispatch.h]) + AC_FIND_FUNC_NO_LIBS(dispatch_async_f, dispatch, + [#ifdef HAVE_DISPATCH_DISPATCH_H + #include + #endif],[0,0,0]) + + if test "$ac_cv_func_dispatch_async_f" = yes -a "$GCD_MIG" != no; then + AC_DEFINE([HAVE_GCD], 1, [Define if os support gcd.]) + libdispatch=yes + else + libdispatch=no + fi + +fi +AM_CONDITIONAL(have_gcd, test "$libdispatch" = yes -a "$GCD_MIG" != no) + +]) 
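Review bot: In cf/db.m4, near the end of rk_DB, `NDMBLIB="$z $NDBMLIB"` assigns to a misspelled variable, so the -L flags collected from LDFLAGS are prepended to DB3LIB, DB1LIB and LMDBLIB but never reach the substituted NDBMLIB. Suggest `NDBMLIB="$z $NDBMLIB"`. AC_SUBST(NDBMLIB) is also listed twice in a row, and the closing comments `fi #enable_ndbm_db` and `fi # unknown` sit on the wrong `fi`: the inner one closes the db_type/dbm_firstkey test and the outer one closes the enable_ndbm_db test.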
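Review bot: In cf/crypto.m4, the three fallback calls `AC_CHECK_LIB([crypto], [OPENSSL_init], ...)` that add -ldl, -ldl -lnsl and -ldl -lnsl -lsocket all share the cache variable of the first call, because AC_CHECK_LIB keys its cache on library and function only, not on the other-libraries argument. Once the first probe caches "no", the retries return the cached answer without linking, so the static-linking fallbacks never run; unsetting ac_cv_lib_crypto_OPENSSL_init between attempts, the way db.m4 uses $as_unset, would fix that. In the --with-hcrypto-default-backend handler, -DHCRYPTO_DEF_PROVIDER=${withval} is appended to CFLAGS before the case statement validates the value, the same macro is then defined again through AC_DEFINE, and the invalid case uses `echo ...; exit 5` where AC_MSG_ERROR would be the usual form. AC_MSG_RESULT([included libhcrypto]) is printed unconditionally and --with-pkcs11-module forces openssl=no without a message, so the configure output does not show which crypto backend was actually selected; reporting the value of $openssl there would help anyone auditing a build.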
diff --git a/third_party/heimdal/cf/dlopen.m4 b/third_party/heimdal/cf/dlopen.m4 new file mode 100644 index 0000000..1756843 --- /dev/null +++ b/third_party/heimdal/cf/dlopen.m4 @@ -0,0 +1,19 @@ +dnl +dnl $Id$ +dnl + +AC_DEFUN([rk_DLOPEN], [ + AC_FIND_FUNC_NO_LIBS(dlopen, dl,[ +#ifdef HAVE_DLFCN_H +#include +#endif],[0,0]) + AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no) +]) + +AC_DEFUN([rk_DLADDR], [ + AC_FIND_FUNC_NO_LIBS(dladdr, dl,[ +#ifdef HAVE_DLFCN_H +#include +#endif],[0,0]) + AM_CONDITIONAL(HAVE_DLADDR, test "$ac_cv_funclib_dladdr" != no) +]) diff --git a/third_party/heimdal/cf/find-func-no-libs.m4 b/third_party/heimdal/cf/find-func-no-libs.m4 new file mode 100644 index 0000000..f341340 --- /dev/null +++ b/third_party/heimdal/cf/find-func-no-libs.m4 @@ -0,0 +1,9 @@ +dnl $Id$ +dnl +dnl +dnl Look for function in any of the specified libraries +dnl + +dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args) +AC_DEFUN([AC_FIND_FUNC_NO_LIBS], [ +AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])]) diff --git a/third_party/heimdal/cf/find-func-no-libs2.m4 b/third_party/heimdal/cf/find-func-no-libs2.m4 new file mode 100644 index 0000000..5e5ed0e --- /dev/null +++ b/third_party/heimdal/cf/find-func-no-libs2.m4 
@@ -0,0 +1,62 @@ +dnl $Id$ +dnl +dnl +dnl Look for function in any of the specified libraries +dnl + +dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args) +AC_DEFUN([AC_FIND_FUNC_NO_LIBS2], [ + +AC_MSG_CHECKING([for $1]) +AC_CACHE_VAL(ac_cv_funclib_$1, +[ +if eval "test \"\$ac_cv_func_$1\" != yes" ; then + ac_save_LIBS="$LIBS" + for ac_lib in $2; do + case "$ac_lib" in + "") ;; + yes) ac_lib="" ;; + no) continue ;; + -l*) ;; + *) ac_lib="-l$ac_lib" ;; + esac + LIBS="$6 $ac_lib $5 $ac_save_LIBS" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[$3]],[[$1($4)]])],[eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break]) + done + eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}" + LIBS="$ac_save_LIBS" +fi +]) + +eval "ac_res=\$ac_cv_funclib_$1" + +if false; then + AC_CHECK_FUNCS($1) +dnl AC_CHECK_LIBS($2, foo) +fi +# $1 +eval "ac_tr_func=HAVE_[]upcase($1)" +eval "ac_tr_lib=HAVE_LIB[]upcase($ac_res | sed -e 's/-l//')" +eval "LIB_$1=$ac_res" + +case "$ac_res" in + yes) + eval "ac_cv_func_$1=yes" + eval "LIB_$1=" + AC_DEFINE_UNQUOTED($ac_tr_func) + AC_MSG_RESULT([yes]) + ;; + no) + eval "ac_cv_func_$1=no" + eval "LIB_$1=" + AC_MSG_RESULT([no]) + ;; + *) + eval "ac_cv_func_$1=yes" + AC_DEFINE_UNQUOTED($ac_tr_func) + AC_DEFINE_UNQUOTED($ac_tr_lib) + AC_MSG_RESULT([yes, in $ac_res]) + ;; +esac +AC_SUBST(LIB_$1) +]) diff --git a/third_party/heimdal/cf/find-func.m4 b/third_party/heimdal/cf/find-func.m4 new file mode 100644 index 0000000..865772a --- /dev/null +++ b/third_party/heimdal/cf/find-func.m4 @@ -0,0 +1,9 @@ +dnl $Id$ +dnl +dnl AC_FIND_FUNC(func, libraries, includes, arguments) +AC_DEFUN([AC_FIND_FUNC], [ +AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4]) +if test -n "$LIB_$1"; then + LIBS="$LIB_$1 $LIBS" +fi +]) diff --git a/third_party/heimdal/cf/find-if-not-broken.m4 b/third_party/heimdal/cf/find-if-not-broken.m4 new file mode 100644 index 0000000..1397616 --- /dev/null 
+++ b/third_party/heimdal/cf/find-if-not-broken.m4 @@ -0,0 +1,12 @@ +dnl $Id$ +dnl +dnl +dnl Mix between AC_FIND_FUNC and AC_BROKEN +dnl + +AC_DEFUN([AC_FIND_IF_NOT_BROKEN], +[AC_FIND_FUNC([$1], [$2], [$3], [$4]) +if eval "test \"$ac_cv_func_$1\" != yes"; then + rk_LIBOBJ([$1]) +fi +]) diff --git a/third_party/heimdal/cf/framework-corefoundation.m4 b/third_party/heimdal/cf/framework-corefoundation.m4 new file mode 100644 index 0000000..a23c4c7 --- /dev/null +++ b/third_party/heimdal/cf/framework-corefoundation.m4 @@ -0,0 +1,28 @@ +AC_DEFUN([rk_FRAMEWORK_COREFOUNDATION], [ + +AC_MSG_CHECKING([for framework CoreFoundation]) +AC_CACHE_VAL(rk_cv_framework_corefoundation, +[ +if test "$rk_cv_framework_corefoundation" != yes; then + ac_save_LIBS="$LIBS" + LIBS="$ac_save_LIBS -framework CoreFoundation" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include +]], +[[CFURLRef url; +char path[] = "/"; +url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (UInt8 *) +path, strlen(path), FALSE); +CFRelease(url); +]])],[rk_cv_framework_corefoundation=yes]) + LIBS="$ac_save_LIBS" +fi +]) + +if test "$rk_cv_framework_corefoundation" = yes; then + AC_DEFINE(HAVE_FRAMEWORK_COREFOUNDATION, 1, [Have -framework CoreFoundation]) + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) +fi +AM_CONDITIONAL(FRAMEWORK_COREFOUNDATION, test "$rk_cv_framework_corefoundation" = yes) +]) diff --git a/third_party/heimdal/cf/framework-security.m4 b/third_party/heimdal/cf/framework-security.m4 new file mode 100644 index 0000000..3358292 --- /dev/null +++ b/third_party/heimdal/cf/framework-security.m4 
@@ -0,0 +1,31 @@ +AC_DEFUN([rk_FRAMEWORK_SECURITY], [ + +AC_MSG_CHECKING([for framework security]) +AC_CACHE_VAL(rk_cv_framework_security, +[ +if test "$rk_cv_framework_security" != yes; then + ac_save_LIBS="$LIBS" + LIBS="$ac_save_LIBS -framework Security -framework CoreFoundation" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include +]], +[[SecKeychainSearchRef searchRef; +SecKeychainSearchCreateFromAttributes(NULL,kSecCertificateItemClass,NULL, &searchRef); +CFRelease(&searchRef); +]])],[rk_cv_framework_security=yes]) + LIBS="$ac_save_LIBS" +fi +]) + +if test "$rk_cv_framework_security" = yes; then + AC_DEFINE(HAVE_FRAMEWORK_SECURITY, 1, [Have -framework Security]) + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) +fi +AM_CONDITIONAL(FRAMEWORK_SECURITY, test "$rk_cv_framework_security" = yes) + +if test "$rk_cv_framework_security" = yes; then + AC_NEED_PROTO([#include ],SecKeyGetCSPHandle) +fi + +]) diff --git a/third_party/heimdal/cf/have-pragma-weak.m4 b/third_party/heimdal/cf/have-pragma-weak.m4 new file mode 100644 index 0000000..cd892bd --- /dev/null +++ b/third_party/heimdal/cf/have-pragma-weak.m4 
@@ -0,0 +1,37 @@ +dnl $Id$ +dnl +AC_DEFUN([AC_HAVE_PRAGMA_WEAK], [ +if test "${enable_shared}" = "yes"; then +AC_MSG_CHECKING(for pragma weak) +AC_CACHE_VAL(ac_have_pragma_weak, [ +ac_have_pragma_weak=no +cat > conftest_foo.$ac_ext <<'EOF' +[#]line __oline__ "configure" +#include "confdefs.h" +#pragma weak foo = _foo +int _foo = 17; +EOF +cat > conftest_bar.$ac_ext <<'EOF' +[#]line __oline__ "configure" +#include "confdefs.h" +extern int foo; + +int t(void) { + return foo; +} + +int main(int argc, char **argv) { + return t(); +} +EOF +if AC_TRY_EVAL('CC -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest_foo.$ac_ext conftest_bar.$ac_ext 1>&AC_FD_CC'); then +ac_have_pragma_weak=yes +fi +rm -rf conftest* +]) +if test "$ac_have_pragma_weak" = "yes"; then + AC_DEFINE(HAVE_PRAGMA_WEAK, 1, [Define this if your compiler supports \`#pragma weak.'])dnl +fi +AC_MSG_RESULT($ac_have_pragma_weak) +fi +]) diff --git a/third_party/heimdal/cf/have-struct-field.m4 b/third_party/heimdal/cf/have-struct-field.m4 new file mode 100644 index 0000000..bb7bcef --- /dev/null +++ b/third_party/heimdal/cf/have-struct-field.m4 @@ -0,0 +1,21 @@ +dnl $Id$ +dnl +dnl check for fields in a structure +dnl +dnl AC_HAVE_STRUCT_FIELD(struct, field, headers) + +AC_DEFUN([AC_HAVE_STRUCT_FIELD], [ +define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_])) +AC_CACHE_CHECK([for $2 in $1], cache_val,[ +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$3]], + [[$1 x; memset(&x, 0, sizeof(x)); x.$2]])], + [cache_val=yes], + [cache_val=no]) +]) +if test "$cache_val" = yes; then + define(foo, translit(HAVE_$1_$2, [a-z ], [A-Z_])) + AC_DEFINE(foo, 1, [Define if $1 has field $2.]) + undefine([foo]) +fi +undefine([cache_val]) +]) diff --git a/third_party/heimdal/cf/have-type.m4 b/third_party/heimdal/cf/have-type.m4 new file mode 100644 index 0000000..4c533a6 --- /dev/null +++ b/third_party/heimdal/cf/have-type.m4 
@@ -0,0 +1,30 @@ +dnl $Id$ +dnl +dnl check for existance of a type + +dnl AC_HAVE_TYPE(TYPE,INCLUDES) +AC_DEFUN([AC_HAVE_TYPE], [ +AC_REQUIRE([AC_HEADER_STDC]) +cv=`echo "$1" | sed 'y%./+- %__p__%'` +AC_MSG_CHECKING(for $1) +AC_CACHE_VAL([ac_cv_type_$cv], +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#if STDC_HEADERS +#include +#include +#endif +$2]], +[[$1 foo;]])], +[eval "ac_cv_type_$cv=yes"], +[eval "ac_cv_type_$cv=no"]))dnl +ac_foo=`eval echo \\$ac_cv_type_$cv` +AC_MSG_RESULT($ac_foo) +if test "$ac_foo" = yes; then + ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'` +if false; then + AC_CHECK_TYPES($1) +fi + AC_DEFINE_UNQUOTED($ac_tr_hdr, 1, [Define if you have type `$1']) +fi +]) diff --git a/third_party/heimdal/cf/have-types.m4 b/third_party/heimdal/cf/have-types.m4 new file mode 100644 index 0000000..7e6e493 --- /dev/null +++ b/third_party/heimdal/cf/have-types.m4 @@ -0,0 +1,12 @@ +dnl +dnl $Id$ +dnl + +AC_DEFUN([AC_HAVE_TYPES], [ +for i in $1; do + AC_HAVE_TYPE($i) +done +if false;then + AC_CHECK_FUNCS($1) +fi +]) diff --git a/third_party/heimdal/cf/install-catman.sh b/third_party/heimdal/cf/install-catman.sh new file mode 100644 index 0000000..f1a2581 --- /dev/null +++ b/third_party/heimdal/cf/install-catman.sh 
@@ -0,0 +1,74 @@ +#!/bin/sh +# +# $Id$ +# +# install preformatted manual pages + +cmd="$1"; shift +INSTALL_DATA="$1"; shift +mkinstalldirs="$1"; shift +srcdir="$1"; shift +manbase="$1"; shift +suffix="$1"; shift +catinstall="${INSTALL_CATPAGES-yes}" + +for f in "$@"; do + echo $f + base=`echo "$f" | sed 's~\.[^.]*$~~; s~.*/~~'` + section=`echo "$f" | sed 's/^[^.]*\.//'` + mandir="$manbase/man$section" + catdir="$manbase/cat$section" + c="$base.cat$section" + + if test "$catinstall" = yes -a -f "$srcdir/$c"; then + if test "$cmd" = install ; then + if test \! -d "$catdir"; then + eval "$mkinstalldirs $catdir" + fi + eval "echo $INSTALL_DATA $srcdir/$c $catdir/$base.$suffix" + eval "$INSTALL_DATA $srcdir/$c $catdir/$base.$suffix" + elif test "$cmd" = uninstall ; then + eval "echo rm -f $catdir/$base.$suffix" + eval "rm -f $catdir/$base.$suffix" + fi + fi + for link in `sed -n -e '/SYNOPSIS/q;/DESCRIPTION/q;s/^\.Nm \([^ ]*\).*/\1/p' $srcdir/$f`; do + if test "$link" = "$base" ; then + continue + fi + if test "$cmd" = install ; then + target="$mandir/$link.$section" + for lncmd in "ln -f $mandir/$base.$section $target" \ + "ln -s $base.$section $target" \ + "cp -f $mandir/$base.$section $target" + do + if eval "$lncmd"; then + eval echo "$lncmd" + break + fi + done + if test "$catinstall" = yes -a -f "$srcdir/$c"; then + eval target="$catdir/$link.$suffix" + eval source="$catdir/$base.$suffix" + for lncmd in "ln -f $source $target" \ + "ln -fs $source $target" \ + "cp -f $catdir/$source $target" + do + if eval "$lncmd"; then + eval echo "$lncmd" + break + fi + done + fi + elif test "$cmd" = uninstall ; then + target="$mandir/$link.$section" + eval "echo rm -f $target" + eval "rm -f $target" + if test "$catinstall" = yes; then + target="$catdir/$link.$suffix" + eval "echo rm -f $target" + eval "rm -f $target" + fi + fi + done +done diff --git a/third_party/heimdal/cf/irix.m4 b/third_party/heimdal/cf/irix.m4 new file mode 100644 index 0000000..d2b0009 --- /dev/null 
+++ b/third_party/heimdal/cf/irix.m4 @@ -0,0 +1,15 @@ +dnl +dnl $Id$ +dnl + +AC_DEFUN([rk_IRIX], +[ +irix=no +case "$host" in +*-*-irix*) + irix=yes + ;; +esac +AM_CONDITIONAL(IRIX, test "$irix" != no)dnl + +]) diff --git a/third_party/heimdal/cf/krb-bigendian.m4 b/third_party/heimdal/cf/krb-bigendian.m4 new file mode 100644 index 0000000..e803750 --- /dev/null +++ b/third_party/heimdal/cf/krb-bigendian.m4 
@@ -0,0 +1,62 @@ +dnl +dnl $Id$ +dnl + +dnl check if this computer is little or big-endian +dnl if we can figure it out at compile-time then don't define the cpp symbol +dnl otherwise test for it and define it. also allow options for overriding +dnl it when cross-compiling + +AC_DEFUN([KRB_C_BIGENDIAN], [ +AC_ARG_ENABLE(bigendian, + AS_HELP_STRING([--enable-bigendian],[the target is big endian]), +krb_cv_c_bigendian=yes) +AC_ARG_ENABLE(littleendian, + AS_HELP_STRING([--enable-littleendian],[the target is little endian]), +krb_cv_c_bigendian=no) +AC_CACHE_CHECK([whether byte order is known at compile time], +krb_cv_c_bigendian_compile, +[AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ +#include +#include +#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN + bogus endian macros +#endif]])],[krb_cv_c_bigendian_compile=yes],[krb_cv_c_bigendian_compile=no])]) +AC_CACHE_CHECK(whether byte ordering is bigendian, krb_cv_c_bigendian,[ + if test "$krb_cv_c_bigendian_compile" = "yes"; then + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ +#include +#include +#if BYTE_ORDER != BIG_ENDIAN + not big endian +#endif]])],[krb_cv_c_bigendian=yes],[krb_cv_c_bigendian=no]) + else + AC_RUN_IFELSE([AC_LANG_SOURCE([[main (int argc, char **argv) { + /* Are we little or big endian? From Harbison&Steele. */ + union + { + long l; + char c[sizeof (long)]; + } u; + u.l = 1; + exit (u.c[sizeof (long) - 1] == 1); + }]])],[krb_cv_c_bigendian=no],[krb_cv_c_bigendian=yes], + [AC_MSG_ERROR([specify either --enable-bigendian or --enable-littleendian])]) + fi +]) +if test "$krb_cv_c_bigendian" = "yes"; then + AC_DEFINE(WORDS_BIGENDIAN, 1, [define if target is big endian])dnl +fi +if test "$krb_cv_c_bigendian_compile" = "yes"; then + AC_DEFINE(ENDIANESS_IN_SYS_PARAM_H, 1, [define if sys/param.h defines the endiness])dnl +fi +AH_BOTTOM([ +#ifdef ENDIANESS_IN_SYS_PARAM_H +# include +# include +# if BYTE_ORDER == BIG_ENDIAN +# define WORDS_BIGENDIAN 1 +# endif +#endif +]) +]) 
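Review bot: In cf/krb-bigendian.m4, the AC_RUN_IFELSE fallback probe declares `main (int argc, char **argv)` with no return type and calls exit() with no header included, so a compiler that treats implicit int or implicit function declarations as errors cannot build it. AC_RUN_IFELSE takes the same branch for a build failure as for a non-zero exit status, and that branch sets krb_cv_c_bigendian=yes, so on a host where the compile-time check did not succeed a little-endian machine would be configured as big-endian. Suggest `int main(...)` ending in `return u.c[sizeof (long) - 1] == 1;`. The AC_ARG_ENABLE actions also run for any form of the option, so --disable-bigendian sets krb_cv_c_bigendian=yes and --disable-littleendian sets it to no; testing $enableval in the action would avoid that.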
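Review bot: In cf/install-catman.sh, the last fallback in the cat-page link loop is `cp -f $catdir/$source $target`, but `source` was already set to `$catdir/$base.$suffix`, so the path carries the $catdir prefix twice and the copy can only fail. Suggest `cp -f $source $target`, matching the man-page loop above it. Separately, every install, link and remove command is built by interpolating $srcdir, $catdir, $base and $link into a string handed to eval, and $link is taken from the .Nm lines of the man source, so a path or name containing whitespace or shell metacharacters is re-parsed by the shell during make install, which commonly runs as root. Quoting the arguments and invoking the commands directly, keeping eval only where $INSTALL_DATA or $mkinstalldirs need word splitting, would remove that; `echo $f` at the top of the loop should be quoted as well.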
diff --git a/third_party/heimdal/cf/krb-func-getlogin.m4 b/third_party/heimdal/cf/krb-func-getlogin.m4 new file mode 100644 index 0000000..8adfddb --- /dev/null +++ b/third_party/heimdal/cf/krb-func-getlogin.m4 @@ -0,0 +1,32 @@ +dnl +dnl $Id$ +dnl +dnl test for POSIX (broken) getlogin +dnl + + +AC_DEFUN([AC_FUNC_GETLOGIN], [ +AC_CHECK_FUNCS(getlogin getlogin_r setlogin) +if test "$ac_cv_func_getlogin" = yes; then +AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [ +if test "$ac_cv_func_getlogin" = yes -a "$ac_cv_func_setlogin" = yes; then + ac_cv_func_getlogin_posix=no +else + ac_cv_func_getlogin_posix=yes +fi +]) +AC_CACHE_CHECK(if getlogin_r is posix, ac_cv_func_getlogin_r_posix, [ +if test "$ac_cv_func_getlogin_r" = yes -a "$ac_cv_func_setlogin" = yes; then + ac_cv_func_getlogin_r_posix=no +else + ac_cv_func_getlogin_r_posix=yes +fi +]) +if test "$ac_cv_func_getlogin_posix" = yes; then + AC_DEFINE(POSIX_GETLOGIN, 1, [Define if getlogin has POSIX flavour (and not BSD).]) +fi +if test "$ac_cv_func_getlogin_r_posix" = yes; then + AC_DEFINE(POSIX_GETLOGIN_R, 1, [Define if getlogin_r has POSIX flavour (and not BSD).]) +fi +fi +]) diff --git a/third_party/heimdal/cf/krb-ipv6.m4 b/third_party/heimdal/cf/krb-ipv6.m4 new file mode 100644 index 0000000..4fbe2d6 --- /dev/null +++ b/third_party/heimdal/cf/krb-ipv6.m4 
@@ -0,0 +1,154 @@ +dnl $Id$ +dnl +dnl test for IPv6 +dnl +ac_cv_lib_ipv6=check + +AC_DEFUN([AC_KRB_IPV6], [ +AC_ARG_WITH(ipv6, + AS_HELP_STRING([--without-ipv6],[do not enable IPv6 support]),[ + ac_cv_lib_ipv6="$withval" +]) +save_CFLAGS="${CFLAGS}" + +if test "X$ac_cv_lib_ipv6" != "Xno"; then + + AC_CACHE_CHECK([for IPv6 stack type], rk_cv_v6type, + [dnl check for different v6 implementations (by itojun) + v6type=unknown + v6lib=none + + for i in v6d toshiba kame inria zeta linux; do + case $i in + v6d) + AC_EGREP_CPP(yes, [ +#include +#ifdef __V6D__ +yes +#endif], + [v6type=$i; v6lib=v6; + v6libdir=/usr/local/v6/lib; + CFLAGS="-I/usr/local/v6/include $CFLAGS"]) + ;; + toshiba) + AC_EGREP_CPP(yes, [ +#include +#ifdef _TOSHIBA_INET6 +yes +#endif], + [v6type=$i; v6lib=inet6; + v6libdir=/usr/local/v6/lib; + CFLAGS="-DINET6 $CFLAGS"]) + ;; + kame) + AC_EGREP_CPP(yes, [ +#include +#ifdef __KAME__ +yes +#endif], + [v6type=$i; v6lib=inet6; + v6libdir=/usr/local/v6/lib; + CFLAGS="-DINET6 $CFLAGS"]) + ;; + inria) + AC_EGREP_CPP(yes, [ +#include +#ifdef IPV6_INRIA_VERSION +yes +#endif], + [v6type=$i; CFLAGS="-DINET6 $CFLAGS"]) + ;; + zeta) + AC_EGREP_CPP(yes, [ +#include +#ifdef _ZETA_MINAMI_INET6 +yes +#endif], + [v6type=$i; v6lib=inet6; + v6libdir=/usr/local/v6/lib; + CFLAGS="-DINET6 $CFLAGS"]) + ;; + linux) + if test -d /usr/inet6; then + v6type=$i + v6lib=inet6 + v6libdir=/usr/inet6 + CFLAGS="-DINET6 $CFLAGS" + fi + ;; + esac + if test "$v6type" != "unknown"; then + break + fi + done + + if test "$v6lib" != "none"; then + for dir in $v6libdir /usr/local/v6/lib /usr/local/lib; do + if test -d $dir -a -f $dir/lib$v6lib.a; then + LIBS="-L$dir -l$v6lib $LIBS" + break + fi + done + fi]) + + AC_CACHE_CHECK([for IPv6], rk_cv_lib_ipv6, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_NETINET_IN6_H +#include +#endif +]], + [[ + struct sockaddr_in6 
sin6; + int s; + + s = socket(AF_INET6, SOCK_DGRAM, 0); + + sin6.sin6_family = AF_INET6; + sin6.sin6_port = htons(17); + sin6.sin6_addr = in6addr_any; + bind(s, (struct sockaddr *)&sin6, sizeof(sin6)); +]])], + [ac_cv_lib_ipv6=yes], + [ac_cv_lib_ipv6=no])]) +fi + +if test "$ac_cv_lib_ipv6" = yes; then + AC_DEFINE(HAVE_IPV6, 1, [Define if you have IPv6.]) +else + CFLAGS="${save_CFLAGS}" +fi + +## test for AIX missing in6addr_loopback +if test "$ac_cv_lib_ipv6" = yes; then + AC_CACHE_CHECK([for in6addr_loopback],[rk_cv_var_in6addr_loopback],[ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_NETINET_IN6_H +#include +#endif]],[[ +struct sockaddr_in6 sin6; +sin6.sin6_addr = in6addr_loopback; +]])],[ac_cv_var_in6addr_loopback=yes],[ac_cv_var_in6addr_loopback=no])]) + if test "$ac_cv_var_in6addr_loopback" = yes; then + AC_DEFINE(HAVE_IN6ADDR_LOOPBACK, 1, + [Define if you have the in6addr_loopback variable]) + fi +fi +]) \ No newline at end of file diff --git a/third_party/heimdal/cf/krb-prog-ln-s.m4 b/third_party/heimdal/cf/krb-prog-ln-s.m4 new file mode 100644 index 0000000..35ab877 --- /dev/null +++ b/third_party/heimdal/cf/krb-prog-ln-s.m4 @@ -0,0 +1,28 @@ +dnl $Id$ +dnl +dnl +dnl Better test for ln -s, ln or cp +dnl + +AC_DEFUN([AC_KRB_PROG_LN_S], +[AC_MSG_CHECKING(for ln -s or something else) +AC_CACHE_VAL(ac_cv_prog_LN_S, +[rm -f conftestdata +if ln -s X conftestdata 2>/dev/null +then + rm -f conftestdata + ac_cv_prog_LN_S="ln -s" +else + touch conftestdata1 + if ln conftestdata1 conftestdata2; then + rm -f conftestdata* + ac_cv_prog_LN_S=ln + else + ac_cv_prog_LN_S=cp + fi +fi])dnl +LN_S="$ac_cv_prog_LN_S" +AC_MSG_RESULT($ac_cv_prog_LN_S) +AC_SUBST(LN_S)dnl +]) + diff --git a/third_party/heimdal/cf/krb-prog-perl.m4 b/third_party/heimdal/cf/krb-prog-perl.m4 new file mode 100644 index 0000000..b359111 --- /dev/null 
+++ b/third_party/heimdal/cf/krb-prog-perl.m4 @@ -0,0 +1,21 @@ +dnl +dnl perl and some of its module are required to build some headers +dnl + +AC_DEFUN([AC_KRB_PROG_PERL], +[AC_CHECK_PROGS(PERL, perl, perl) +if test "$PERL" = ""; then + AC_MSG_ERROR([perl not found - Cannot build Heimdal without perl]) +fi +]) + +AC_DEFUN([AC_KRB_PERL_MOD], +[ +AC_MSG_CHECKING([for Perl5 module $1]) +if ! $PERL -M$1 -e 'exit(0);' >/dev/null 2>&1; then + AC_MSG_RESULT([no]) + AC_MSG_ERROR([perl module $1 not found - Cannot build Heimdal without perl module $1]) +else + AC_MSG_RESULT([yes]) +fi +]) diff --git a/third_party/heimdal/cf/krb-prog-ranlib.m4 b/third_party/heimdal/cf/krb-prog-ranlib.m4 new file mode 100644 index 0000000..8bc5b9e --- /dev/null +++ b/third_party/heimdal/cf/krb-prog-ranlib.m4 @@ -0,0 +1,8 @@ +dnl $Id$ +dnl +dnl +dnl Also look for EMXOMF for OS/2 +dnl + +AC_DEFUN([AC_KRB_PROG_RANLIB], +[AC_CHECK_PROGS(RANLIB, ranlib EMXOMF, :)]) diff --git a/third_party/heimdal/cf/krb-prog-yacc.m4 b/third_party/heimdal/cf/krb-prog-yacc.m4 new file mode 100644 index 0000000..4c0afd9 --- /dev/null +++ b/third_party/heimdal/cf/krb-prog-yacc.m4 @@ -0,0 +1,18 @@ +dnl $Id$ +dnl +dnl +dnl OLD: We prefer byacc or yacc because they do not use `alloca' +dnl +dnl CURRENT: We don't mind `alloca', but we do mind `bison -y' because +dnl newer versions of `bison', with `-y' complain about %expect and +dnl anything that yacc didn't document. Because `bison' typically +dnl also installs a `yacc' link that acts like `bison y', we put +dnl `yacc' last in this list. +dnl + +AC_DEFUN([AC_KRB_PROG_YACC], +[AC_CHECK_PROGS(YACC, 'bison -d' 'byacc -d' yacc) +if test "$YACC" = ""; then + AC_MSG_WARN([byacc and bison not found - some stuff will not build]) +fi +]) diff --git a/third_party/heimdal/cf/krb-readline.m4 b/third_party/heimdal/cf/krb-readline.m4 new file mode 100644 index 0000000..ddb94bf --- /dev/null +++ b/third_party/heimdal/cf/krb-readline.m4 
@@ -0,0 +1,28 @@ +dnl $Id$ +dnl +dnl Tests for readline functions +dnl + +dnl el_init + +AC_DEFUN([KRB_READLINE],[ + +dnl readline + +ac_foo=no +build_editline=no +if test "$with_readline" = yes; then + : +elif test "$with_libedit" = yes; then + LIB_readline="${LIB_libedit}" +elif test "$ac_cv_func_readline" = yes; then + : +else + build_libedit=yes + LIB_readline="\$(top_builddir)/lib/libedit/src/libheimedit.la \$(LIB_tgetent)" +fi +AM_CONDITIONAL(LIBEDIT, test "$build_libedit" = yes) +AC_DEFINE(HAVE_READLINE, 1, + [Define if you have a readline compatible library.])dnl + +]) diff --git a/third_party/heimdal/cf/krb-struct-spwd.m4 b/third_party/heimdal/cf/krb-struct-spwd.m4 new file mode 100644 index 0000000..aebf20c --- /dev/null +++ b/third_party/heimdal/cf/krb-struct-spwd.m4 @@ -0,0 +1,21 @@ +dnl $Id$ +dnl +dnl Test for `struct spwd' + +AC_DEFUN([AC_KRB_STRUCT_SPWD], [ +AC_MSG_CHECKING(for struct spwd) +AC_CACHE_VAL(ac_cv_struct_spwd, [ +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#include +#ifdef HAVE_SHADOW_H +#include +#endif]],[[struct spwd foo;]])], +[ac_cv_struct_spwd=yes], +[ac_cv_struct_spwd=no]) +]) +AC_MSG_RESULT($ac_cv_struct_spwd) + +if test "$ac_cv_struct_spwd" = "yes"; then + AC_DEFINE(HAVE_STRUCT_SPWD, 1, [define if you have struct spwd]) +fi +]) diff --git a/third_party/heimdal/cf/krb-struct-winsize.m4 b/third_party/heimdal/cf/krb-struct-winsize.m4 new file mode 100644 index 0000000..5f46b8d --- /dev/null +++ b/third_party/heimdal/cf/krb-struct-winsize.m4 
@@ -0,0 +1,25 @@ +dnl $Id$ +dnl +dnl +dnl Search for struct winsize +dnl + +AC_DEFUN([AC_KRB_STRUCT_WINSIZE], [ +AC_MSG_CHECKING(for struct winsize) +AC_CACHE_VAL(ac_cv_struct_winsize, [ +ac_cv_struct_winsize=no +for i in sys/termios.h sys/ioctl.h; do +AC_EGREP_HEADER( +struct[[ ]]*winsize,dnl +$i, ac_cv_struct_winsize=yes; break)dnl +done +]) +if test "$ac_cv_struct_winsize" = "yes"; then + AC_DEFINE(HAVE_STRUCT_WINSIZE, 1, [define if struct winsize is declared in sys/termios.h]) +fi +AC_MSG_RESULT($ac_cv_struct_winsize) +AC_EGREP_HEADER(ws_xpixel, termios.h, + AC_DEFINE(HAVE_WS_XPIXEL, 1, [define if struct winsize has ws_xpixel])) +AC_EGREP_HEADER(ws_ypixel, termios.h, + AC_DEFINE(HAVE_WS_YPIXEL, 1, [define if struct winsize has ws_ypixel])) +]) diff --git a/third_party/heimdal/cf/krb-sys-aix.m4 b/third_party/heimdal/cf/krb-sys-aix.m4 new file mode 100644 index 0000000..c599ef8 --- /dev/null +++ b/third_party/heimdal/cf/krb-sys-aix.m4 @@ -0,0 +1,15 @@ +dnl $Id$ +dnl +dnl +dnl AIX have a very different syscall convention +dnl +AC_DEFUN([AC_KRB_SYS_AIX], [ +AC_MSG_CHECKING(for AIX) +AC_CACHE_VAL(krb_cv_sys_aix, +AC_EGREP_CPP(yes, +[#ifdef _AIX + yes +#endif +], krb_cv_sys_aix=yes, krb_cv_sys_aix=no) ) +AC_MSG_RESULT($krb_cv_sys_aix) +]) diff --git a/third_party/heimdal/cf/krb-sys-nextstep.m4 b/third_party/heimdal/cf/krb-sys-nextstep.m4 new file mode 100644 index 0000000..d9308a0 --- /dev/null +++ b/third_party/heimdal/cf/krb-sys-nextstep.m4 @@ -0,0 +1,18 @@ +dnl $Id$ +dnl +dnl NEXTSTEP is not posix compliant by default, +dnl you need a switch -posix to the compiler +dnl + +AC_DEFUN([rk_SYS_NEXTSTEP], [ +AC_CACHE_CHECK(for NeXTSTEP, rk_cv_sys_nextstep, [ +AC_EGREP_CPP(yes, +[#if defined(NeXT) && !defined(__APPLE__) + yes +#endif +], rk_cv_sys_nextstep=yes, rk_cv_sys_nextstep=no)]) +if test "$rk_cv_sys_nextstep" = "yes"; then + CFLAGS="$CFLAGS -posix" + LIBS="$LIBS -posix" +fi +]) 
diff --git a/third_party/heimdal/cf/largefile.m4 b/third_party/heimdal/cf/largefile.m4 new file mode 100644 index 0000000..5c54897 --- /dev/null +++ b/third_party/heimdal/cf/largefile.m4 @@ -0,0 +1,16 @@ +dnl $Id$ +dnl +dnl Figure out what flags we need for 64-bit file access, and also set +dnl them on the command line. +dnl +AC_DEFUN([rk_SYS_LARGEFILE],[ +AC_REQUIRE([AC_SYS_LARGEFILE])dnl +dnl need to set this on the command line, since it might otherwise break +dnl with generated code, such as lex +if test "$enable_largefile" != no -a "$ac_cv_sys_large_files" != no; then + CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files" +fi +if test "$enable_largefile" != no -a "$ac_cv_sys_file_offset_bits" != no; then + CPPFLAGS="$CPPFLAGS -D_FILE_OFFSET_BITS=$ac_cv_sys_file_offset_bits" +fi +]) diff --git a/third_party/heimdal/cf/make-proto.pl b/third_party/heimdal/cf/make-proto.pl new file mode 100644 index 0000000..36a040c --- /dev/null +++ b/third_party/heimdal/cf/make-proto.pl 
@@ -0,0 +1,528 @@ +# Make prototypes from .c files +# $Id$ + +use Getopt::Std; +use File::Compare; + +use JSON; + +my $comment = 0; +my $doxygen = 0; +my $funcdoc = 0; +my $if_0 = 0; +my $brace = 0; +my $line = ""; +my $debug = 0; +my $oproto = 1; +my $private_func_re = "^_"; +my %depfunction; +my %exported; +my %deprecated; +my $apple = 0; +my %documentation; + +getopts('x:m:o:p:dqE:R:P:') || die "foo"; +if($opt_a) { + $apple = 1; +} + +if($opt_a) { + $apple = 1; +} + +if($opt_d) { + $debug = 1; +} + +if($opt_q) { + $oproto = 0; +} + +if($opt_R) { + $private_func_re = $opt_R; +} +my %flags = ( + 'multiline-proto' => 1, + 'header' => 1, + 'function-blocking' => 0, + 'gnuc-attribute' => 1, + 'cxx' => 1 + ); +if($opt_m) { + foreach $i (split(/,/, $opt_m)) { + if($i eq "roken") { + $flags{"multiline-proto"} = 0; + $flags{"header"} = 0; + $flags{"function-blocking"} = 0; + $flags{"gnuc-attribute"} = 0; + $flags{"cxx"} = 0; + } else { + if(substr($i, 0, 3) eq "no-") { + $flags{substr($i, 3)} = 0; + } else { + $flags{$i} = 1; + } + } + } +} + +if($opt_x) { + my $EXP; + local $/; + open(EXP, '<', $opt_x) || die "open ${opt_x}"; + my $obj = JSON->new->utf8->decode(); + close $EXP; + + foreach my $x (keys %$obj) { + if (defined $obj->{$x}->{"export"}) { + $exported{$x} = $obj->{$x}; + } + if (defined $obj->{$x}->{"deprecated"}) { + $deprecated{$x} = $obj->{$x}->{"deprecated"}; + } + } +} + +while(<>) { + print $brace, " ", $_ if($debug); + + # Handle C comments + s@/\*.*\*/@@; + s@//.*/@@; + if ( s@/\*\*(.*)@@) { $comment = 1; $doxygen = 1; $funcdoc = $1; + } elsif ( s@/\*.*@@) { $comment = 1; + } elsif ($comment && s@.*\*/@@) { $comment = 0; $doxygen = 0; + } elsif ($doxygen) { $funcdoc .= $_; next; + } elsif ($comment) { next; } + + # Handle CPP #define's + $define = 1 if /^\s*\#\s*define/; + if ($define) { + $define = 0 if ! 
/\\$/; + next; + } + + if(/^\#if 0/) { + $if_0 = 1; + } + if($if_0 && /^\#endif/) { + $if_0 = 0; + } + if($if_0) { next } + if(/^\s*\#/) { + next; + } + if(/^\s*$/) { + $line = ""; + next; + } + if(/\{/){ + if (!/\}/) { + $brace++; + } + $_ = $line; + while(s/\*\//\ca/){ + s/\/\*(.|\n)*\ca//; + } + s/^\s*//; + s/\s*$//; + s/\s+/ /g; + if($_ =~ /\)$/){ + if(!/^static/ && !/^PRIVATE/){ + $attr = ""; + if(m/(.*)(__attribute__\s?\(.*\))/) { + $attr .= " $2"; + $_ = $1; + } + if(m/(.*)\s(\w+DEPRECATED_FUNCTION)\s?(\(.*\))(.*)/) { + $depfunction{$2} = 1; + $attr .= " $2$3"; + $_ = "$1 $4"; + } + if(m/(.*)\s(\w+DEPRECATED)(.*)/) { + $attr .= " $2"; + $_ = "$1 $3"; + } + if(m/(.*)\s(HEIMDAL_\w+_ATTRIBUTE)\s?(\(.*\))?(.*)/) { + $attr .= " $2$3"; + $_ = "$1 $4"; + } + # remove outer () + s/\s*\(//; + # remove , within () + while(s/\(([^()]*),(.*)\)/($1\$$2)/g){} + s/\<\s*void\s*\>/<>/; + # remove parameter names + if($opt_P eq "remove") { + s/(\s*)([a-zA-Z0-9_]+)([,>])/$3/g; + s/\s+\*/*/g; + s/\(\*(\s*)([a-zA-Z0-9_]+)\)/(*)/g; + } elsif($opt_P eq "comment") { + s/([a-zA-Z0-9_]+)([,>])/\/\*$1\*\/$2/g; + s/\(\*([a-zA-Z0-9_]+)\)/(*\/\*$1\*\/)/g; + } + s/\<\>//; + # add newlines before parameters + if($flags{"multiline-proto"}) { + s/,\s*/,\n\t/g; + } else { + s/,\s*/, /g; + } + # fix removed , + s/\$/,/g; + # match function name + /([a-zA-Z0-9_]+)\s*\/$RP/; + # insert newline before function name + if($flags{"multiline-proto"}) { + s/(.*)\s([a-zA-Z0-9_]+ \Q$LP\E)/$1\n$2/; + } + if($attr ne "") { + $_ .= "\n $attr"; + } + if ($funcdoc) { + $documentation{$f} = $funcdoc; + } + $funcdoc = undef; + if ($apple && exists $exported{$f}) { + $ios = $exported{$f}{ios}; + $ios = "NA" if (!defined $ios); + $mac = $exported{$f}{macos}; + $mac = "NA" if (!defined $mac); + die "$f neither" if ($mac eq "NA" and $ios eq "NA"); + $_ = $_ . " __OSX_AVAILABLE_STARTING(__MAC_${mac}, __IPHONE_${ios})"; + } + if (exists $deprecated{$f}) { + $_ = $_ . 
" GSSAPI_DEPRECATED_FUNCTION(\"$deprecated{$f}\")"; + $depfunction{GSSAPI_DEPRECATED_FUNCTION} = 1; + } + $_ = $_ . ";"; + $funcs{$f} = $_; + } + } + $line = ""; + } + if(/\}/){ + $brace--; + } + if(/^\}/){ + $brace = 0; + } + if($brace == 0) { + $line = $line . " " . $_; + } +} + +die "reached end of code and still in doxygen comment" if ($doxygen); +die "reached end of code and still in comment" if ($comment); + +sub foo { + local ($arg) = @_; + $_ = $arg; + s/.*\/([^\/]*)/$1/; + s/.*\\([^\\]*)/$1/; + s/[^a-zA-Z0-9]/_/g; + "__" . $_ . "__"; +} + +if($opt_o) { + open(OUT, ">${opt_o}.new"); + $block = &foo($opt_o); +} else { + $block = "__public_h__"; +} + +if($opt_p) { + open(PRIV, ">${opt_p}.new"); + $private = &foo($opt_p); +} else { + $private = "__private_h__"; +} + +$public_h = ""; +$private_h = ""; + +$public_h_header .= "/* This is a generated file */ +#ifndef $block +#define $block +#ifndef DOXY + +"; +if ($oproto) { + $public_h_header .= "#ifdef __STDC__ +#include +#ifndef __P +#define __P(x) x +#endif +#else +#ifndef __P +#define __P(x) () +#endif +#endif + +"; +} else { + $public_h_header .= "#include + +"; +} +$public_h_trailer = ""; + +$private_h_header = "/* This is a generated file */ +#ifndef $private +#define $private + +"; +if($oproto) { + $private_h_header .= "#ifdef __STDC__ +#include +#ifndef __P +#define __P(x) x +#endif +#else +#ifndef __P +#define __P(x) () +#endif +#endif + +"; +} else { + $private_h_header .= "#include + +"; +} +$private_h_trailer = ""; + + +foreach(sort keys %funcs){ + if(/^(DllMain|main)$/) { next } + if ($funcs{$_} =~ /\^/) { + $beginblock = "#ifdef __BLOCKS__\n"; + $endblock = "#endif /* __BLOCKS__ */\n"; + } else { + $beginblock = $endblock = ""; + } + # if we have an export table and doesn't have content, or matches private RE + if((scalar(keys(%exported)) ne 0 && !exists $exported{$_} ) || /$private_func_re/) { + $private_h .= $beginblock; +# if ($apple and not /$private_func_re/) { +# $private_h .= "#define $_ 
__ApplePrivate_${_}\n"; +# } + $private_h .= $funcs{$_} . "\n" ; + $private_h .= $endblock . "\n"; + if($funcs{$_} =~ /__attribute__/) { + $private_attribute_seen = 1; + } + } else { + if($documentation{$_}) { + $public_h .= "/**\n"; + $public_h .= "$documentation{$_}"; + $public_h .= " */\n\n"; + } + if($flags{"function-blocking"}) { + $fupper = uc $_; + if($exported{$_} =~ /proto/) { + $public_h .= "#if !defined(HAVE_$fupper) || defined(NEED_${fupper}_PROTO)\n"; + } else { + $public_h .= "#ifndef HAVE_$fupper\n"; + } + } + $public_h .= $beginblock . $funcs{$_} . "\n" . $endblock; + if($funcs{$_} =~ /__attribute__/) { + $public_attribute_seen = 1; + } + if($flags{"function-blocking"}) { + $public_h .= "#endif\n"; + } + $public_h .= "\n"; + } +} + +if($flags{"gnuc-attribute"}) { + if ($public_attribute_seen) { + $public_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__) +#define __attribute__(x) +#endif + +"; + } + + if ($private_attribute_seen) { + $private_h_header .= "#if !defined(__GNUC__) && !defined(__attribute__) +#define __attribute__(x) +#endif + +"; + } +} + +my $depstr = ""; +my $undepstr = ""; +foreach (keys %depfunction) { + $depstr .= "#ifndef $_ +#ifndef __has_extension +#define __has_extension(x) 0 +#define ${_}has_extension 1 +#endif +#if __has_extension(attribute_deprecated_with_message) +#define $_(x) __attribute__((__deprecated__(x))) +#elif defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 ))) +#define $_(X) __attribute__((__deprecated__)) +#else +#define $_(X) +#endif +#ifdef ${_}has_extension +#undef __has_extension +#undef ${_}has_extension +#endif +#endif /* $_ */ + + +"; + $public_h_trailer .= "#undef $_ + +"; + $private_h_trailer .= "#undef $_ +#define $_(X) + +"; +} + +$public_h_header .= $depstr; +$private_h_header .= $depstr; + + +if($flags{"cxx"}) { + $public_h_header .= "#ifdef __cplusplus +extern \"C\" { +#endif + +"; + $public_h_trailer = "#ifdef __cplusplus +} +#endif + +" . 
$public_h_trailer; + +} +if ($opt_E) { + $public_h_header .= "#ifndef $opt_E + #ifndef ${opt_E}_FUNCTION + #if defined(_WIN32) + #define ${opt_E}_FUNCTION __declspec(dllimport) + #else + #define ${opt_E}_FUNCTION + #endif + #endif + #ifndef ${opt_E}_NORETURN_FUNCTION + #if defined(_WIN32) + #define ${opt_E}_NORETURN_FUNCTION __declspec(dllimport noreturn) + #else + #define ${opt_E}_NORETURN_FUNCTION + #endif + #endif + #ifndef ${opt_E}_CALL + #if defined(_WIN32) + #define ${opt_E}_CALL __stdcall + #else + #define ${opt_E}_CALL + #endif + #endif + #ifndef ${opt_E}_VARIABLE + #if defined(_WIN32) + #define ${opt_E}_VARIABLE __declspec(dllimport) + #else + #define ${opt_E}_VARIABLE + #endif + #endif +#endif +"; + + $private_h_header .= "#ifndef $opt_E + #ifndef ${opt_E}_FUNCTION + #if defined(_WIN32) + #define ${opt_E}_FUNCTION __declspec(dllimport) + #else + #define ${opt_E}_FUNCTION + #endif + #endif + #ifndef ${opt_E}_NORETURN_FUNCTION + #if defined(_WIN32) + #define ${opt_E}_NORETURN_FUNCTION __declspec(dllimport noreturn) + #else + #define ${opt_E}_NORETURN_FUNCTION + #endif + #endif + #ifndef ${opt_E}_CALL + #if defined(_WIN32) + #define ${opt_E}_CALL __stdcall + #else + #define ${opt_E}_CALL + #endif + #endif + #ifndef ${opt_E}_VARIABLE + #if defined(_WIN32) + #define ${opt_E}_VARIABLE __declspec(dllimport) + #else + #define ${opt_E}_VARIABLE + #endif + #endif +#endif +"; +} + +$public_h_trailer .= $undepstr; +$private_h_trailer .= $undepstr; + +if ($public_h ne "" && $flags{"header"}) { + $public_h = $public_h_header . $public_h . + $public_h_trailer . "#endif /* DOXY */\n#endif /* $block */\n"; +} +if ($private_h ne "" && $flags{"header"}) { + $private_h = $private_h_header . $private_h . + $private_h_trailer . 
"#endif /* $private */\n"; +} + +if($opt_o) { + print OUT $public_h; +} +if($opt_p) { + print PRIV $private_h; +} + +close OUT; +close PRIV; + +if ($opt_o) { + + if (compare("${opt_o}.new", ${opt_o}) != 0) { + printf("updating ${opt_o}\n"); + rename("${opt_o}.new", ${opt_o}); + } else { + unlink("${opt_o}.new"); + } +} + +if ($opt_p) { + if (compare("${opt_p}.new", ${opt_p}) != 0) { + printf("updating ${opt_p}\n"); + rename("${opt_p}.new", ${opt_p}); + } else { + unlink("${opt_p}.new"); + } +} diff --git a/third_party/heimdal/cf/maybe-valgrind.sh b/third_party/heimdal/cf/maybe-valgrind.sh new file mode 100755 index 0000000..5e20d98 --- /dev/null +++ b/third_party/heimdal/cf/maybe-valgrind.sh 
@@ -0,0 +1,68 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + + +while true +do + case $1 in + -s) tsrcdir="$2"; shift 2;; + -o) tobjdir="$2"; shift 2;; + -*) echo "$0: Bad option $1"; echo $usage; exit 1;; + *) break;; + esac +done + +if [ X"${tobjdir}" = "X" -o X"${tsrcdir}" = X ] ; then + echo "tobjdir or tsrcdir not defined" + exit 1 +fi + +if [ ! 
-f "${tobjdir}/libtool" ]; then + echo "libtool missing from \"${tobjdir}\"" + exit 1 +fi + +doit=1 + +libtool="${tobjdir}/libtool --mode=execute" + +valgrind="valgrind --leak-check=full --quiet -q --num-callers=30 --suppressions=${tsrcdir}/cf/valgrind-suppressions" + +if head -10 "$1" | grep 'Generated by ltmain.sh' > /dev/null ; then + uselibtool=1 +elif head -10 "$1" | grep 'bin/sh' > /dev/null ; then + libtool= + valgrind= +fi + +exec $libtool $valgrind "$@" diff --git a/third_party/heimdal/cf/mips-abi.m4 b/third_party/heimdal/cf/mips-abi.m4 new file mode 100644 index 0000000..20035be --- /dev/null +++ b/third_party/heimdal/cf/mips-abi.m4 
@@ -0,0 +1,87 @@ +dnl $Id$ +dnl +dnl +dnl Check for MIPS/IRIX ABI flags. Sets $abi and $abilibdirext to some +dnl value. + +AC_DEFUN([AC_MIPS_ABI], [ +AC_ARG_WITH(mips_abi, + AS_HELP_STRING([--with-mips-abi=abi],[ABI to use for IRIX (32, n32, or 64)])) + +case "$host_os" in +irix*) +with_mips_abi="${with_mips_abi:-yes}" +if test -n "$GCC"; then + +# GCC < 2.8 only supports the O32 ABI. GCC >= 2.8 has a flag to select +# which ABI to use, but only supports (as of 2.8.1) the N32 and 64 ABIs. +# +# Default to N32, but if GCC doesn't grok -mabi=n32, we assume an old +# GCC and revert back to O32. The same goes if O32 is asked for - old +# GCCs doesn't like the -mabi option, and new GCCs can't output O32. +# +# Don't you just love *all* the different SGI ABIs? + +case "${with_mips_abi}" in + 32|o32) abi='-mabi=32'; abilibdirext='' ;; + n32|yes) abi='-mabi=n32'; abilibdirext='32' ;; + 64) abi='-mabi=64'; abilibdirext='64' ;; + no) abi=''; abilibdirext='';; + *) AC_MSG_ERROR("Invalid ABI specified") ;; +esac +if test -n "$abi" ; then +ac_foo=krb_cv_gcc_`echo $abi | tr =- __` +dnl +dnl can't use AC_CACHE_CHECK here, since it doesn't quote CACHE-ID to +dnl AC_MSG_RESULT +dnl +AC_MSG_CHECKING([if $CC supports the $abi option]) +AC_CACHE_VAL($ac_foo, [ +save_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS $abi" +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[int x;]])],[eval $ac_foo=yes], [eval $ac_foo=no])dnl +CFLAGS="$save_CFLAGS" +]) +ac_res=`eval echo \\\$$ac_foo` +AC_MSG_RESULT($ac_res) +if test $ac_res = no; then +# Try to figure out why that failed... 
+case $abi in + -mabi=32) + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -mabi=n32" + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[int x;]])],[ac_res=yes],[ac_res=no])dnl + CLAGS="$save_CFLAGS" + if test $ac_res = yes; then + # New GCC + AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI]) + fi + # Old GCC + abi='' + abilibdirext='' + ;; + -mabi=n32|-mabi=64) + if test $with_mips_abi = yes; then + # Old GCC, default to O32 + abi='' + abilibdirext='' + else + # Some broken GCC + AC_MSG_ERROR([$CC does not support the $with_mips_abi ABI]) + fi + ;; +esac +fi #if test $ac_res = no; then +fi #if test -n "$abi" ; then +else +case "${with_mips_abi}" in + 32|o32) abi='-32'; abilibdirext='' ;; + n32|yes) abi='-n32'; abilibdirext='32' ;; + 64) abi='-64'; abilibdirext='64' ;; + no) abi=''; abilibdirext='';; + *) AC_MSG_ERROR("Invalid ABI specified") ;; +esac +fi #if test -n "$GCC"; then +;; +esac +]) diff --git a/third_party/heimdal/cf/misc.m4 b/third_party/heimdal/cf/misc.m4 new file mode 100644 index 0000000..c6d8827 --- /dev/null +++ b/third_party/heimdal/cf/misc.m4 @@ -0,0 +1,15 @@ + +dnl $Id$ +dnl +AC_DEFUN([upcase],[`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`])dnl +AC_DEFUN([rk_LIBOBJ],[AC_LIBOBJ([$1])])dnl +AC_DEFUN([rk_CONFIG_HEADER],[AH_TOP([#ifndef RCSID +#define RCSID(msg) \ +static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg } +#endif + +/* Maximum values on all known systems */ +#define MaxHostNameLen (64+4) +#define MaxPathLen (1024+4) + +])]) \ No newline at end of file diff --git a/third_party/heimdal/cf/need-proto.m4 b/third_party/heimdal/cf/need-proto.m4 new file mode 100644 index 0000000..2f7a221 --- /dev/null +++ b/third_party/heimdal/cf/need-proto.m4 
@@ -0,0 +1,22 @@ +dnl $Id$ +dnl +dnl +dnl Check if we need the prototype for a function +dnl + +dnl AC_NEED_PROTO(includes, function) + +AC_DEFUN([AC_NEED_PROTO], [ +if test "$ac_cv_func_$2+set" != set -o "$ac_cv_func_$2" = yes; then +AC_CACHE_CHECK([if $2 needs a prototype], ac_cv_func_$2_noproto, +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$1 +struct foo { int foo; } xx; +extern int $2 (struct foo*);]],[[$2(&xx)]])], +[eval "ac_cv_func_$2_noproto=yes"], +[eval "ac_cv_func_$2_noproto=no"])) +if test "$ac_cv_func_$2_noproto" = yes; then + AC_DEFINE(AS_TR_CPP(NEED_[]$2[]_PROTO), 1, + [define if the system is missing a prototype for $2()]) +fi +fi +]) diff --git a/third_party/heimdal/cf/osfc2.m4 b/third_party/heimdal/cf/osfc2.m4 new file mode 100644 index 0000000..cb8768a --- /dev/null +++ b/third_party/heimdal/cf/osfc2.m4 @@ -0,0 +1,14 @@ +dnl $Id$ +dnl +dnl enable OSF C2 stuff + +AC_DEFUN([AC_CHECK_OSFC2],[ +AC_ARG_ENABLE(osfc2, + AS_HELP_STRING([--enable-osfc2],[enable some OSF C2 support])) +LIB_security= +if test "$enable_osfc2" = yes; then + AC_DEFINE(HAVE_OSFC2, 1, [Define to enable basic OSF C2 support.]) + LIB_security=-lsecurity +fi +AC_SUBST(LIB_security) +]) diff --git a/third_party/heimdal/cf/otp.m4 b/third_party/heimdal/cf/otp.m4 new file mode 100644 index 0000000..d354515 --- /dev/null +++ b/third_party/heimdal/cf/otp.m4 
@@ -0,0 +1,27 @@ +dnl $Id$ +dnl +dnl check requirements for OTP library +dnl +AC_DEFUN([rk_OTP],[ +AC_REQUIRE([rk_DB])dnl +AC_ARG_ENABLE(otp, + AS_HELP_STRING([--disable-otp],[if you don't want OTP support])) +if test "$enable_otp" = yes -a "$db_type" = unknown; then + AC_MSG_ERROR([OTP requires a NDBM/DB compatible library]) +fi +if test "$enable_otp" != no; then + if test "$db_type" != unknown; then + enable_otp=yes + else + enable_otp=no + fi +fi +if test "$enable_otp" = yes; then + AC_DEFINE(OTP, 1, [Define if you want OTP support in applications.]) + LIB_otp='$(top_builddir)/lib/otp/libotp.la' + AC_SUBST(LIB_otp) +fi +AC_MSG_CHECKING([whether to enable OTP library]) +AC_MSG_RESULT($enable_otp) +AM_CONDITIONAL(OTP, test "$enable_otp" = yes)dnl +]) diff --git a/third_party/heimdal/cf/pkg.m4 b/third_party/heimdal/cf/pkg.m4 new file mode 100644 index 0000000..8cdc5e4 --- /dev/null +++ b/third_party/heimdal/cf/pkg.m4 
@@ -0,0 +1,157 @@ +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# +# Copyright 2004 Scott James Remnant . +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# PKG_PROG_PKG_CONFIG([MIN-VERSION]) +# ---------------------------------- +AC_DEFUN([PKG_PROG_PKG_CONFIG], +[m4_pattern_forbid([^_?PKG_[A-Z_]+$]) +m4_pattern_allow([^PKG_CONFIG(_PATH)?$]) +AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=m4_default([$1], [0.9.0]) + AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + PKG_CONFIG="" + fi + +fi[]dnl +])# PKG_PROG_PKG_CONFIG + +# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +# +# Check to see whether a particular set of modules exists. 
Similar +# to PKG_CHECK_MODULES(), but does not set variables or print errors. +# +# +# Similar to PKG_CHECK_MODULES, make sure that the first instance of +# this or PKG_CHECK_MODULES is called, or make sure to call +# PKG_CHECK_EXISTS manually +# -------------------------------------------------------------- +AC_DEFUN([PKG_CHECK_EXISTS], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +if test -n "$PKG_CONFIG" && \ + AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then + m4_ifval([$2], [$2], [:]) +m4_ifvaln([$3], [else + $3])dnl +fi]) + + +# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) +# --------------------------------------------- +m4_define([_PKG_CONFIG], +[if test -n "$PKG_CONFIG"; then + if test -n "$$1"; then + pkg_cv_[]$1="$$1" + else + PKG_CHECK_EXISTS([$3], + [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`], + [pkg_failed=yes]) + fi +else + pkg_failed=untried +fi[]dnl +])# _PKG_CONFIG + +# _PKG_SHORT_ERRORS_SUPPORTED +# ----------------------------- +AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi[]dnl +])# _PKG_SHORT_ERRORS_SUPPORTED + + +# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +# [ACTION-IF-NOT-FOUND]) +# +# +# Note that if there is a possibility the first call to +# PKG_CHECK_MODULES might not happen, you should be sure to include an +# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac +# +# +# -------------------------------------------------------------- +AC_DEFUN([PKG_CHECK_MODULES], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl +AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl + +pkg_failed=no +AC_MSG_CHECKING([for $1]) + +_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) +_PKG_CONFIG([$1][_LIBS], [libs], [$2]) + +m4_define([_PKG_TEXT], [Alternatively, you may set 
the environment variables $1[]_CFLAGS +and $1[]_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details.]) + +if test $pkg_failed = yes; then + _PKG_SHORT_ERRORS_SUPPORTED + if test $_pkg_short_errors_supported = yes; then + $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"` + else + $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"` + fi + # Put the nasty error message in config.log where it belongs + echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD + + ifelse([$4], , [AC_MSG_ERROR(dnl +[Package requirements ($2) were not met: + +$$1_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +_PKG_TEXT +])], + [AC_MSG_RESULT([no]) + $4]) +elif test $pkg_failed = untried; then + ifelse([$4], , [AC_MSG_FAILURE(dnl +[The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +_PKG_TEXT + +To get pkg-config, see .])], + [$4]) +else + $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS + $1[]_LIBS=$pkg_cv_[]$1[]_LIBS + AC_MSG_RESULT([yes]) + ifelse([$3], , :, [$3]) +fi[]dnl +])# PKG_CHECK_MODULES diff --git a/third_party/heimdal/cf/proto-compat.m4 b/third_party/heimdal/cf/proto-compat.m4 new file mode 100644 index 0000000..7d0fd70 --- /dev/null +++ b/third_party/heimdal/cf/proto-compat.m4 
@@ -0,0 +1,21 @@ +dnl $Id$ +dnl +dnl +dnl Check if the prototype of a function is compatible with another one +dnl + +dnl AC_PROTO_COMPAT(includes, function, prototype) + +AC_DEFUN([AC_PROTO_COMPAT], [ +AC_CACHE_CHECK([if $2 is compatible with system prototype], +ac_cv_func_$2_proto_compat, +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$1]],[[$3]])], +[eval "ac_cv_func_$2_proto_compat=yes"], +[eval "ac_cv_func_$2_proto_compat=no"])) +define([foo], translit($2, [a-z], [A-Z])[_PROTO_COMPATIBLE]) +if test "$ac_cv_func_$2_proto_compat" = yes; then + AC_DEFINE(foo, 1, [define if prototype of $2 is compatible with + $3]) +fi +undefine([foo]) +]) \ No newline at end of file diff --git a/third_party/heimdal/cf/pthreads.m4 b/third_party/heimdal/cf/pthreads.m4 new file mode 100644 index 0000000..4d84395 --- /dev/null +++ b/third_party/heimdal/cf/pthreads.m4 
@@ -0,0 +1,117 @@ +Dnl $Id$ + +AC_DEFUN([KRB_PTHREADS], [ +AC_MSG_CHECKING(if compiling threadsafe libraries) + +AC_ARG_ENABLE(pthread-support, + AS_HELP_STRING([--enable-pthread-support], + [if you want thread safe libraries]), + [],[enable_pthread_support=maybe]) + +case "$host" in +*-*-solaris2*) + native_pthread_support=yes + if test "$GCC" = yes; then + PTHREAD_CFLAGS="-D_REENTRANT -D_TS_ERRNO" + PTHREAD_LIBADD=-lpthread + else + PTHREAD_CFLAGS="-mt -D_REENTRANT -D_TS_ERRNO" + PTHREAD_LDADD=-mt + PTHREAD_LIBADD="-mt -lpthread" + fi + ;; +*-*-netbsd[[12]]*) + native_pthread_support="if running netbsd 1.6T or newer" + dnl heim_threads.h knows this + PTHREAD_LIBADD="-lpthread" + ;; +*-*-netbsd[[3456789]]*) + native_pthread_support="netbsd 3 uses explict pthread" + dnl heim_threads.h knows this + PTHREAD_LIBADD="-lpthread" + ;; +*-*-freebsd[[1234]]) + ;; +*-*-freebsd*) + native_pthread_support=yes + PTHREAD_LIBADD="-pthread" + ;; +*-*-openbsd*) + native_pthread_support=yes + PTHREAD_CFLAGS=-pthread + PTHREAD_LIBADD=-pthread + ;; +*-*-gnu*) + native_pthread_support=yes + PTHREADS_CFLAGS=-pthread + PTHREAD_LIBADD="-pthread -lpthread" + ;; +*-*-linux* | *-*-linux-gnu) + case `uname -r` in + 2.*|3.*) + native_pthread_support=yes + PTHREAD_CFLAGS=-pthread + PTHREAD_LIBADD=-pthread + ;; + esac + ;; +*-*-kfreebsd*-gnu*) + native_pthread_support=yes + PTHREAD_CFLAGS=-pthread + PTHREAD_LIBADD=-pthread + ;; +*-*-aix*) + dnl AIX is disabled since we don't handle the utmp/utmpx + dnl problems that aix causes when compiling with pthread support + dnl (2016-11-14, we longer use utmp). 
Original logic was: + dnl if test "$GCC" = yes; then + dnl native_pthread_support=yes + dnl PTHREADS_LIBS="-pthread" + dnl elif expr "$CC" : ".*_r" > /dev/null ; then + dnl native_pthread_support=yes + dnl PTHREADS_CFLAGS="" + dnl PTHREADS_LIBS="" + dnl else + dnl native_pthread_support=no + dnl fi + native_pthread_support=no + ;; +mips-sgi-irix6.[[5-9]]) # maybe works for earlier versions too + native_pthread_support=yes + PTHREAD_LIBADD="-lpthread" + ;; +*-*-darwin*) + native_pthread_support=yes + ;; +*) + native_pthread_support=no + ;; +esac + +if test "$enable_pthread_support" = maybe ; then + enable_pthread_support="$native_pthread_support" +fi + +if test "$enable_pthread_support" != no; then + AC_DEFINE(ENABLE_PTHREAD_SUPPORT, 1, + [Define if you want have a thread safe libraries]) + dnl This sucks, but libtool doesn't save the depenecy on -pthread + dnl for libraries. + LIBS="$PTHREAD_LIBADD $LIBS" +else + PTHREAD_CFLAGS="" + PTHREAD_LIBADD="" +fi + +AM_CONDITIONAL(ENABLE_PTHREAD_SUPPORT, test "$enable_pthread_support" != no) + +CFLAGS="$CFLAGS $PTHREAD_CFLAGS" +LDADD="$LDADD $PTHREAD_LDADD" +LIBADD="$LIBADD $PTHREAD_LIBADD" + +AC_SUBST(PTHREAD_CFLAGS) +AC_SUBST(PTHREAD_LDADD) +AC_SUBST(PTHREAD_LIBADD) + +AC_MSG_RESULT($enable_pthread_support) +]) diff --git a/third_party/heimdal/cf/resolv.m4 b/third_party/heimdal/cf/resolv.m4 new file mode 100644 index 0000000..49c868a --- /dev/null +++ b/third_party/heimdal/cf/resolv.m4 
@@ -0,0 +1,118 @@ +dnl stuff used by DNS resolv code in roken +dnl +dnl $Id$ +dnl + +AC_DEFUN([rk_RESOLV],[ + +AC_CHECK_HEADERS([arpa/nameser.h dns.h]) + +AC_CHECK_HEADERS(resolv.h, , , [AC_INCLUDES_DEFAULT +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_NAMESER_H +#include +#endif +]) + +AC_FIND_FUNC(res_search, resolv, +[ +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_NAMESER_H +#include +#endif +#ifdef HAVE_RESOLV_H +#include +#endif +], +[0,0,0,0,0]) + +AC_FIND_FUNC(res_nsearch, resolv, +[ +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_NAMESER_H +#include +#endif +#ifdef HAVE_RESOLV_H +#include +#endif +], +[0,0,0,0,0,0]) + +AC_FIND_FUNC(res_ndestroy, resolv, +[ +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_NAMESER_H +#include +#endif +#ifdef HAVE_RESOLV_H +#include +#endif +], +[0]) + +AC_FIND_FUNC_NO_LIBS(dns_search,, +[ +#ifdef HAVE_DNS_H +#include +#endif +], +[0,0,0,0,0,0,0,0]) + + +AC_FIND_FUNC(dn_expand, resolv, +[ +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_NAMESER_H +#include +#endif +#ifdef HAVE_RESOLV_H +#include +#endif +], +[0,0,0,0,0]) + +rk_CHECK_VAR(_res, +[#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_NAMESER_H +#include +#endif +#ifdef HAVE_RESOLV_H +#include +#endif]) + +]) diff --git a/third_party/heimdal/cf/retsigtype.m4 b/third_party/heimdal/cf/retsigtype.m4 new file mode 100644 index 0000000..5dfd820 --- /dev/null +++ b/third_party/heimdal/cf/retsigtype.m4 
@@ -0,0 +1,18 @@ +dnl +dnl $Id$ +dnl +dnl Figure out return type of signal handlers, and define SIGRETURN macro +dnl that can be used to return from one +dnl +AC_DEFUN([rk_RETSIGTYPE],[ +AC_TYPE_SIGNAL +if test "$ac_cv_type_signal" = "void" ; then + AC_DEFINE(VOID_RETSIGTYPE, 1, [Define if signal handlers return void.]) +fi + +AH_BOTTOM([#ifdef VOID_RETSIGTYPE +#define SIGRETURN(x) return +#else +#define SIGRETURN(x) return (RETSIGTYPE)(x) +#endif]) +]) \ No newline at end of file diff --git a/third_party/heimdal/cf/roken-frag.m4 b/third_party/heimdal/cf/roken-frag.m4 new file mode 100644 index 0000000..2c2ef83 --- /dev/null +++ b/third_party/heimdal/cf/roken-frag.m4 
@@ -0,0 +1,766 @@ +dnl $Id$ +dnl +dnl some code to get roken working +dnl +dnl rk_ROKEN(subdir) +dnl +AC_DEFUN([rk_ROKEN], [ + +AC_REQUIRE([rk_CONFIG_HEADER]) + +DIR_roken=roken +LIB_roken='$(top_builddir)/$1/libroken.la' +INCLUDES_roken='-I$(top_builddir)/$1 -I$(top_srcdir)/$1' + +dnl Checks for programs +AC_REQUIRE([AC_PROG_CC]) +AC_REQUIRE([AC_PROG_AWK]) +AC_REQUIRE([AC_OBJEXT]) +AC_REQUIRE([AC_EXEEXT]) +AC_REQUIRE([LT_INIT]) + +AC_REQUIRE([AC_MIPS_ABI]) + +AC_DEFINE(rk_PATH_DELIM, '/', [Path name delimiter]) + +dnl C characteristics + +AC_REQUIRE([AC_C___ATTRIBUTE__]) +AC_REQUIRE([AC_C_INLINE]) +AC_REQUIRE([AC_C_CONST]) +rk_WFLAGS(-Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow) + +dnl -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wstrict-prototypes +dnl -Wcast-qual -Wswitch -Wformat=2 -Wwrite-strings + +AC_REQUIRE([rk_DB]) + +dnl C types + +AC_REQUIRE([AC_TYPE_SIZE_T]) +AC_HAVE_TYPE([ssize_t],[#include ]) +AC_REQUIRE([AC_TYPE_PID_T]) +AC_REQUIRE([AC_TYPE_UID_T]) +AC_HAVE_TYPE([long long]) + +AC_REQUIRE([rk_RETSIGTYPE]) + +dnl Checks for header files. 
+AC_REQUIRE([AC_HEADER_STDC]) +AC_REQUIRE([AC_HEADER_TIME]) + +AC_CHECK_HEADERS([\ + auxv.h \ + arpa/inet.h \ + config.h \ + crypt.h \ + dirent.h \ + errno.h \ + err.h \ + fcntl.h \ + fnmatch.h \ + grp.h \ + ifaddrs.h \ + netinet/in.h \ + netinet/in6.h \ + netinet/in_systm.h \ + netinet6/in6.h \ + paths.h \ + poll.h \ + pwd.h \ + rpcsvc/ypclnt.h \ + search.h \ + shadow.h \ + stdint.h \ + sys/auxv.h \ + sys/bswap.h \ + sys/errno.h \ + sys/exec_elf.h \ + sys/ioctl.h \ + sys/mman.h \ + sys/param.h \ + sys/resource.h \ + sys/sockio.h \ + sys/stat.h \ + sys/time.h \ + sys/tty.h \ + sys/types.h \ + sys/uio.h \ + sys/utsname.h \ + sys/wait.h \ + syslog.h \ + termios.h \ + winsock2.h \ + ws2tcpip.h \ + unistd.h \ + userconf.h \ + usersec.h \ + util.h \ +]) + +AC_HAVE_TYPE([auxv_t],[#ifdef HAVE_AUXV_H +#include +#endif +#ifdef HAVE_SYS_AUXV_H +#include +#endif +]) + +AC_HAVE_TYPE([uintptr_t],[#ifdef HAVE_STDINT_H +#include +#endif]) + +dnl Sunpro 5.2 has a vis.h which is something different. +AC_CHECK_HEADERS(vis.h, , , [ +#include +#ifndef VIS_SP +#error invis +#endif]) + +AC_CHECK_HEADERS(netdb.h, , , [AC_INCLUDES_DEFAULT +#ifdef HAVE_SYS_TYPES_H +#include +#endif +]) + +AC_CHECK_HEADERS(sys/socket.h, , , [AC_INCLUDES_DEFAULT +#ifdef HAVE_SYS_TYPES_H +#include +#endif +]) + +AC_CHECK_HEADERS(net/if.h, , , [AC_INCLUDES_DEFAULT +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#if HAVE_SYS_SOCKET_H +#include +#endif]) + +AC_CHECK_HEADERS(netinet6/in6_var.h, , , [AC_INCLUDES_DEFAULT +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#if HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET6_IN6_H +#include +#endif +]) + +AC_CHECK_HEADERS(sys/sysctl.h, , , [AC_INCLUDES_DEFAULT +#ifdef HAVE_SYS_PARAM_H +#include +#endif +]) + +AC_CHECK_HEADERS(sys/proc.h, , , [AC_INCLUDES_DEFAULT +#ifdef HAVE_SYS_PARAM_H +#include +#endif +]) + +AC_REQUIRE([CHECK_NETINET_IP_AND_TCP]) + +AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes) +AM_CONDITIONAL(have_ifaddrs_h, test 
"$ac_cv_header_ifaddrs_h" = yes) +AM_CONDITIONAL(have_search_h, test "$ac_cv_header_search_h" = yes) +AM_CONDITIONAL(have_vis_h, test "$ac_cv_header_vis_h" = yes) + +dnl Check for functions and libraries + +AC_KRB_IPV6 + +AC_FIND_FUNC(gethostbyname2, inet6 ip6) + +rk_RESOLV + +AC_BROKEN_SNPRINTF +AC_BROKEN_VSNPRINTF + +AC_CHECK_FUNCS([ \ + asnprintf \ + asprintf \ + atexit \ + getauxval \ + getconfattr \ + getprogname \ + getrlimit \ + issetugid \ + memmem \ + mkdtemp \ + mkostemp \ + on_exit \ + poll \ + random \ + secure_getenv \ + setprogname \ + strsvis \ + strsvisx \ + strunvis \ + strvis \ + strvisx \ + svis \ + sysconf \ + sysctl \ + tdelete \ + tfind \ + twalk \ + uname \ + unlinkat \ + unvis \ + vasnprintf \ + vasprintf \ + vis \ +]) + +AC_REQUIRE([AC_FUNC_GETLOGIN]) + +AC_REQUIRE([AC_FUNC_MMAP]) + +AC_FIND_FUNC_NO_LIBS(getsockopt,, +[#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif], +[0,0,0,0,0]) +AC_FIND_FUNC_NO_LIBS(setsockopt,, +[#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif], +[0,0,0,0,0]) + +AC_FIND_IF_NOT_BROKEN(hstrerror, resolv, +[#ifdef HAVE_NETDB_H +#include +#endif], +17) +AC_NEED_PROTO([ +#ifdef HAVE_NETDB_H +#include +#endif], +hstrerror) + +AC_FOREACH([rk_func], [asprintf vasprintf asnprintf vasnprintf], + [AC_NEED_PROTO([ + #include + #include ], + rk_func)]) + +AC_FIND_FUNC_NO_LIBS(bswap16,, +[#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_BSWAP_H +#include +#endif],0) + +AC_FIND_FUNC_NO_LIBS(bswap32,, +[#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_BSWAP_H +#include +#endif],0) + +AC_FIND_FUNC_NO_LIBS(bswap64,, +[#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_BSWAP_H +#include +#endif],0) + +AC_FIND_FUNC_NO_LIBS(pidfile,util, +[#ifdef HAVE_UTIL_H +#include +#endif],0) + +AC_FIND_IF_NOT_BROKEN(getaddrinfo,, +[#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif],[0,0,0,0]) + 
+AC_FIND_IF_NOT_BROKEN(getnameinfo,, +[#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif],[0,0,0,0,0,0,0]) + +AC_FIND_IF_NOT_BROKEN(freeaddrinfo,, +[#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif],[0]) + +AC_FIND_IF_NOT_BROKEN(gai_strerror,, +[#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif],[0]) + +AC_CHECK_LIB(util, emalloc) + +case "$host_os" in + darwin*) + ;; + *) + AC_BROKEN([daemon]) ;; +esac + +AC_BROKEN([ \ + chown \ + copyhostent \ + closefrom \ + ecalloc \ + emalloc \ + erealloc \ + estrdup \ + err \ + errx \ + fchown \ + flock \ + fnmatch \ + freehostent \ + getcwd \ + getdtablesize \ + getegid \ + geteuid \ + getgid \ + gethostname \ + getifaddrs \ + getipnodebyaddr \ + getipnodebyname \ + getopt \ + gettimeofday \ + getuid \ + getusershell \ + initgroups \ + innetgr \ + localtime_r \ + lstat \ + memmove \ + memset_s \ + mergesort \ + mergesort_r \ + mkstemp \ + putenv \ + rcmd \ + readv \ + recvmsg \ + sendmsg \ + setegid \ + setenv \ + seteuid \ + strcasecmp \ + strdup \ + strerror \ + strftime \ + strlcat \ + strlcpy \ + strlwr \ + strncasecmp \ + strndup \ + strnlen \ + strptime \ + strsep \ + strsep_copy \ + strtok_r \ + strtoll \ + strtoull \ + strupr \ + swab \ + tsearch \ + timegm \ + unsetenv \ + verr \ + verrx \ + vsyslog \ + vwarn \ + vwarnx \ + warn \ + warnx \ + writev \ +]) + +AM_CONDITIONAL(have_fnmatch_h, + test "$ac_cv_header_fnmatch_h" = yes -a "$ac_cv_func_fnmatch" = yes) + +AC_FOREACH([rk_func], [strndup strsep strtok_r], + [AC_NEED_PROTO([#include ], rk_func)]) + +AC_CHECK_FUNC([strtoll], + [AC_DEFINE_UNQUOTED(HAVE_STRTOLL, 1, + [Define if you have the function strtoll.])]) + +AC_CHECK_FUNC([strtoull], + [AC_DEFINE_UNQUOTED(HAVE_STRTOULL, 1, + [Define if you have the function strtoull.])]) + +AC_FOREACH([rk_func], [strsvis strsvisx strunvis strvis strvisx svis unvis vis], +[AC_NEED_PROTO([#ifdef HAVE_VIS_H +#include +#endif], rk_func)]) + 
+AC_MSG_CHECKING([checking for dirfd]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include +#ifdef HAVE_DIRENT_H +#include +#endif +]], + [[DIR *d = 0; dirfd(d);]])], + [ac_rk_have_dirfd=yes], [ac_rk_have_dirfd=no]) +if test "$ac_rk_have_dirfd" = "yes" ; then + AC_DEFINE_UNQUOTED(HAVE_DIRFD, 1, [have a dirfd function/macro]) +fi +AC_MSG_RESULT($ac_rk_have_dirfd) + +AC_HAVE_STRUCT_FIELD(DIR, dd_fd, [#include +#ifdef HAVE_DIRENT_H +#include +#endif]) + +AC_HAVE_STRUCT_FIELD(DIR, d_fd, [#include +#ifdef HAVE_DIRENT_H +#include +#endif]) + +AC_BROKEN2(inet_aton, +[#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_INET_H +#include +#endif], +[0,0]) + +AC_BROKEN2(inet_ntop, +[#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_INET_H +#include +#endif], +[0, 0, 0, 0]) + +AC_BROKEN2(inet_pton, +[#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_INET_H +#include +#endif], +[0,0,0]) + +dnl +dnl Check for sa_len in struct sockaddr, +dnl needs to come before the getnameinfo test +dnl +AC_HAVE_STRUCT_FIELD(struct sockaddr, sa_len, [#include +#include ]) + +if test "$ac_cv_func_getaddrinfo" = "yes"; then + rk_BROKEN_GETADDRINFO + if test "$ac_cv_func_getaddrinfo_numserv" = no; then + AC_LIBOBJ(getaddrinfo) + AC_LIBOBJ(freeaddrinfo) + fi +fi + +AC_NEED_PROTO([#include ], setenv) +AC_NEED_PROTO([#include ], unsetenv) +AC_NEED_PROTO([#include ], gethostname) +AC_NEED_PROTO([#include ], mkstemp) +AC_NEED_PROTO([#include ], getusershell) +AC_NEED_PROTO([#include ], daemon) + +AC_NEED_PROTO([ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_INET_H +#include +#endif], +inet_aton) + 
+AC_FIND_FUNC_NO_LIBS(crypt, crypt)dnl + +AC_REQUIRE([rk_BROKEN_REALLOC])dnl + +dnl strerror_r is great fun, on linux it exists before sus catched up, +dnl so the return type is diffrent, lets check for both + +AC_PROTO_COMPAT([ +#include +#include +], +strerror_r, int strerror_r(int, char *, size_t)) + +AC_CHECK_FUNC([strerror_r], + [AC_DEFINE_UNQUOTED(HAVE_STRERROR_R, 1, + [Define if you have the function strerror_r.])]) + +dnl +dnl Checks for prototypes and declarations +dnl + +AC_PROTO_COMPAT([ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_INET_H +#include +#endif +#ifdef HAVE_NETDB_H +#include +#endif +], +gethostbyname, struct hostent *gethostbyname(const char *)) + +AC_PROTO_COMPAT([ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_INET_H +#include +#endif +#ifdef HAVE_NETDB_H +#include +#endif +], +gethostbyaddr, struct hostent *gethostbyaddr(const void *, size_t, int)) + +AC_PROTO_COMPAT([ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_ARPA_INET_H +#include +#endif +#ifdef HAVE_NETDB_H +#include +#endif +], +getservbyname, struct servent *getservbyname(const char *, const char *)) + +AC_PROTO_COMPAT([ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +], +getsockname, int getsockname(int, struct sockaddr*, socklen_t*)) + +AC_PROTO_COMPAT([ +#ifdef HAVE_SYSLOG_H +#include +#endif +], +openlog, void openlog(const char *, int, int)) + +AC_NEED_PROTO([ +#ifdef HAVE_CRYPT_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +], +crypt) + +dnl variables + +rk_CHECK_VAR(h_errno, +[#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif +]) + 
+rk_CHECK_VAR(h_errlist, +[#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif]) + +rk_CHECK_VAR(h_nerr, +[#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif]) + +rk_CHECK_VAR([__progname], +[#ifdef HAVE_ERR_H +#include +#endif]) + +AC_CHECK_DECLS([optarg, optind, opterr, optopt, environ],[],[],[ +#include +#ifdef HAVE_UNISTD_H +#include +#endif]) + +dnl +dnl Check for fields in struct tm +dnl + +AC_HAVE_STRUCT_FIELD(struct tm, tm_gmtoff, [#include ]) +AC_HAVE_STRUCT_FIELD(struct tm, tm_zone, [#include ]) + +dnl +dnl or do we have a variable `timezone' ? +dnl + +rk_CHECK_VAR(timezone,[#include ]) +rk_CHECK_VAR(altzone,[#include ]) + +AC_HAVE_TYPE([sa_family_t],[ +#include +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif]) +AC_HAVE_TYPE([socklen_t],[ +#include +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif]) +AC_HAVE_TYPE([struct sockaddr], [ +#include +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif]) +AC_HAVE_TYPE([struct sockaddr_storage], [ +#include +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif]) +AC_HAVE_TYPE([struct addrinfo], [ +#include +#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif]) +AC_HAVE_TYPE([struct ifaddrs], [#include ]) +AC_HAVE_TYPE([struct iovec],[ +#include +#include +]) +AC_HAVE_TYPE([struct msghdr],[ +#include +#ifdef HAVE_SYS_SOCKET_H +#include +#endif +#ifdef HAVE_WS2TCPIP_H +#include +#endif]) + +dnl +dnl Check for struct winsize +dnl + +AC_KRB_STRUCT_WINSIZE + +dnl +dnl Check for struct spwd +dnl + +AC_KRB_STRUCT_SPWD + +# +# Check if we want samba's socket wrapper +# + +samba_SOCKET_WRAPPER + +dnl won't work with automake +dnl moved to AC_OUTPUT in configure.in +dnl AC_CONFIG_FILES($1/Makefile) + +LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)" + +AC_SUBST(DIR_roken)dnl +AC_SUBST(LIB_roken)dnl 
+AC_SUBST(INCLUDES_roken)dnl +]) diff --git a/third_party/heimdal/cf/roken-h-process.pl b/third_party/heimdal/cf/roken-h-process.pl new file mode 100644 index 0000000..e797dd2 --- /dev/null +++ b/third_party/heimdal/cf/roken-h-process.pl 
@@ -0,0 +1,184 @@ +#!/usr/bin/perl + +use Getopt::Std; + +my $debug = 0; + +getopts('dc:p:o:') || die "foo"; + +if ($opt_d) { + $debug = 1; +} + +die "missing arg" if (!defined $opt_c || !defined $opt_p || !defined $opt_o); + +my %defines; +my $IN; +my $OUT; + +print "parse config.h\n" if ($debug); + +open IN, $opt_c || die "failed open ${opt_c}"; + +my @nesting; + +push @nesting, 1; + +while () { + if (m/\s*#ifdef\s+(.*)/) { + my $var = $1; + if (defined $defines{$var}) { + push @nesting, 1; + } else { + push @nesting, 0; + } + next; + } elsif (m/\s*#ifndef\s+(.*)/) { + my $var = $1; + if (defined $defines{$var}) { + push @nesting, 0; + } else { + push @nesting, 1; + } + next; + } elsif (m/\s*#else/) { + my $var = pop @nesting; + $var = !$var; + push @nesting, $var; + next; + } elsif ($nesting[$#nesting] and m/\s*#define\s+(\w+)\s+(\S+)/) { + my $res = $2; + $res = 1 if (!defined $res); + $defines{$1} = $res; + } +} + +close IN; + +if ($debug) { + foreach my $i (keys %defines) { + print "k: $i v: $defines{$i}\n"; + } +} + +open IN, "$opt_p" || die "failed open ${opt_p}"; +open OUT, ">$opt_o" || die "failed open ${opt_o}"; + +print "parse roken.h.in\n" if ($debug); + +print OUT "/* This is an OS dependent, generated file */\n"; +print OUT "\n"; +print OUT "\n"; +print OUT "#ifndef __ROKEN_H__\n"; +print OUT "#define __ROKEN_H__\n"; +print OUT "\n"; + +@nesting = (1); + +while () { + if (m/\s*#ifdef\s+(.*)/) { + my $var = $1; + if (defined $defines{$var}) { + push @nesting, 1; + } else { + push @nesting, 0; + } + next; + } elsif (m/\s*#ifndef\s+(.*)/) { + my $var = $1; + if (defined $defines{$var}) { + push @nesting, 0; + } else { + push @nesting, 1; + } + next; + } elsif (m/\s*#if\s+(.*)/) { + my $res = parse_if($1); + print "line = $res: $1\n" if ($debug); + push @nesting, $res; + next; + } elsif (m/\s*#elif\s+(.*)/) { + my $res = pop @nesting; + if ($res gt 0) { + $res = -1; + } else { + my $res = parse_if($1); + } + push @nesting, $res; + next; + } elsif 
(m/\s*#else/) { + my $var = pop @nesting; + $var = !$var; + push @nesting, $var; + next; + } elsif (m/\s*#endif/) { + pop @nesting; + next; + } + print "line: $_\n" if ($debug); + print "nesting dep $#{nesting}\n" if ($debug); + my $i = 0, $t = 1; + while ($i le $#nesting) { + $t = 0 if ($nesting[$i] le 0); + print "nesting $i val $nesting[$i] -> $t\n" if ($debug); + $i++; + } + if ($t) { + print OUT; + } +} + +print OUT "\n"; +print OUT "#endif /* __ROKEN_H__ */\n"; + + +close IN; + +exit 0; + +sub parse_if +{ + my ($neg, $var); + + $_ = shift; + + if (m/^\s*$/) { + print "end $_\n" if ($debug); + return 1; + } elsif (m/^\(([^&]+)\&\&(.*)\)\s*\|\|\s*\(([^&]+)\&\&(.*)\)$/) { + print "($1 and $2) or ($3 and $4)\n" if ($debug); + return ((parse_if($1) and parse_if($2)) or (parse_if($3) and parse_if($4))); + } elsif (m/^([^&]+)\&\&(.*)$/) { + print "$1 and $2\n" if ($debug); + return parse_if($1) and parse_if($2); + } elsif (m/^([^\|]+)\|\|(.*)$/) { + print "$1 or $2\n" if ($debug); + return (parse_if($1) or parse_if($2)); + } elsif (m/^\s*(\!)?\s*defined\((\w+)\)/) { + ($neg, $var) = ($1, $2); + print "def: ${neg}-defined(${var})\n" if ($debug); + my $res = defined $defines{$var}; + if ($neg eq "!") { + if ($res) { + $res = 0; + } else { + $res = 1; + } + } + print "res: $res\n" if ($debug); + return $res; + } elsif (m/^\s*(\!)?(\w+)/) { + ($neg, $var) = ($1, $2); + print "var: $neg $var\n" if ($debug); + my $res; + if (defined $defines{$var}) { + $res = $defines{$var}; + } else { + $res = 0; + } + $res = ! $res if ($neg =~ m/!/); + print "res: $res\n" if ($debug); + return $res; + } + die "failed parse: $_\n"; +} diff --git a/third_party/heimdal/cf/roken.m4 b/third_party/heimdal/cf/roken.m4 new file mode 100644 index 0000000..d4fedda --- /dev/null +++ b/third_party/heimdal/cf/roken.m4 
@@ -0,0 +1,64 @@ +dnl $Id$ +dnl +dnl try to look for an installed roken library with sufficient stuff +dnl +dnl set LIB_roken to the what we should link with +dnl set DIR_roken to if the directory should be built +dnl set CPPFLAGS_roken to stuff to add to CPPFLAGS + +dnl AC_ROKEN(version,directory-to-try,roken-dir,fallback-library,fallback-cppflags) +AC_DEFUN([AC_ROKEN], [ + +AC_ARG_WITH(roken, + AS_HELP_STRING([--with-roken=dir],[use the roken library in dir]), +[if test "$withval" = "no"; then + AC_MSG_ERROR(roken is required) +fi]) + +save_CPPFLAGS="${CPPFLAGS}" + +case $with_roken in +yes|"") + dirs="$2" ;; +*) + dirs="$with_roken" ;; +esac + +roken_installed=no + +for i in $dirs; do + +AC_MSG_CHECKING(for roken in $i) + +CPPFLAGS="-I$i/include ${CPPFLAGS}" + +AC_PREPROC_IFELSE([AC_LANG_SOURCE([[ +#include +#if ROKEN_VERSION < $1 +#error old roken version, should be $1 +fail +#endif +]])],[roken_installed=yes; break]) + +AC_MSG_RESULT($roken_installed) + +done + +CPPFLAGS="$save_CPPFLAGS" + +if test "$roken_installed" != "yes"; then + DIR_roken="roken" + LIB_roken='$4' + CPPFLAGS_roken='$5' + AC_CONFIG_SUBDIRS(lib/roken) +else + LIB_roken="$i/lib/libroken.la" + CPPFLAGS_roken="-I$i/include" +fi + +LIB_roken="${LIB_roken} \$(LIB_crypt) \$(LIB_dbopen)" + +AC_SUBST(LIB_roken)dnl +AC_SUBST(DIR_roken)dnl +AC_SUBST(CPPFLAGS_roken)dnl +]) diff --git a/third_party/heimdal/cf/socket-wrapper.m4 b/third_party/heimdal/cf/socket-wrapper.m4 new file mode 100644 index 0000000..2804d1f --- /dev/null +++ b/third_party/heimdal/cf/socket-wrapper.m4 @@ -0,0 +1,16 @@ +dnl $Id$ +dnl +AC_DEFUN([samba_SOCKET_WRAPPER], [ + +AC_ARG_ENABLE(socket-wrapper, + AS_HELP_STRING([--enable-socket-wrapper], + [use sambas socket-wrapper for testing])) + +AM_CONDITIONAL(have_socket_wrapper, test "x$enable_socket_wrapper" = xyes)dnl + +if test "x$enable_socket_wrapper" = xyes ; then + AC_DEFINE(SOCKET_WRAPPER_REPLACE, 1, + [Define if you want to use samba socket wrappers.]) +fi + +]) 
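Review bot: In cf/socket-wrapper.m4, --enable-socket-wrapper defines SOCKET_WRAPPER_REPLACE and sets the have_socket_wrapper conditional silently, although the help string itself says the option is "for testing". Suggest emitting AC_MSG_WARN (or a line in the configure summary) inside the 'if test "x$enable_socket_wrapper" = xyes' block, so that a packaged build configured with the wrapper enabled is visible in the configure output. The help string also reads "sambas socket-wrapper"; it should be "Samba's socket-wrapper".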
diff --git a/third_party/heimdal/cf/sunos.m4 b/third_party/heimdal/cf/sunos.m4 new file mode 100644 index 0000000..938fc3a --- /dev/null +++ b/third_party/heimdal/cf/sunos.m4 @@ -0,0 +1,29 @@ +dnl +dnl $Id$ +dnl + +AC_DEFUN([rk_SUNOS],[ +sunos=no +case "$host" in +*-*-solaris2.7) + sunos=57 + ;; +*-*-solaris2.1[[1-9]]) + AC_DEFINE([__EXTENSIONS__], [1], + [Enable general extensions on Solaris.]) + AC_DEFINE([_STDC_C11_BCI], [1], + [Enable C11 prototypes for memset_s and friends]) + sunos=511 + ;; +*-*-solaris2.[[89]] | *-*-solaris2.10) + sunos=58 + ;; +*-*-solaris2*) + sunos=50 + ;; +esac +if test "$sunos" != no; then + AC_DEFINE_UNQUOTED(SunOS, $sunos, + [Define to what version of SunOS you are running.]) +fi +]) diff --git a/third_party/heimdal/cf/symbol-version.py b/third_party/heimdal/cf/symbol-version.py new file mode 100644 index 0000000..414f06f --- /dev/null +++ b/third_party/heimdal/cf/symbol-version.py 
@@ -0,0 +1,85 @@ +# +# Copyright (c) 2008 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. 
+ + +import sys + +tokens = [ 'SYMBOL' ] +literals = ['{','}',';', ':'] + +t_SYMBOL = r'[a-zA-Z_][a-zA-Z0-9_\.]*' +t_ignore = " \t\n" + +def t_error(t): + print "Illegal character '%s'" % t.value[0] + t.lexer.skip(1) + +import ply.lex as lex +lex.lex() + +namespace = "global" +symbols = [] + +def p_syms(p): + 'syms : SYMBOL "{" elements "}"' + print "# %s" % p[1] + +def p_elements(p): + '''elements : element + | element elements''' + +def p_element(p): + '''element : SYMBOL ":" + | SYMBOL ";"''' + global namespace + if p[2] == ':': + namespace = p[1] + else: + symbols.append([namespace, p[1]]) + +def p_error(p): + if p: + print "Syntax error at '%s'" % p.value + else: + print "Syntax error at EOF" + +import ply.yacc as yacc +yacc.yacc() + +lines = sys.stdin.readlines() + +for line in lines: + yacc.parse(line) + +for symbol in symbols: + if symbol[0] == "global": + print "%s" % symbol[1] diff --git a/third_party/heimdal/cf/telnet.m4 b/third_party/heimdal/cf/telnet.m4 new file mode 100644 index 0000000..c48e5f9 --- /dev/null +++ b/third_party/heimdal/cf/telnet.m4 
@@ -0,0 +1,75 @@ +dnl +dnl $Id$ +dnl +dnl stuff used by telnet + +AC_DEFUN([rk_TELNET],[ +AC_DEFINE(AUTHENTICATION, 1, + [Define if you want authentication support in telnet.])dnl +AC_DEFINE(ENCRYPTION, 1, + [Define if you want encryption support in telnet.])dnl +AC_DEFINE(DES_ENCRYPTION, 1, + [Define if you want to use DES encryption in telnet.])dnl +AC_DEFINE(DIAGNOSTICS, 1, + [Define this to enable diagnostics in telnet.])dnl +AC_DEFINE(OLD_ENVIRON, 1, + [Define this to enable old environment option in telnet.])dnl +if false; then + AC_DEFINE(ENV_HACK, 1, + [Define this if you want support for broken ENV_{VAR,VAL} telnets.]) +fi + +# Simple test for streamspty, based on the existance of getmsg(), alas +# this breaks on SunOS4 which have streams but BSD-like ptys +# +# And also something wierd has happend with dec-osf1, fallback to bsd-ptys + +case "$host" in +*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[[01]]*) + ;; +*) + AC_CHECK_FUNC(getmsg) + if test "$ac_cv_func_getmsg" = "yes"; then + AC_CACHE_CHECK([if getmsg works], ac_cv_func_getmsg_works, + AC_RUN_IFELSE([AC_LANG_SOURCE([[ + #include + #include + + int main(int argc, char **argv) + { + int ret; + ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL); + if(ret < 0 && errno == ENOSYS) + return 1; + return 0; + } + ]])], [ac_cv_func_getmsg_works=yes], + [ac_cv_func_getmsg_works=no], + [ac_cv_func_getmsg_works=no])) + if test "$ac_cv_func_getmsg_works" = "yes"; then + AC_DEFINE(HAVE_GETMSG, 1, + [Define if you have a working getmsg.]) + AC_DEFINE(STREAMSPTY, 1, + [Define if you have streams ptys.]) + fi + fi + ;; +esac + +AH_BOTTOM([ + +/* Set this to the default system lead string for telnetd + * can contain %-escapes: %s=sysname, %m=machine, %r=os-release + * %v=os-version, %t=tty, %h=hostname, %d=date and time + */ +#undef USE_IM + +/* Used with login -p */ +#undef LOGIN_ARGS + +/* set this to a sensible login */ +#ifndef LOGIN_PATH +#define LOGIN_PATH BINDIR "/login" +#endif +]) +]) 
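Review bot: In cf/telnet.m4, AC_DEFINE(DES_ENCRYPTION, 1, ...) at the top of rk_TELNET is unconditional, as are AUTHENTICATION and ENCRYPTION, so every configure run that expands this macro selects DES for telnet encryption and there is no switch to turn it off. DES's 56-bit key no longer gives meaningful confidentiality; suggest gating these defines behind an AC_ARG_ENABLE option that defaults to off, or documenting in the commit that rk_TELNET is imported but not expanded by the configure scripts in this tree. Separately, the getmsg run test passes open("/dev/null", 0) straight into getmsg() without checking the descriptor, so a failed open is reported as "getmsg works" unless errno happens to be ENOSYS.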
diff --git a/third_party/heimdal/cf/test-package.m4 b/third_party/heimdal/cf/test-package.m4 new file mode 100644 index 0000000..afada2f --- /dev/null +++ b/third_party/heimdal/cf/test-package.m4 
@@ -0,0 +1,135 @@ +dnl $Id$ +dnl +dnl rk_TEST_PACKAGE(package,program,libraries,extra libs, +dnl default locations, conditional, config-program, headers) + +AC_DEFUN([rk_TEST_PACKAGE],[ +AC_ARG_WITH($1, + AS_HELP_STRING([--with-$1=dir],[use $1 in dir])) +AC_ARG_WITH($1-lib, + AS_HELP_STRING([--with-$1-lib=dir],[use $1 libraries in dir]), +[if test "$withval" = "yes" -o "$withval" = "no"; then + AC_MSG_ERROR([No argument for --with-$1-lib]) +elif test "X$with_$1" = "X"; then + with_$1=yes +fi]) +AC_ARG_WITH($1-include, + AS_HELP_STRING([--with-$1-include=dir],[use $1 headers in dir]), +[if test "$withval" = "yes" -o "$withval" = "no"; then + AC_MSG_ERROR([No argument for --with-$1-include]) +elif test "X$with_$1" = "X"; then + with_$1=yes +fi]) +AC_ARG_WITH($1-config, + AS_HELP_STRING([--with-$1-config=path],[config program for $1])) + +m4_ifval([$6], + m4_define([rk_pkgname], $6), + m4_define([rk_pkgname], AS_TR_CPP($1))) + +AC_MSG_CHECKING(for $1) + +case "$with_$1" in +yes|"") d='$5' ;; +no) d= ;; +*) d="$with_$1" ;; +esac + +header_dirs= +lib_dirs= +for i in $d; do + if test "$with_$1_include" = ""; then + if test -d "$i/include/$1"; then + header_dirs="$header_dirs $i/include/$1" + fi + if test -d "$i/include"; then + header_dirs="$header_dirs $i/include" + fi + fi + if test "$with_$1_lib" = ""; then + if test -d "$i/lib$abilibdirext"; then + lib_dirs="$lib_dirs $i/lib$abilibdirext" + fi + fi +done + +if test "$with_$1_include"; then + header_dirs="$with_$1_include $header_dirs" +fi +if test "$with_$1_lib"; then + lib_dirs="$with_$1_lib $lib_dirs" +fi + +if test "$with_$1_config" = ""; then + with_$1_config='$7' +fi + +$1_cflags= +$1_libs= + +case "$with_$1_config" in +yes|no|""|"$7") + if test -f $with_$1/bin/$7 ; then + with_$1_config=$with_$1/bin/$7 + fi + ;; +esac + +case "$with_$1_config" in +yes|no|"") + ;; +*) + $1_cflags="`$with_$1_config --cflags 2>&1`" + $1_libs="`$with_$1_config --libs 2>&1`" + ;; +esac + +found=no +if test "$with_$1" != no; then + 
save_CFLAGS="$CFLAGS" + save_LIBS="$LIBS" + if test "$[]$1_cflags" -a "$[]$1_libs"; then + CFLAGS="$[]$1_cflags $save_CFLAGS" + LIBS="$[]$1_libs $save_LIBS" + m4_ifval([$8],[AC_CHECK_HEADERS([[$8]])]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2]],[[]])],[ + INCLUDE_$1="$[]$1_cflags" + LIB_$1="$[]$1_libs" + AC_MSG_RESULT([from $with_$1_config]) + found=yes]) + fi + if test "$found" = no; then + ires= lres= + for i in $header_dirs; do + CFLAGS="-I$i $save_CFLAGS" + m4_ifval([$8],[AC_CHECK_HEADERS([[$8]])]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$2]],[[]])],[ires=$i;break]) + done + for i in $lib_dirs; do + LIBS="-L$i $3 $4 $save_LIBS" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2]],[[]])],[lres=$i;break]) + done + if test "$ires" -a "$lres" -a "$with_$1" != "no"; then + INCLUDE_$1="-I$ires" + LIB_$1="-L$lres $3 $4" + found=yes + AC_MSG_RESULT([headers $ires, libraries $lres]) + fi + fi + CFLAGS="$save_CFLAGS" + LIBS="$save_LIBS" +fi + +if test "$found" = yes; then + AC_DEFINE_UNQUOTED(rk_pkgname, 1, [Define if you have the $1 package.]) + with_$1=yes +else + with_$1=no + INCLUDE_$1= + LIB_$1= + AC_MSG_RESULT(no) +fi + +AC_SUBST(INCLUDE_$1) +AC_SUBST(LIB_$1) +]) diff --git a/third_party/heimdal/cf/valgrind-suppressions b/third_party/heimdal/cf/valgrind-suppressions new file mode 100644 index 0000000..44f3f37 --- /dev/null +++ b/third_party/heimdal/cf/valgrind-suppressions 
@@ -0,0 +1,168 @@ +{ + linux db init brokenness + Memcheck:Param + pwrite64(buf) + fun:do_pwrite64 + fun:__os_io + fun:__memp_pgwrite + fun:__memp_fsync + fun:__bam_read_root + fun:__bam_open + fun:__db_dbopen + fun:__db_open + fun:DB_open +} +{ + linux strerror + Memcheck:Leak + fun:_vgrZU_libcZdsoZa_malloc + fun:rwlock_add_to_list + fun:rwlock_have_already + fun:pthread_rwlock_rdlock + fun:__dcigettext + fun:dcgettext + fun:strerror_r + fun:strerror +} +{ + linux db close brokenness + Memcheck:Param + pwrite64(buf) + fun:do_pwrite64 + fun:__os_io + fun:__memp_pgwrite + fun:__memp_fsync + fun:__db_sync + fun:__db_close + fun:DB_close +} +{ + GLIBC 2.1.2 getservbyname defect + Memcheck:Leak + fun:_vgrZU_libcZdsoZa_malloc + fun:strdup + obj:* + obj:* + fun:getservbyname_r@@GLIBC_2.1.2 + fun:getservbyname +} +{ + glibc getaddrinfo defect + Memcheck:Leak + fun:_vgrZU_libcZdsoZa_malloc + fun:__libc_res_nsend + fun:__libc_res_nquery + fun:__libc_res_nquerydomain + fun:__libc_res_nsearch + obj:* + fun:gaih_inet + fun:getaddrinfo +} +{ + glibc dlopen failure called from /bin/ls + Memcheck:Addr4 + obj:/lib/ld-2.3.6.so + obj:/lib/ld-2.3.6.so + obj:/lib/ld-2.3.6.so +} +{ + Unknown suppression in runtime link editor + Memcheck:Cond + obj:/lib/ld-2.5.so + obj:/lib/ld-2.5.so + obj:/lib/ld-2.5.so + obj:/lib/ld-2.5.so +} +{ + Unknown suppression in runtime link editor + Memcheck:Addr4 + obj:/lib/ld-2.5.so + obj:/lib/ld-2.5.so + obj:/lib/ld-2.5.so + obj:/lib/ld-2.5.so +} +{ + glibc sed leak 1 + Memcheck:Leak + fun:calloc + obj:/bin/sed + obj:/bin/sed + obj:/bin/sed + obj:/bin/sed + obj:/bin/sed + fun:(below main) +} +{ + Heimdal one-time init leak 1 + Memcheck:Leak + ... + fun:heim_base_once_f + ... +} +{ + Heimdal one-time init leak 2 + Memcheck:Leak + fun:pthread_once + ... 
+} +{ + Heimdal one-time init leak 3 + Memcheck:Leak + fun:calloc + fun:_heim_alloc_object + fun:heim_dict_create + fun:_krb5_load_plugins + fun:init_context_once + fun:once_callback_caller + fun:pthread_once + fun:heim_base_once_f + fun:krb5_init_context + fun:main +} +{ + Heimdal one-time init leak 4 + Memcheck:Leak + fun:calloc + fun:heim_dict_create + fun:_krb5_load_plugins + fun:init_context_once + fun:once_callback_caller + fun:pthread_once + fun:heim_base_once_f + fun:krb5_init_context + fun:main +} +{ + Heimdal ipropd-master leak 1 + Memcheck:Leak + ... + fun:krb5_kt_resolve + fun:main + obj:*ipropd-master +} +{ + Heimdal ipropd-master leak 2 + Memcheck:Leak + ... + fun:kadm5_init_with_skey_ctx + fun:main + obj:*ipropd-master +} +{ + Heimdal ipropd-slave leak 1 + Memcheck:Leak + ... + fun:krb5_auth_con_init + ... + fun:krb5_sendauth + fun:main + obj:*ipropd-slave +} +{ + Heimdal ipropd-slave leak 2 + Memcheck:Leak + ... + fun:kadm5_init_with_password_ctx + fun:main + obj:*ipropd-slave +} diff --git a/third_party/heimdal/cf/vararray.m4 b/third_party/heimdal/cf/vararray.m4 new file mode 100644 index 0000000..8511b16 --- /dev/null +++ b/third_party/heimdal/cf/vararray.m4 @@ -0,0 +1,16 @@ +dnl +dnl $Id$ +dnl +dnl Test for variable size arrays. +dnl + +AC_DEFUN([rk_C_VARARRAY], [ + AC_CACHE_CHECK([if the compiler supports variable-length arrays],[rk_cv_c_vararray],[ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],[[int x = 0; { int y[x]; }]])], + [rk_cv_c_vararray=yes], + [rk_cv_c_vararray=no])]) + if test "$rk_cv_c_vararray" = yes; then + AC_DEFINE([HAVE_VARIABLE_LENGTH_ARRAY], [1], + [Define if your compiler supports variable-length arrays.]) + fi +]) diff --git a/third_party/heimdal/cf/version-script.m4 b/third_party/heimdal/cf/version-script.m4 new file mode 100644 index 0000000..f08e013 --- /dev/null +++ b/third_party/heimdal/cf/version-script.m4 
@@ -0,0 +1,39 @@ +dnl check if ld supports --version-script +dnl +AC_DEFUN([rk_VERSIONSCRIPT],[ +AC_CACHE_CHECK(for ld --version-script, rk_cv_version_script,[ + rk_cv_version_script=no + + cat > conftest.map < conftest.c < \$def_name, + "vs=s" => \$vs_name, + "help|?" => \$show_help) or pod2usage( -exitval => 2, + -verbose => 3 ); +pod2usage( -exitval => 1, + -verbose => 3 ) if $show_help or !$def_name or !$vs_name; + +open (my $def, '<', $def_name) or die $!; +open (my $vs, '<', $vs_name) or die $!; + +# First go through the version-script + +my $global = 0; + +while(<$vs>) +{ + next unless m/^([^#]+)/; + + @a = split(/\s+|(\{|})/,$1); + + for $f (@a) { + given ($f) { + when (/global\:/) { $global = 1; } + when (/{|}|.*\:/) { $global = 0; } + when (/(.*)\;/ and $global == 1) { + $syms{$1} = 1; + } + } + } +} + +while(<$def>) +{ + next if m/^#/; + next unless m/^;!([^;]+)/ or m/^([^;]+);?(!?)/; + + @a = split(/\s+/, $1); + + for $f (@a) { + next if $f =~ /EXPORTS/ or $f =~ /DATA/ or not $f; + + if (not exists $syms{$f} and not $2) { + print "$f: Only in DEF\n"; + ++$def_only; + } + delete $syms{$f}; + } +} + +#while (($k,$v) = each %syms) { +for $k (sort keys %syms) { + print "$k: Only in VS\n"; + ++$vs_only; +} + +close($def); +close($vs); + +if ($def_only or $vs_only) { + print "\nMismatches found.\n"; + exit(1); +} + +__END__ + +=head1 NAME + +w32-sync-exported-symbols.pl - Synchronize Windows .def with version-script + +=head1 SYNOPSIS + +w32-sync-exported-symbols.pl {options} + + Options: + --def Name of .def file + --vs Name of version-script file + +=head1 DESCRIPTION + +Verifies that all the symbols exported by the version-script is also +accounted for in the .def file. Also checks that no extra symbols are +exported by the .def file unless they are marked as safe. + +=cut + diff --git a/third_party/heimdal/cf/w32-def-from-dll.pl b/third_party/heimdal/cf/w32-def-from-dll.pl new file mode 100644 index 0000000..77fb4d9 --- /dev/null 
+++ b/third_party/heimdal/cf/w32-def-from-dll.pl 
@@ -0,0 +1,212 @@ +######################################################################## +# +# Copyright (c) 2010, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. 
+# + +my $show_module_name = 1; +my $use_indent = 1; +my $strip_leading_underscore = 0; +my $always_export = 0; +my $module_name = ""; +my $local_prefix = "SHIM_"; +my %forward_exports = (); +my %local_exports = (); + +sub build_forwarder_target_list($) +{ + $fn = shift; + + print STDERR "Processing defs from file [$fn]\n"; + + open(SP, '-|', "dumpbin /exports \"".$fn."\"") or die "Can't open pipe for $fn"; + + LINE: + while () { +# 112 6F 00071CDC krb5_encrypt_size + + /^ +([[:digit:]]+)\s+[[:xdigit:]]+\s[[:xdigit:]]{8,}\s+(\S+)(?:| = (\S*))$/ && do { + my ($ordinal, $symbol, $in) = ($1, $2, $3); + + if ($in eq "") { $in = $symbol }; + $forward_exports{$symbol} = $in; + }; + } + + close SP; +} + +# Dump all symbols for the given dll file that are defined and have +# external scope. + +sub build_def_file($) +{ + $fn = shift; + + print STDERR "Opening dump of DLL [$fn]\n"; + + open(SP, '-|', "dumpbin /exports \"".$fn."\"") or die "Can't open pipe for $fn"; + + LINE: + while () { +# 112 6F 00071CDC krb5_encrypt_size + + /^ +([[:digit:]]+)\s+[[:xdigit:]]+\s[[:xdigit:]]{8,}\s+(\S+)(?:| = (\S*))$/ && do { + my ($ordinal, $symbol, $in) = ($1, $2, $3); + + if ($strip_leading_underscore && $symbol =~ /_(.*)/) { + $symbol = $1; + } + if (exists $local_exports{$symbol}) { + print "\t".$symbol; + print " = ".$local_exports{$symbol}; + if ($in ne $local_exports{$symbol} and $in ne "") { + print STDERR "Incorrect calling convention for local $symbol\n"; + print STDERR " ".$in." != ".$local_exports{$symbol}."\n"; + } + print "\t@".$ordinal."\n"; + } elsif (exists $local_exports{$local_prefix.$symbol}) { + print "\t".$symbol; + print " = ".$local_exports{$local_prefix.$symbol}; + print "\t@".$ordinal."\n"; + } elsif (exists $forward_exports{$symbol}) { + print "\t".$symbol; + print " = ".$module_name; + if ($in ne $forward_exports{$symbol} and $in ne "") { + print STDERR "Incorrect calling convention for $symbol\n"; + print STDERR " ".$in." 
!= ".$forward_exports{$symbol}."\n"; + } + my $texp = $forward_exports{$symbol}; + if ($texp =~ /^_([^@]+)$/) { $texp = $1; } + print $texp."\t@".$ordinal."\n"; + } elsif ($always_export) { + print "\t".$symbol." = ".$local_prefix.$symbol; + print "\t@".$ordinal."\n"; + } else { + print STDERR "Symbol not found: $symbol\n"; + } + }; + } + + close SP; +} + +sub build_local_exports_list($) +{ + $fn = shift; + + print STDERR "Opening dump of object [$fn]\n"; + + open(SP, '-|', "dumpbin /symbols \"".$fn."\"") or die "Can't open pipe for $fn"; + + LINE: + while () { + # 009 00000010 SECT3 notype () External | _remove_error_table@4 + m/^[[:xdigit:]]{3,}\s[[:xdigit:]]{8,}\s(\w+)\s+\w*\s+(?:\(\)| )\s+(\w+)\s+\|\s+(\S+)$/ && do { + my ($section, $visibility, $symbol) = ($1, $2, $3); + + if ($section ne "UNDEF" && $visibility eq "External") { + + my $exp_name = $symbol; + + if ($symbol =~ m/^_(\w+)(?:@.*|)$/) { + $exp_name = $1; + } + + if ($symbol =~ m/^_([^@]+)$/) { + $symbol = $1; + } + + $local_exports{$exp_name} = $symbol; + } + }; + } + + close SP; +} + +sub process_file($) +{ + $fn = shift; + + if ($fn =~ m/\.dll$/i) { + build_def_file($fn); + } elsif ($fn =~ m/\.obj$/i) { + build_local_exports_list($fn); + } else { + die "File type not recognized for $fn."; + } +} + +sub use_response_file($) +{ + $fn = shift; + + open (RF, '<', $fn) or die "Can't open response file $fn"; + + while () { + /^(\S+)$/ && do { + process_file($1); + } + } + close RF; +} + +print "; This is a generated file. Do not modify directly.\n"; +print "EXPORTS\n"; + +for (@ARGV) { + ARG: { + /^-m(.*)$/ && do { + $module_name = $1."."; + last ARG; + }; + + /^-l(.*)$/ && do { + $local_prefix = $1."_"; + last ARG; + }; + + /^-a$/ && do { + $always_export = 1; + last ARG; + }; + + /^-e(.*)$/ && do { + build_forwarder_target_list($1); + last ARG; + }; + + /^@(.*)$/ && do { + use_response_file($1); + last ARG; + }; + + process_file($_); + } +} 
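Review bot: build_forwarder_target_list, build_def_file and build_local_exports_list all paste the file name into a shell command string, as in `open(SP, '-|', "dumpbin /exports \"".$fn."\"")`, so a name containing a double quote or other shell metacharacters changes the command that runs, and names arrive from @ARGV and from response files. Pass the arguments as a list so that no shell is involved, for example `open(SP, '-|', 'dumpbin', '/exports', $fn)`, where the build's Perl supports list-form pipe open on Windows, or reject names with characters outside an expected set before use. Each sub also assigns `$fn = shift;` to a package global; `my $fn = shift;` keeps the name local, and the script has no `use strict` to catch this.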
diff --git a/third_party/heimdal/cf/w32-detect-vc-version.pl b/third_party/heimdal/cf/w32-detect-vc-version.pl new file mode 100644 index 0000000..213ca29 --- /dev/null +++ b/third_party/heimdal/cf/w32-detect-vc-version.pl 
@@ -0,0 +1,49 @@ +######################################################################## +# +# Copyright (c) 2010, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +# Try to detect the version of Visual C++ in use by parsing the output +# of cl.exe. + +$cl_cmd = shift; + +die "C compiler command should be specified" if ($cl_cmd eq ''); + +open(CL, '-|', $cl_cmd." 2>&1") or die "Can't run C compiler command [$cl_cmd]"; + +$verline = ; + +if ($verline =~ /(\d+).(\d+).(\d+).(\d+)/) { + print "Found Version: $1.$2.$3.$4\n"; + exit $1 + 0; +} else { + print "Mismatch"; + exit 1; +} 
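Review bot: the version match `/(\d+).(\d+).(\d+).(\d+)/` leaves the dots unescaped, so any character between the four digit groups is accepted; write the separators as `\.` so that only a dotted version string matches. The exit convention also needs a comment or a change: `exit $1 + 0` returns the major version as the status while the failure path uses `exit 1`, so a caller cannot distinguish "Mismatch" from a major version of 1 and never sees 0 on success. `$cl_cmd` is handed to the shell with ` 2>&1` appended, which is expected for a compiler command line, but the header comment should say the argument must come from the build system only.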
diff --git a/third_party/heimdal/cf/w32-hh-toc-from-info.pl b/third_party/heimdal/cf/w32-hh-toc-from-info.pl new file mode 100644 index 0000000..9be8ef6 --- /dev/null +++ b/third_party/heimdal/cf/w32-hh-toc-from-info.pl 
@@ -0,0 +1,124 @@ +######################################################################## +# +# Copyright (c) 2010, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. 
+# + +use HTML::TreeBuilder; + + +my $input_file = "index.html"; +my $toc_file = "toc.hhc"; + +for (@ARGV) { + ARG: { + /-o(.*)/ && do { + $toc_file = $1; + last ARG; + }; + + $input_file = $_; + } +} + +print "Processing TOC in $input_file\n"; +print "Writing to $toc_file\n"; + +open(TOC, '>', $toc_file) or die "Can't open $toc_file\n"; + +my $tree = HTML::TreeBuilder->new(); + +$tree->parse_file($input_file); + +my $contents = $tree->look_down('class', 'contents'); +if (defined($contents)) { + my $clist = $contents->find_by_tag_name('ul'); +} + +print TOC ' + + + + + +'; + +process_ul_element($clist, 0); + +print TOC ' + + +'; + + +sub process_ul_element +{ + my $e = shift; + my $level = shift; + + return unless defined($e); + + if ($e->tag() eq "ul") { + + print TOC ' 'x$level; + print TOC "
    \n"; + + my @items = $e->content_list(); + + for (@items) { + process_li_element($_, $level + 1); + } + + print TOC ' 'x$level; + print TOC "
\n"; + } +} + +sub process_li_element +{ + my $e = shift; + my $level = shift; + + if ($e->tag() eq "li") { + my $a = $e->find_by_tag_name('a'); + + my $href = $a->attr('href'); + my @ac = $a->content_list(); + my $title = $ac[0]; + + print TOC " "x$level; + print TOC "
  • \n"; + + my @items = $e->content_list(); + + for (@items) { + process_ul_element($_, $level + 1); + } + } +} + diff --git a/third_party/heimdal/cf/w32-list-externs-from-objs.pl b/third_party/heimdal/cf/w32-list-externs-from-objs.pl new file mode 100644 index 0000000..9712120 --- /dev/null +++ b/third_party/heimdal/cf/w32-list-externs-from-objs.pl 
@@ -0,0 +1,114 @@ +######################################################################## +# +# Copyright (c) 2010, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +my $show_module_name = 1; +my $use_indent = 1; +my $strip_leading_underscore = 0; + +# Dump all symbols for the given object file that are defined and have +# external scope. 
+ +sub dump_symbols_for_file($) +{ + $fn = shift; + + print STDERR "Opening dump of object [$fn]\n"; + + open(SP, '-|', "dumpbin /symbols \"".$fn."\"") or die "Can't open pipe for $fn"; + + LINE: + while () { + # 008 00000000 SECT3 notype () External | _encode_AccessDescription + + /^[[:xdigit:]]{3,}\s[[:xdigit:]]{8,}\s(\w+)\s+\w*\s+(\(\)| )\s+(\w+)\s+\|\s+([0-9a-zA-Z\@\_]+)$/ && do { + my ($section, $type, $visibility, $symbol) = ($1, $2, $3, $4); + + if ($section ne "UNDEF" && $visibility eq "External") { + print $fn if $show_module_name; + print "\t" if $use_indent || $show_module_name; + + if ($strip_leading_underscore && $symbol =~ /_(.*)/) { + $symbol = $1; + } + if ($strip_leading_underscore && $symbol =~ /(.*)\@.*$/) { + $symbol = $1; + } + print $symbol; + if ($type ne "()") { + print "\tDATA"; + } + print "\n"; + } + }; + } + + close SP; +} + +sub use_response_file($) +{ + $fn = shift; + + open (RF, '<', $fn) or die "Can't open response file $fn"; + + while () { + /(\S+)/ && do { + dump_symbols_for_file($1); + } + } + close RF; +} + +for (@ARGV) { + ARG: { + /^-q$/ && do { + $show_module_name = 0; + last ARG; + }; + + /^-1$/ && do { + $use_indent = 0; + last ARG; + }; + + /^-u$/ && do { + $strip_leading_underscore = 1; + last ARG; + }; + + /^@(.*)$/ && do { + use_response_file($1); + last ARG; + }; + + dump_symbols_for_file($_); + } +} diff --git a/third_party/heimdal/cf/wflags.m4 b/third_party/heimdal/cf/wflags.m4 new file mode 100644 index 0000000..bc128bc --- /dev/null +++ b/third_party/heimdal/cf/wflags.m4 
@@ -0,0 +1,33 @@ +dnl $Id$ +dnl +dnl set WFLAGS + +AC_DEFUN([rk_WFLAGS],[ + +AC_ARG_ENABLE(developer, + AS_HELP_STRING([--enable-developer], [enable developer warnings])) +if test "X$enable_developer" = Xyes; then + dwflags="-Werror" +fi +AM_CONDITIONAL(DEVELOPER_MODE, test "X$enable_developer" = Xyes) + +WFLAGS_NOUNUSED="" +if test -z "$WFLAGS" -a "$GCC" = "yes"; then + # leave these out for now: + # -Wcast-align doesn't work well on alpha osf/1 + # -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast + # -Wmissing-declarations -Wnested-externs + # -Wstrict-overflow=5 + WFLAGS="ifelse($#, 0,-Wall, $1) $dwflags" + + # + # WFLAGS_LITE can be appended to WFLAGS to turn off a host of warnings + # that fail for various bits of older code in appl/. Let's not use it + # for the main libraries, though. + WFLAGS_LITE="-Wno-extra -Wno-missing-field-initializers -Wno-strict-aliasing -Wno-shadow" + # -Wno-unused-result (not supported on gcc-4.2) + +fi +AC_SUBST(WFLAGS)dnl +AC_SUBST(WFLAGS_LITE)dnl +]) diff --git a/third_party/heimdal/cf/win32.m4 b/third_party/heimdal/cf/win32.m4 new file mode 100644 index 0000000..5561ad9 --- /dev/null +++ b/third_party/heimdal/cf/win32.m4 @@ -0,0 +1,16 @@ +dnl $Id$ +dnl rk_WIN32_EXPORT buildsymbol symbol-that-export +AC_DEFUN([rk_WIN32_EXPORT],[AH_TOP([#ifdef $1 +#ifndef $2 +#ifdef _WIN32_ +#define $2_FUNCTION __declspec(dllexport) +#define $2_CALL __stdcall +#define $2_VARIABLE __declspec(dllexport) +#else +#define $2_FUNCTION +#define $2_CALL +#define $2_VARIABLE +#endif +#endif +#endif +])]) diff --git a/third_party/heimdal/cf/with-all.m4 b/third_party/heimdal/cf/with-all.m4 new file mode 100644 index 0000000..adfde1f --- /dev/null +++ b/third_party/heimdal/cf/with-all.m4 
@@ -0,0 +1,42 @@ +dnl +dnl $Id$ +dnl + +dnl AC_WITH_ALL(name) + +AC_DEFUN([AC_WITH_ALL], [ +AC_ARG_WITH($1, + AS_HELP_STRING([--with-$1=dir], + [use $1 in dir])) + +AC_ARG_WITH($1-lib, + AS_HELP_STRING([--with-$1-lib=dir], + [use $1 libraries in dir]), +[if test "$withval" = "yes" -o "$withval" = "no"; then + AC_MSG_ERROR([No argument for --with-$1-lib]) +elif test "X$with_$1" = "X"; then + with_$1=yes +fi]) + +AC_ARG_WITH($1-include, + AS_HELP_STRING([--with-$1-include=dir], + [use $1 headers in dir]), +[if test "$withval" = "yes" -o "$withval" = "no"; then + AC_MSG_ERROR([No argument for --with-$1-include]) +elif test "X$with_$1" = "X"; then + with_$1=yes +fi]) + +case "$with_$1" in +yes) ;; +no) ;; +"") ;; +*) if test "$with_$1_include" = ""; then + with_$1_include="$with_$1/include" + fi + if test "$with_$1_lib" = ""; then + with_$1_lib="$with_$1/lib$abilibdirext" + fi + ;; +esac +]) \ No newline at end of file diff --git a/third_party/heimdal/configure.ac b/third_party/heimdal/configure.ac new file mode 100644 index 0000000..8c0b746 --- /dev/null +++ b/third_party/heimdal/configure.ac 
@@ -0,0 +1,818 @@ +dnl Process this file with autoconf to produce a configure script. +AC_REVISION($Revision$) +AC_PREREQ(2.62) +test -z "$CFLAGS" && CFLAGS="-g" +AC_INIT([Heimdal],[7.99.1],[https://github.com/heimdal/heimdal/issues]) +AC_CONFIG_SRCDIR([kuser/kinit.c]) +AC_CONFIG_HEADERS(include/config.h) +AC_CONFIG_MACRO_DIR([cf]) + +AM_INIT_AUTOMAKE([foreign 1.11]) +AM_MAINTAINER_MODE + +LT_PREREQ([2.2]) +LT_INIT([shared static win32-dll]) + + +dnl Checks for programs. +AC_PROG_CC +AM_PROG_CC_C_O +AC_PROG_CPP +AM_PATH_PYTHON +AC_CHECK_PROG(CLANG_FORMAT, clang-format, [clang-format], [no]) +test "$CLANG_FORMAT" = no && CLANG_FORMAT=true + +m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) + +AC_PREFIX_DEFAULT(/usr/heimdal) + +test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' +test "$localstatedir" = '${prefix}/var' && localstatedir='/var/heimdal' + +AC_CANONICAL_HOST +CANONICAL_HOST=$host +AC_SUBST(CANONICAL_HOST) + +rk_SYS_LARGEFILE + +rk_AIX +rk_IRIX +rk_SUNOS + +dnl +dnl this is needed to run the configure tests against glibc +dnl +AC_DEFINE([_GNU_SOURCE], 1, + [Define to enable extensions on glibc-based systems such as Linux.]) + +AC_OBJEXT +AC_EXEEXT + +dnl +dnl this is needed when der-protos.h or der-private.h has to be generated +dnl +if ! test -f "$srcdir/lib/asn1/der-protos.h" || + ! test -f "$srcdir/lib/asn1/der-private.h"; then + AC_KRB_PROG_PERL + AC_KRB_PERL_MOD(Getopt::Std) + AC_KRB_PERL_MOD(File::Compare) + AC_KRB_PERL_MOD(JSON) +fi + +AC_KRB_PROG_YACC +dnl AC_PROG_YACC +AM_PROG_LEX +AS_IF([$LEX --nounput -V > /dev/null 2>&1 && test $? 
-eq 0], + [AC_SUBST([FLEXNOUNPUTARGS], ["--nounput"])], + [AC_SUBST([FLEXNOUNPUTARGS], [""])]) +dnl AC_PROG_RANLIB +AC_PROG_AWK +AC_KRB_PROG_LN_S + +AC_MIPS_ABI +CC="$CC $abi" +libdir="$libdir$abilibdirext" + +AC_C___ATTRIBUTE__ + +AM_CONDITIONAL(ENABLE_SHARED, test "$enable_shared" = "yes") +rk_VERSIONSCRIPT + +dnl Code coverage +AC_ARG_ENABLE([gcov], + AC_HELP_STRING([--enable-gcov], [enable gcov code coverage tool])) +AM_CONDITIONAL([ENABLE_GCOV], [test "x$enable_gcov" = xyes]) + + +dnl +dnl Helper bits for cross compiling +dnl + +AM_CONDITIONAL(CROSS_COMPILE, test "${cross_compiling}" = yes) + +AC_ARG_WITH(cross-tools, + AS_HELP_STRING([--with-cross-tools=dir], [use cross tools in dir]), + [if test "$withval" = "yes"; then + AC_MSG_ERROR([Need path to cross tools]) + fi + with_cross_tools="${with_cross_tools}/" + ]) + +if test "${cross_compiling}" != yes ; then + + ASN1_COMPILE="\$(top_builddir)/lib/asn1/asn1_compile\$(EXEEXT)" + SLC="\$(top_builddir)/lib/sl/slc" + + ASN1_COMPILE_DEP="\$(ASN1_COMPILE)" + SLC_DEP="\$(SLC)" +else + ASN1_COMPILE="${with_cross_tools}asn1_compile" + SLC="${with_cross_tools}slc" + + ASN1_COMPILE_DEP= + SLC_DEP= + + ac_cv_prog_COMPILE_ET=${with_cross_tools}compile_et + +fi + +AX_CHECK_COMPILE_FLAG([-Wno-error=enum-conversion], + [WFLAGS_ENUM_CONV=-Wno-error=enum-conversion], + [WFLAGS_ENUM_CONV=], [-Werror]) +AX_CHECK_COMPILE_FLAG([-Wno-unused-but-set-variable], + [WFLAGS_UNUSED_BUT_SET_VAR=-Wno-unused-but-set-variable], + [WFLAGS_UNUSED_BUT_SET_VAR=], [-Werror]) + +AC_SUBST([WFLAGS_ENUM_CONV]) +AC_SUBST([ASN1_COMPILE]) +AC_SUBST([ASN1_COMPILE_DEP]) +AC_SUBST([SLC]) +AC_SUBST([SLC_DEP]) + +dnl --- + +AC_DEFINE(HEIM_WEAK_CRYPTO, 1, [Define if you want support for weak crypto]) + +rk_TEST_PACKAGE(openldap, +[#include +#include ], +[-lldap -llber],,,OPENLDAP) +AM_CONDITIONAL(OPENLDAP, test "$with_openldap" != "no") + +AC_ARG_ENABLE(hdb-openldap-module, + AS_HELP_STRING([--enable-hdb-openldap-module], + [if you want support to build 
openldap hdb as shared object])) +if test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes; then + AC_DEFINE(OPENLDAP_MODULE, 1, [Define if you want support for hdb ldap module]) +fi +AM_CONDITIONAL(OPENLDAP_MODULE, test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes) + +AC_ARG_ENABLE(asn1-templating, + AS_HELP_STRING([--disable-asn1-templating], + [if you want disable to use of the ASN.1 templating compiler])) +AM_CONDITIONAL(ASN1_TEMPLATING, test "x$enable_asn1_templating" != xno) + +dnl +dnl Optional modules, pk-init, digest, kx509 +dnl + +AC_ARG_ENABLE(pk-init, + AS_HELP_STRING([--disable-pk-init], + [if you want disable to PK-INIT support])) +if test "$enable_pk_init" != no ;then + AC_DEFINE([PKINIT], 1, [Define to enable PKINIT.]) +fi +AM_CONDITIONAL(PKINIT, test "$enable_pk_init" != no) + +AC_ARG_ENABLE(digest, + AS_HELP_STRING([--disable-digest], + [if you want disable to DIGEST support])) +if test "$enable_digest" != no ;then + AC_DEFINE([DIGEST], 1, [Define to enable DIGEST.]) +fi + +AC_ARG_ENABLE(kx509, + AS_HELP_STRING([--disable-kx509], + [if you want disable to kx509 support])) +if test "$enable_kx509" != no ;then + AC_DEFINE([KX509], 1, [Define to enable kx509.]) +fi + +dnl Need to test if pkg-config exists +PKG_PROG_PKG_CONFIG + +dnl libcap-ng +AC_ARG_WITH([capng], + AC_HELP_STRING([--with-capng], [use libcap-ng to drop KDC privileges @<:@default=check@:>@]), + [], + [with_capng=check]) +if test "$with_capng" != "no"; then + PKG_CHECK_MODULES([CAPNG], [libcap-ng >= 0.4.0], + [with_capng=yes],[with_capng=no]) +fi +if test "$with_capng" = "yes"; then + AC_DEFINE_UNQUOTED([HAVE_CAPNG], 1, [whether capng is available for privilege reduction]) +fi +AM_CONDITIONAL([HAVE_CAPNG], [test "$with_capng" != "no"]) +AC_SUBST([CAPNG_CFLAGS]) +AC_SUBST([CAPNG_LIBS]) + +dnl libmicrohttpd +AC_ARG_WITH([microhttpd], + AC_HELP_STRING([--with-microhttpd], [use microhttpd to serve KDC REST API @<:@default=check@:>@]), + [], + 
[with_microhttpd=check]) +if test "$with_microhttpd" != "no"; then + PKG_CHECK_MODULES([MICROHTTPD], [libmicrohttpd >= 0.9.37], + [with_microhttpd=yes],[with_microhttpd=no]) +fi +if test "$with_microhttpd" = "yes"; then + AC_DEFINE_UNQUOTED([HAVE_MICROHTTPD], 1, [whether libmicrohttpd is available for KDC REST API]) +fi +AM_CONDITIONAL([HAVE_MICROHTTPD], [test "$with_microhttpd" != "no"]) +AC_SUBST([MICROHTTPD_CFLAGS]) +AC_SUBST([MICROHTTPD_LIBS]) + +dnl libcjwt +AC_ARG_WITH([cjwt], + AC_HELP_STRING([--with-cjwt], [(Experimental) use cjwt to validate JWT tokens @<:@default=check@:>@]), + [], + [with_cjwt=check]) +if test "$with_cjwt" != "no"; then + PKG_CHECK_MODULES([CJWT], [libcjwt >= 1.0.0], + [with_cjwt=yes],[with_cjwt=no]) +fi +if test "$with_cjwt" = "yes"; then + AC_DEFINE_UNQUOTED([HAVE_CJWT], 1, [whether libcjwt is available for KDC REST API]) +fi +AM_CONDITIONAL([HAVE_CJWT], [test "$with_cjwt" != "no"]) +AC_SUBST([CJWT_CFLAGS]) +AC_SUBST([CJWT_LIBS]) + +dnl libcjson +AC_ARG_WITH([cjson], + AC_HELP_STRING([--with-cjson], [(Experimental) use cJSON to extract private claims from JWT tokens @<:@default=check@:>@]), + [], + [with_cjson=check]) +if test "$with_cjson" != "no"; then + PKG_CHECK_MODULES([CJSON], [libcjson >= 1.0.0], + [with_cjson=yes],[with_cjson=no]) +fi +if test "$with_cjson" = "yes"; then + AC_DEFINE_UNQUOTED([HAVE_CJSON], 1, [whether libcjson is available for KDC REST API]) +fi +AM_CONDITIONAL([HAVE_CJSON], [test "$with_cjson" != "no"]) +AC_SUBST([CJSON_CFLAGS]) +AC_SUBST([CJSON_LIBS]) + +dnl Check for sqlite +rk_TEST_PACKAGE(sqlite3, +[#include +#ifndef SQLITE_OPEN_CREATE +#error "old version" +#endif], +[-lsqlite3],,,SQLITE3) + +if test "X$with_sqlite3" != Xyes ; then + INCLUDE_sqlite3="-I\$(top_srcdir)/lib/sqlite" + LIB_sqlite3="\$(top_builddir)/lib/sqlite/libheimsqlite.la" +fi +AM_CONDITIONAL(SQLITE3, test "X$with_sqlite3" = Xyes) + +AC_DEFINE(HAVE_SQLITE3, 1, [Define if you want support for sqlite in Heimdal.]) + 
+AC_ARG_ENABLE(sqlite-cache, + AS_HELP_STRING([--disable-sqlite-cache],[if you want support for cache in sqlite])) +if test "$enable_sqlite_cache" != no; then + AC_DEFINE(HAVE_SCC, 1, [Define if you want support for cache in sqlite.]) +fi +AM_CONDITIONAL(have_scc, test "$enable_sqlite_cache" != no) + + +dnl check for libintl +rk_TEST_PACKAGE(libintl, +[#include ], +[-lintl],,,LIBINTL) + +dnl path where the hdb directory is stored +AC_ARG_WITH([hdbdir], + [AS_HELP_STRING([--with-hdbdir],[Default location for KDC database @<:@default=/var/heimdal@:>@])], + [], + [with_hdbdir=/var/heimdal]) +DIR_hdbdir="$with_hdbdir" +AC_SUBST([DIR_hdbdir]) + + +AM_CONDITIONAL(KRB5, true) +AM_CONDITIONAL(do_roken_rename, true) + +AC_DEFINE(SUPPORT_INETD, 1, [Enable use of inetd style startup.])dnl + + +AC_DEFINE(KRB5, 1, [Enable Kerberos 5 support in applications.])dnl +AC_SUBST(LIB_kdb)dnl + +KRB_CRYPTO + +KRB_PTHREADS + +AC_ARG_ENABLE(dce, + AS_HELP_STRING([--enable-dce],[if you want support for DCE/DFS PAG's])) +if test "$enable_dce" = yes; then + AC_DEFINE(DCE, 1, [Define if you want support for DCE/DFS PAG's.]) +fi +AM_CONDITIONAL(DCE, test "$enable_dce" = yes) + +## XXX quite horrible: +if test -f /etc/ibmcxx.cfg; then + dpagaix_ldadd=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/libraries/{;s/^[[^=]]*=\(.*\)/\1/;s/,/ /gp;}'` + dpagaix_cflags=`sed -n '/^xlc_r4/,/^$/p' /etc/ibmcxx.cfg | sed -n -e '/options/{;s/^[[^=]]*=\(.*\)/\1/;s/-q[^,]*//;s/,/ /gp;}'` + dpagaix_ldflags= +else + dpagaix_cflags="-D_THREAD_SAFE -D_AIX_PTHREADS_D7 -D_AIX32_THREADS=1 -D_AES_SOURCE -D_AIX41 -I/usr/include/dce" + dpagaix_ldadd="-L/usr/lib/threads -ldcelibc_r -ldcepthreads -lpthreads_compat lpthreads -lc_r" + dpagaix_ldflags="-Wl,-bI:dfspag.exp" +fi +AC_SUBST(dpagaix_cflags) +AC_SUBST(dpagaix_ldadd) +AC_SUBST(dpagaix_ldflags) + +AC_ARG_ENABLE([afs-support], + AS_HELP_STRING([--disable-afs-support],[if you don't want support for AFS])) +if test "$enable_afs_support" = no; then + 
AC_DEFINE(NO_AFS, 1, [Define if you don't wan't support for AFS.]) + NO_AFS="1" +fi +AC_SUBST(NO_AFS)dnl +AM_CONDITIONAL(NO_AFS, test "$enable_afs_support" = no) + +rk_DB + +dnl AC_ROKEN(10,[/usr/heimdal /usr/athena],[lib/roken],[$(top_builddir)/lib/roken/libroken.la],[-I$(top_builddir)/lib/roken -I$(top_srcdir)/lib/roken]) + +rk_ROKEN(lib/roken) +LIBADD_roken="$LIB_roken" +AC_SUBST(LIBADD_roken)dnl +LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken" + +rk_OTP + +rk_LIBDISPATCH + +AC_CHECK_OSFC2 + +AC_ARG_ENABLE(mmap, + AS_HELP_STRING([--disable-mmap],[disable use of mmap])) +if test "$enable_mmap" = "no"; then + AC_DEFINE(NO_MMAP, 1, [Define if you don't want to use mmap.]) +fi + +AC_ARG_ENABLE(afs-string-to-key, + AS_HELP_STRING([--disable-afs-string-to-key], + [disable use of weak AFS string-to-key functions]), + [], [enable_afs_string_to_key=yes]) + +if test "$enable_afs_string_to_key" = "yes"; then + AC_DEFINE(ENABLE_AFS_STRING_TO_KEY, 1, [Define if want to use the weak AFS string to key functions.]) + ENABLE_AFS_STRING_TO_KEY=1 +fi +AC_SUBST(ENABLE_AFS_STRING_TO_KEY)dnl + + +rk_CHECK_MAN + +rk_TEST_PACKAGE(readline, +[#include +#if defined(HAVE_READLINE_READLINE_H) +#include +#elif defined(HAVE_READLINE_H) +#include +#endif +],-lreadline,,, READLINE,, [readline.h readline/readline.h]) + +rk_TEST_PACKAGE(libedit, +[#include +#if defined(HAVE_READLINE_READLINE_H) +#include +#elif defined(HAVE_READLINE_H) +#include +#elif defined(HAVE_EDITLINE_READLINE_H) +#include +#endif +],-ledit,,, READLINE,, [readline.h readline/readline.h editline/readline.h]) + +AC_CONFIG_SUBDIRS([lib/libedit]) + +KRB_C_BIGENDIAN +AC_C_INLINE + +dnl AM_C_PROTOTYPES + +dnl Checks for typedefs, structures, and compiler characteristics. +AC_C_CONST +AC_TYPE_OFF_T +AC_CHECK_TYPE_EXTRA(mode_t, unsigned short, []) +AC_CHECK_TYPE_EXTRA(sig_atomic_t, int, [#include ]) +AC_HAVE_TYPE([long long]) +AC_HEADER_TIME +AC_STRUCT_TM + +dnl Checks for header files. 
+AC_HEADER_STDC + +AC_CHECK_HEADERS([\ + CommonCrypto/CommonDigest.h \ + CommonCrypto/CommonCryptor.h \ + arpa/telnet.h \ + bind/bitypes.h \ + bsdsetjmp.h \ + curses.h \ + dlfcn.h \ + execinfo.h \ + fnmatch.h \ + inttypes.h \ + io.h \ + keyutils.h \ + libutil.h \ + limits.h \ + maillock.h \ + netgroup.h \ + netinet/in6_machtypes.h \ + netinet/tcp.h \ + pthread.h \ + pty.h \ + sac.h \ + sgtty.h \ + siad.h \ + signal.h \ + strings.h \ + stropts.h \ + stdatomic.h \ + sys/bitypes.h \ + sys/category.h \ + sys/file.h \ + sys/filio.h \ + sys/ioccom.h \ + sys/mman.h \ + sys/param.h \ + sys/pty.h \ + sys/ptyio.h \ + sys/select.h \ + sys/socket.h \ + sys/str_tty.h \ + sys/stream.h \ + sys/stropts.h \ + sys/syscall.h \ + sys/termio.h \ + sys/timeb.h \ + sys/times.h \ + sys/types.h \ + sys/un.h \ + locale.h \ + termcap.h \ + termio.h \ + termios.h \ + time.h \ + tmpdir.h \ + udb.h \ + util.h \ +]) + +dnl On Solaris 8 there's a compilation warning for term.h because +dnl it doesn't define `bool'. +AC_CHECK_HEADERS(term.h, , , -) + +dnl aix have asl.h (A/IX screen library) that we don't want +AC_CHECK_HEADERS(asl.h, , , [ +#include +#ifndef ASL_STRING_EMERG +#error ASL_STRING_EMERG missing +#endif]) + +AC_CHECK_HEADERS(net/if.h, , , [AC_INCLUDES_DEFAULT +#if HAVE_SYS_SOCKET_H +#include +#endif]) + +AC_CHECK_HEADERS(sys/ptyvar.h, , , [AC_INCLUDES_DEFAULT +#if HAVE_SYS_TTY_H +#include +#endif]) + +AC_CHECK_HEADERS(sys/strtty.h, , , [AC_INCLUDES_DEFAULT +#if HAVE_TERMIOS_H +#include +#endif +#if HAVE_SYS_STREAM_H +#include +#endif]) + +AC_CHECK_HEADERS(sys/ucred.h, , , [AC_INCLUDES_DEFAULT +#if HAVE_SYS_TYPES_H +#include +#endif +#if HAVE_SYS_PARAM_H +#include +#endif]) + +AC_CHECK_HEADERS(security/pam_modules.h, , , [AC_INCLUDES_DEFAULT +#include +]) + +dnl export symbols +rk_WIN32_EXPORT(BUILD_KRB5_LIB, KRB5_LIB) +rk_WIN32_EXPORT(BUILD_ROKEN_LIB, ROKEN_LIB) +rk_WIN32_EXPORT(BUILD_GSSAPI_LIB, GSSAPI_LIB) +rk_WIN32_EXPORT(BUILD_KDC_LIB, KDC_LIB) + +dnl Deal with switch FALLTHROUGH 
+AH_TOP([ +#if defined(__GNUC__) +#if __GNUC__ >= 7 +# define fallthrough __attribute__((fallthrough)) +#else +# define fallthrough do {} while (0) /* fallthrough */ +#endif +#else +# define fallthrough do {} while (0) /* fallthrough */ +#endif +]) + +dnl Checks for libraries. + +AC_FIND_FUNC_NO_LIBS(openpty, util,[ +#ifdef HAVE_UTIL_H +#include +#endif +],[0,0,0,0,0]) + +AC_FIND_FUNC_NO_LIBS(tgetent, termcap ncurses curses tinfo,[ +#ifdef HAVE_TERMCAP_H +#include +#endif +#ifdef HAVE_CURSES_H +#include +#endif +],[0,0]) + +dnl Checks for library functions. + +AC_CHECK_FUNCS([ \ + _scrsize \ + arc4random \ + backtrace \ + fcntl \ + fork \ + fseeko \ + ftello \ + getpeereid \ + getpeerucred \ + getresgid \ + getresuid \ + grantpt \ + ptsname_r \ + rand \ + setitimer \ + setregid \ + setresgid \ + setresuid \ + setreuid \ + setsid \ + sigaction \ + unlockpt \ + waitpid \ +]) + +AC_MSG_CHECKING([checking for __sync_add_and_fetch]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], + [[unsigned int foo, bar; bar = __sync_add_and_fetch(&foo, 1);]])], + [ac_rk_have___sync_add_and_fetch=yes], [ac_rk_have___sync_add_and_fetch=no]) +if test "$ac_rk_have___sync_add_and_fetch" = "yes" ; then + AC_DEFINE_UNQUOTED(HAVE___SYNC_ADD_AND_FETCH, 1, [have __sync_add_and_fetch]) +fi +AC_MSG_RESULT($ac_rk_have___sync_add_and_fetch) + +AC_FUNC_MMAP + +rk_DLADDR + +AC_CHECK_GETPWNAM_R_POSIX +AC_CHECK_GETPWUID_R_POSIX + +dnl detect doors on solaris +if test "$enable_pthread_support" != no; then + saved_LIBS="$LIBS" + LIBS="$LIBS $PTHREADS_LIBS" + AC_FIND_FUNC_NO_LIBS(door_create, door) + LIBS="$saved_LIBS" +fi + +AC_ARG_ENABLE(kcm, + AS_HELP_STRING([--enable-kcm],[enable Kerberos Credentials Manager]), +,[enable_kcm=yes]) + +if test "$enable_kcm" = yes ; then + if test "$ac_cv_header_sys_un_h" != yes -a "$ac_cv_funclib_door_create" != yes ; then + enable_kcm=no + fi +fi +if test "$enable_kcm" = yes; then + AC_DEFINE(HAVE_KCM, 1, + [Define if you want to use the Kerberos Credentials 
Manager.]) +fi +AM_CONDITIONAL(KCM, test "$enable_kcm" = yes) + +dnl detect keyring on Linux +if test "$ac_cv_header_keyutils_h" = yes; then + AC_CHECK_SIZEOF([key_serial_t],,[ + #ifdef HAVE_INTTYPES_H + #include + #endif + #ifdef HAVE_SYS_TYPES_H + #include + #endif + #include + ]) +fi + +AC_FIND_FUNC_NO_LIBS(add_key, keyutils) +if test -n "$LIB_add_key"; then + saved_LIBS="$LIBS" + LIBS="$LIBS $LIB_add_key" + AC_CHECK_FUNCS(keyctl_get_persistent) + LIBS="$saved_LIBS" +fi +AM_CONDITIONAL(HAVE_KEYUTILS, test "$ac_cv_func_keyctl_get_persistent" = yes) + +AC_CHECK_SIZEOF([time_t]) + +AX_CHECK_SIGN([time_t], + [ AC_DEFINE(TIME_T_SIGNED, 1, [Define if time_t is signed]) ], + [ AC_DEFINE(TIME_T_UNSIGNED, 1, [Define if time_t is unsigned]) ], [ +#ifdef HAVE_TIME_H +#include +#endif +]) + + +AC_CHECK_TYPES([int8_t, int16_t, int32_t, int64_t, + u_int8_t, u_int16_t, u_int32_t, u_int64_t, + uint8_t, uint16_t, uint32_t, uint64_t],,,[ +#ifdef HAVE_INTTYPES_H +#include +#endif +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_BITYPES_H +#include +#endif +#ifdef HAVE_BIND_BITYPES_H +#include +#endif +#ifdef HAVE_NETINET_IN6_MACHTYPES_H +#include +#endif +]) + +rk_FRAMEWORK_SECURITY +rk_FRAMEWORK_COREFOUNDATION + +KRB_READLINE + +rk_TELNET + +dnl Some operating systems already have com_err and compile_et +CHECK_COMPILE_ET + +rk_AUTH_MODULES([sia afskauthlib]) + +rk_DESTDIRS + +rk_WFLAGS([-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs]) + + +AH_BOTTOM([#ifdef __APPLE__ +#include +#endif]) + +AH_BOTTOM([#ifdef ROKEN_RENAME +#include "roken_rename.h" +#endif]) + +AC_ARG_ENABLE(heimdal-documentation, + AS_HELP_STRING([--disable-heimdal-documentation], + [if you want disable to heimdal documentation])) +AM_CONDITIONAL(HEIMDAL_DOCUMENTATION, test "$enable_heimdal_documentation" != no) + +AC_CONFIG_FILES(Makefile \ + etc/Makefile \ + include/Makefile \ + include/gssapi/Makefile \ + include/hcrypto/Makefile \ + 
include/kadm5/Makefile \ + lib/Makefile \ + lib/base/Makefile \ + lib/asn1/Makefile \ + lib/com_err/Makefile \ + lib/hcrypto/Makefile \ + lib/hx509/Makefile \ + lib/gssapi/Makefile \ + lib/ntlm/Makefile \ + lib/hdb/Makefile \ + lib/ipc/Makefile \ + lib/kadm5/Makefile \ + lib/kafs/Makefile \ + lib/kdfs/Makefile \ + lib/krb5/Makefile \ + lib/otp/Makefile \ + lib/roken/Makefile \ + lib/sl/Makefile \ + lib/sqlite/Makefile \ + lib/vers/Makefile \ + lib/wind/Makefile \ + lib/gss_preauth/Makefile \ + po/Makefile \ + kuser/Makefile \ + kpasswd/Makefile \ + kadmin/Makefile \ + admin/Makefile \ + kcm/Makefile \ + kdc/Makefile \ + appl/Makefile \ + appl/afsutil/Makefile \ + appl/dbutils/Makefile \ + appl/gssmask/Makefile \ + appl/otp/Makefile \ + appl/test/Makefile \ + appl/kf/Makefile \ + appl/dceutils/Makefile \ + tests/Makefile \ + tests/bin/Makefile \ + tests/can/Makefile \ + tests/db/Makefile \ + tests/kdc/Makefile \ + tests/ldap/Makefile \ + tests/gss/Makefile \ + tests/java/Makefile \ + tests/plugin/Makefile \ + packages/Makefile \ + packages/mac/Makefile \ + doc/Makefile \ + tools/Makefile \ +) + +AC_OUTPUT + +dnl +dnl This is the release version name-number[beta] +dnl + +if test -d "$srcdir/.git"; then + cat > include/newversion.h.in < include/newversion.h.in </dev/null || + # Linux + date -u -d "@${SOURCE_DATE_EPOCH}" 2>/dev/null || + # Illumos -- sorry, no -r/-d here + date -u || + date` + else + Date=`date -u "+%Y-%m-%dT%H:%M:%SZ"` + fi + if test -n "$SOURCE_HOST"; then + Host=$SOURCE_HOST + else + Host=`uname -n` + fi + if test -n "$SOURCE_USER"; then + User=$SOURCE_USER + else + User=${USER:-${LOGNAME:-`id -nu`}} + fi + if test -d "$srcdir/.git"; then + GitCommit=`cd $srcdir && git rev-parse HEAD` + GitBranch=`cd $srcdir && git rev-parse --abbrev-ref HEAD` + if test "x$GitBranch" = master; then + GitDesc=`cd $srcdir && git describe --all --dirty` + else + GitDesc=`cd $srcdir && \ + git describe --tags --match 'heimdal-*' --dirty` + fi + else + GitCommit='' + 
GitBranch='' + GitDesc='' + fi + mv -f include/newversion.h.in include/version.h.in + sed -e "s/@HOST@/$Host/" \ + -e "s;@USER@;$User;" \ + -e "s;@DATE@;$Date;" \ + -e "s;@BRANCH@;$GitBranch;" \ + -e "s;@TAG@;$GitDesc;" \ + -e "s;@COMMIT@;$GitCommit;" \ + include/version.h.in > include/version.h +fi diff --git a/third_party/heimdal/doc/Makefile.am b/third_party/heimdal/doc/Makefile.am new file mode 100644 index 0000000..ed95c30 --- /dev/null +++ b/third_party/heimdal/doc/Makefile.am 
@@ -0,0 +1,163 @@ +# $Id$ + +include $(top_srcdir)/Makefile.am.common + +AUTOMAKE_OPTIONS = no-texinfo.tex + +MAKEINFOFLAGS = --css-include=$(srcdir)/heimdal.css + +TEXI2DVI = true # ARGH, make distcheck can't be disabled to not build dvifiles + +info_TEXINFOS = heimdal.texi hx509.texi + +dxy_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \ + -e 's,[@]objdir[@],.,g' \ + -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' + +hcrypto.dxy: hcrypto.din Makefile + $(dxy_subst) < $(srcdir)/hcrypto.din > hcrypto.dxy.tmp + chmod +x hcrypto.dxy.tmp + mv hcrypto.dxy.tmp hcrypto.dxy + +hdb.dxy: hdb.din Makefile + $(dxy_subst) < $(srcdir)/hdb.din > hdb.dxy.tmp + chmod +x hdb.dxy.tmp + mv hdb.dxy.tmp hdb.dxy + +base.dxy: base.din Makefile + $(dxy_subst) < $(srcdir)/base.din > base.dxy.tmp + chmod +x base.dxy.tmp + mv base.dxy.tmp base.dxy + +hx509.dxy: hx509.din Makefile + $(dxy_subst) < $(srcdir)/hx509.din > hx509.dxy.tmp + chmod +x hx509.dxy.tmp + mv hx509.dxy.tmp hx509.dxy + +gssapi.dxy: gssapi.din Makefile + $(dxy_subst) < $(srcdir)/gssapi.din > gssapi.dxy.tmp + chmod +x gssapi.dxy.tmp + mv gssapi.dxy.tmp gssapi.dxy + +krb5.dxy: krb5.din Makefile + $(dxy_subst) < $(srcdir)/krb5.din > krb5.dxy.tmp + chmod +x krb5.dxy.tmp + mv krb5.dxy.tmp krb5.dxy + +ntlm.dxy: ntlm.din Makefile + $(dxy_subst) < $(srcdir)/ntlm.din > ntlm.dxy.tmp + chmod +x ntlm.dxy.tmp + mv ntlm.dxy.tmp ntlm.dxy + +wind.dxy: wind.din Makefile + $(dxy_subst) < $(srcdir)/wind.din > wind.dxy.tmp + chmod +x wind.dxy.tmp + mv wind.dxy.tmp wind.dxy + +texi_subst = sed -e 's,[@]dbdir[@],$(localstatedir),g' \ + -e 's,[@]dbtype[@],$(db_type),g' \ + -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' + +vars.texi: vars.tin Makefile + $(texi_subst) < $(srcdir)/vars.tin > vars.texi.tmp + chmod +x vars.texi.tmp + mv vars.texi.tmp vars.texi + +PROJECTS = base hdb hx509 gssapi krb5 ntlm wind + +PROJECTS += hcrypto + +doxyout doxygen: base.dxy hdb.dxy hx509.dxy hcrypto.dxy gssapi.dxy krb5.dxy ntlm.dxy wind.dxy + @test -d 
$(srcdir)/doxyout && \ + find $(srcdir)/doxyout -type d ! -perm -200 -exec chmod u+w {} ';' ; \ + rm -rf $(srcdir)/doxyout ; \ + mkdir $(srcdir)/doxyout ; \ + for a in $(PROJECTS) ; do \ + echo $$a ; \ + doxygen $$a.dxy; \ + (cd $(srcdir)/doxyout && \ + find $$a/man -name '_*' -type f -print | \ + perl -lne unlink && \ + find $$a/html -name 'dir_*.html' -type f -print | \ + perl -lne unlink && \ + find $$a/man -type f > $$a/manpages ) ; \ + done + +install-data-hook: install-doxygen-manpage +uninstall-hook: uninstall-doxygen-manpage +dist-hook: doxygen + +install-doxygen-manpage: + for a in $(PROJECTS) ; do \ + f="$(srcdir)/doxyout/$$a/manpages" ; \ + test -f $$f || continue ; \ + echo "install $$a manual pages $$(wc -l < $$f)" ; \ + while read x ; do \ + section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \ + $(mkinstalldirs) "$(DESTDIR)$(mandir)/man$$section" ; \ + $(INSTALL_DATA) $(srcdir)/doxyout/$$x "$(DESTDIR)$(mandir)/man$$section" ; \ + done < $$f ; \ + done ; exit 0 + +uninstall-doxygen-manpage: + @for a in $(PROJECTS) ; do \ + f="$(srcdir)/doxyout/$$a/manpages" ; \ + test -f $$f || continue ; \ + echo "removing $$a manual pages" ; \ + while read x ; do \ + section=`echo "$$x" | sed 's/.*\.\([0-9]\)/\1/'` ; \ + base=`basename $$x` ; \ + rm "$(DESTDIR)$(mandir)/man$$section/$$base" ; \ + done < $$f ; \ + done + + +heimdal_TEXINFOS = \ + ack.texi \ + apps.texi \ + copyright.texi \ + heimdal.texi \ + install.texi \ + intro.texi \ + kerberos4.texi \ + migration.texi \ + misc.texi \ + programming.texi \ + setup.texi \ + vars.texi \ + whatis.texi \ + win2k.texi + +EXTRA_DIST = \ + NTMakefile \ + doxyout \ + footer.html \ + gssapi.din \ + hdb.din \ + hcrypto.din \ + header.html \ + heimdal.css \ + base.din \ + hx509.din \ + krb5.din \ + ntlm.din \ + init-creds \ + latin1.tex \ + layman.asc \ + doxytmpl.dxy \ + wind.din \ + base.hhp \ + heimdal.hhp \ + hx509.hhp \ + vars.tin + +CLEANFILES = \ + hcrypto.dxy* \ + base.dxy* \ + hx509.dxy* \ + hdb.dxy* \ + gssapi.dxy* 
\ + krb5.dxy* \ + ntlm.dxy* \ + wind.dxy* \ + vars.texi* diff --git a/third_party/heimdal/doc/NTMakefile b/third_party/heimdal/doc/NTMakefile new file mode 100644 index 0000000..0299620 --- /dev/null +++ b/third_party/heimdal/doc/NTMakefile 
@@ -0,0 +1,126 @@ +######################################################################## +# +# Copyright (c) 2009, Secure Endpoints Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# - Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# - Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. 
+# + +RELDIR=doc + +!include ../windows/NTMakefile.w32 + +heimdal_TEXINFOS = \ + $(OBJ)\ack.texi \ + $(OBJ)\apps.texi \ + $(OBJ)\copyright.texi \ + $(OBJ)\heimdal.texi \ + $(OBJ)\install.texi \ + $(OBJ)\intro.texi \ + $(OBJ)\kerberos4.texi \ + $(OBJ)\migration.texi \ + $(OBJ)\misc.texi \ + $(OBJ)\programming.texi \ + $(OBJ)\setup.texi \ + $(OBJ)\vars.texi \ + $(OBJ)\whatis.texi \ + $(OBJ)\win2k.texi + +hx509_TEXINFOS = \ + $(OBJ)\hx509.texi + +{}.texi{$(OBJ)}.texi: + $(CP) $** $@ + +{}.tin{$(OBJ)}.texi: + $(SED) -e "s,[@]dbdir[@],x,g" \ + -e "s,[@]dbtype[@],sqlite,g" < $** > $@ \ + -e "s,[@]PACKAGE_VERSION[@],$(VER_PACKAGE_VERSION),g" < $** > $@ + +MAKEINFOFLAGS = --css-include=$(SRCDIR)/heimdal.css + +!ifdef APPVEYOR +MAKEINFO = $(PERL) C:\msys64\usr\bin\makeinfo +!endif + +###################################################################### +# Build heimdal.chm + +# Copyrights-and-Licenses.html is where the table of contents ends up +# when generating HTML output using makeinfo. Same goes for +# How-to-use-the-PKCS11-module.html below. 
+ +$(OBJ)\heimdal\index.html $(OBJ)\heimdal\Copyrights-and-Licenses.html: $(heimdal_TEXINFOS) + cd $(OBJ) + $(MAKEINFO) $(MAKEINFOFLAGS) --html heimdal.texi + -$(MKDIR) heimdal + cd $(SRCDIR) + +$(OBJ)\heimdal\toc.hhc: $(OBJ)\heimdal\Copyrights-and-Licenses.html + $(PERL) $(SRC)\cf\w32-hh-toc-from-info.pl -o$@ $** + +$(OBJ)\heimdal\heimdal.hhp: heimdal.hhp + $(CP) $** $@ + +$(DOCDIR)\heimdal.chm: $(OBJ)\heimdal\heimdal.hhp $(OBJ)\heimdal\toc.hhc + cd $(OBJ)\heimdal + -$(HHC) heimdal.hhp + $(CP) heimdal.chm $@ + cd $(SRCDIR) + +###################################################################### +# Build hx509.chm + +$(OBJ)\hx509\index.html $(OBJ)\hx509\How-to-use-the-PKCS11-module.html: $(hx509_TEXINFOS) + cd $(OBJ) + $(MAKEINFO) $(MAKEINFOFLAGS) --html hx509.texi + -$(MKDIR) hx509 + cd $(SRCDIR) + +$(OBJ)\hx509\toc.hhc: $(OBJ)\hx509\How-to-use-the-PKCS11-module.html + $(PERL) $(SRC)\cf\w32-hh-toc-from-info.pl -o$@ $** + +$(OBJ)\hx509\hx509.hhp: hx509.hhp + $(CP) $** $@ + +$(DOCDIR)\hx509.chm: $(OBJ)\hx509\hx509.hhp $(OBJ)\hx509\toc.hhc + cd $(OBJ)\hx509 + -$(HHC) hx509.hhp + $(CP) hx509.chm $@ + cd $(SRCDIR) + +!ifndef NO_DOC +all:: $(OBJ)\heimdal\index.html $(OBJ)\hx509\index.html \ + $(DOCDIR)\heimdal.chm $(DOCDIR)\hx509.chm +!endif + +clean:: + -$(RM) $(OBJ)\heimdal\*.* + -$(RM) $(OBJ)\hx509\*.* + -$(RM) $(DOCDIR)\heimdal.chm + -$(RM) $(DOCDIR)\hx509.chm + +.SUFFIXES: .texi .tin diff --git a/third_party/heimdal/doc/ack.texi b/third_party/heimdal/doc/ack.texi new file mode 100644 index 0000000..89b83c1 --- /dev/null +++ b/third_party/heimdal/doc/ack.texi 
@@ -0,0 +1,124 @@ +@node Acknowledgments, Copyrights and Licenses, Migration, Top +@comment node-name, next, previous, up +@appendix Acknowledgments + +Eric Young wrote ``libdes''. Heimdal used to use libdes, without it +kth-krb would never have existed. Since there are no longer any Eric +Young code left in the library, we renamed it to libhcrypto. + +All functions in libhcrypto have been re-implemented or used available +public domain code. The core AES function where written by Vincent +Rijmen, Antoon Bosselaers and Paulo Barreto. The core DES SBOX +transformation was written by Richard Outerbridge. @code{imath} that +is used for public key crypto support is written by Michael +J. Fromberger. + +The University of California at Berkeley initially wrote @code{telnet}, +and @code{telnetd}. The authentication and encryption code of +@code{telnet} and @code{telnetd} was added by David Borman (then of Cray +Research, Inc). The encryption code was removed when this was exported +and then added back by Juha Eskelinen. + +The @code{popper} was also a Berkeley program initially. + +Some of the functions in @file{libroken} also come from Berkeley by way +of NetBSD/FreeBSD. + +@code{editline} was written by Simmule Turner and Rich Salz. Heimdal +contains a modifed copy. + +The @code{getifaddrs} implementation for Linux was written by Hideaki +YOSHIFUJI for the Usagi project. + +The @code{pkcs11.h} headerfile was written by the Scute project. + +Bugfixes, documentation, encouragement, and code has been contributed by: +@table @asis +@item Alexander Boström +@item Allan McRae +@item Andrew Bartlett +@item Andrew Cobaugh +@item Andrew Tridge +@item Anton Lundin +@item Asanka Herath +@item Björn Grönvall +@item Björn Sandell +@item Björn Schlögl +@item Brandon S. 
Allbery KF8NH +@item Brian A May +@item Buck Huppmann +@item Cacdric Schieli +@item Chaskiel M Grundman +@item Christos Zoulas +@item Cizzi Storm +@item Daniel Kouril +@item David Love +@item David Markey +@item David R Boldt +@item Derrick J Brashear +@item Donald Norwood +@item Douglas E Engert +@item Frank van der Linden +@item Gabor Gombas +@item Guido Günther +@item Guillaume Rousse +@item Harald Barth +@item Ingo Schwarze +@item Jacques A. Vidrine +@item Jaideep Padhye +@item Jan Rekorajski +@item Jason McIntyre +@item Jeffrey Altman +@item Jelmer Vernooij +@item Joerg Pulz +@item Johan Danielsson +@item Johan Gadsjö +@item Johan Ihrén +@item John Center +@item Julian Ospald +@item Jun-ichiro itojun Hagino +@item KAMADA Ken'ichi +@item Kamen Mazdrashki +@item Karolin Seeger +@item Ken Hornstein +@item Love Hörnquist Åstrand +@item Luke Howard +@item Magnus Ahltorp +@item Magnus Holmberg +@item Marc Horowitz +@item Mario Strasser +@item Mark Eichin +@item Martin von Gagern +@item Matthias Dieter Wallnöfer +@item Matthieu Patou +@item Mattias Amnefelt +@item Michael B Allen +@item Michael Fromberger +@item Michal Vocu +@item Milosz Kmieciak +@item Miroslav Ruda +@item Mustafa A. Hashmi +@item Nicolas Williams +@item Patrik Lundin +@item Petr Holub +@item Phil Fisher +@item Rafal Malinowski +@item Ragnar Sundblad +@item Rainer Toebbicke +@item Richard Nyberg +@item Roland C. Dowdeswell +@item Roman Divacky +@item Russ Allbery +@item Sho Hosoda, 細田 将 +@item Simon Wilkinson +@item Stefan Metzmacher +@item Ted Percival +@item Timothy Pearson +@item Tom Payerle +@item Victor Guerra +@item Zeqing Xia +@item Åke Sandgren +@item and we hope that those not mentioned here will forgive us. +@end table + +All bugs were introduced by ourselves. diff --git a/third_party/heimdal/doc/apps.texi b/third_party/heimdal/doc/apps.texi new file mode 100644 index 0000000..98585c4 --- /dev/null +++ b/third_party/heimdal/doc/apps.texi 
@@ -0,0 +1,270 @@ +@c $Id$ + +@node Applications, Things in search for a better place, Setting up a realm, Top + +@chapter Applications + +@menu +* Authentication modules:: +* AFS:: +@end menu + +@node Authentication modules, AFS, Applications, Applications +@section Authentication modules + +The problem of having different authentication mechanisms has been +recognised by several vendors, and several solutions have appeared. In +most cases these solutions involve some kind of shared modules that are +loaded at run-time. Modules for some of these systems can be found in +@file{lib/auth}. Presently there are modules for Digital's SIA, +and IRIX' @code{login} and @code{xdm} (in +@file{lib/auth/afskauthlib}). + +@menu +* Digital SIA:: +* IRIX:: +@end menu + +@node Digital SIA, IRIX, Authentication modules, Authentication modules +@subsection Digital SIA + +How to install the SIA module depends on which OS version you're +running. Tru64 5.0 has a new command, @file{siacfg}, which makes this +process quite simple. If you have this program, you should just be able +to run: +@example +siacfg -a KRB5 /usr/athena/lib/libsia_krb5.so +@end example + +On older versions, or if you want to do it by hand, you have to do the +following (not tested by us on Tru64 5.0): + +@itemize @bullet + +@item +Make sure @file{libsia_krb5.so} is available in +@file{/usr/athena/lib}. If @file{/usr/athena} is not on local disk, you +might want to put it in @file{/usr/shlib} or someplace else. If you do, +you'll have to edit @file{krb5_matrix.conf} to reflect the new location +(you will also have to do this if you installed in some other directory +than @file{/usr/athena}). If you built with shared libraries, you will +have to copy the shared @file{libkrb.so}, @file{libdes.so}, +@file{libkadm.so}, and @file{libkafs.so} to a place where the loader can +find them (such as @file{/usr/shlib}). +@item +Copy (your possibly edited) @file{krb5_matrix.conf} to @file{/etc/sia}. 
+@item +Apply @file{security.patch} to @file{/sbin/init.d/security}. +@item +Turn on KRB5 security by issuing @kbd{rcmgr set SECURITY KRB5} and +@kbd{rcmgr set KRB5_MATRIX_CONF krb5_matrix.conf}. +@item +Digital thinks you should reboot your machine, but that really shouldn't +be necessary. It's usually sufficient just to run +@kbd{/sbin/init.d/security start} (and restart any applications that use +SIA, like @code{xdm}.) +@end itemize + +Users with local passwords (like @samp{root}) should be able to login +safely. + +When using Digital's xdm the @samp{KRB5CCNAME} environment variable isn't +passed along as it should (since xdm zaps the environment). Instead you +have to set @samp{KRB5CCNAME} to the correct value in +@file{/usr/lib/X11/xdm/Xsession}. Add a line similar to +@example +KRB5CCNAME=FILE:/tmp/krb5cc`id -u`_`ps -o ppid= -p $$`; export KRB5CCNAME +@end example +If you use CDE, @code{dtlogin} allows you to specify which additional +environment variables it should export. To add @samp{KRB5CCNAME} to this +list, edit @file{/usr/dt/config/Xconfig}, and look for the definition of +@samp{exportList}. You want to add something like: +@example +Dtlogin.exportList: KRB5CCNAME +@end example + +@subsubheading Notes to users with Enhanced security + +Digital's @samp{ENHANCED} (C2) security, and Kerberos solve two +different problems. C2 deals with local security, adds better control of +who can do what, auditing, and similar things. Kerberos deals with +network security. + +To make C2 security work with Kerberos you will have to do the +following. + +@itemize @bullet +@item +Replace all occurrences of @file{krb5_matrix.conf} with +@file{krb5+c2_matrix.conf} in the directions above. +@item +You must enable ``vouching'' in the @samp{default} database. This will +make the OSFC2 module trust other SIA modules, so you can login without +giving your C2 password. 
To do this use @samp{edauth} to edit the +default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a +@samp{d_accept_alternate_vouching} capability, if not already present. +@item +For each user who does @emph{not} have a local C2 password, you should +set the password expiration field to zero. You can do this for each +user, or in the @samp{default} table. To do this use @samp{edauth} to +set (or change) the @samp{u_exp} capability to @samp{u_exp#0}. +@item +You also need to be aware that the shipped @file{login}, @file{rcp}, and +@file{rshd}, don't do any particular C2 magic (such as checking for +various forms of disabled accounts), so if you rely on those features, +you shouldn't use those programs. If you configure with +@samp{--enable-osfc2}, these programs will, however, set the login +UID. Still: use at your own risk. +@end itemize + +At present @samp{su} does not accept the vouching flag, so it will not +work as expected. + +Also, kerberised ftp will not work with C2 passwords. You can solve this +by using both Digital's ftpd and our on different ports. + +@strong{Remember}, if you do these changes you will get a system that +most certainly does @emph{not} fulfil the requirements of a C2 +system. If C2 is what you want, for instance if someone else is forcing +you to use it, you're out of luck. If you use enhanced security because +you want a system that is more secure than it would otherwise be, you +probably got an even more secure system. Passwords will not be sent in +the clear, for instance. + +@node IRIX, , Digital SIA, Authentication modules +@subsection IRIX + +The IRIX support is a module that is compatible with Transarc's +@file{afskauthlib.so}. It should work with all programs that use this +library. This should include @command{login} and @command{xdm}. 
+ +The interface is not very documented but it seems that you have to copy +@file{libkafs.so}, @file{libkrb.so}, and @file{libdes.so} to +@file{/usr/lib}, or build your @file{afskauthlib.so} statically. + +The @file{afskauthlib.so} itself is able to reside in +@file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory +(wherever that is). + +IRIX 6.4 and newer seem to have all programs (including @command{xdm} and +@command{login}) in the N32 object format, whereas in older versions they +were O32. For it to work, the @file{afskauthlib.so} library has to be in +the same object format as the program that tries to load it. This might +require that you have to configure and build for O32 in addition to the +default N32. + +Apart from this it should ``just work''; there are no configuration +files. + +Note that recent Irix 6.5 versions (at least 6.5.22) have PAM, +including a @file{pam_krb5.so} module. Not all relevant programs use +PAM, though, e.g.@: @command{ssh}. In particular, for console +graphical login you need to turn off @samp{visuallogin} and turn on +@samp{xdm} with @command{chkconfig}. + +@node AFS, , Authentication modules, Applications +@section AFS + +@cindex AFS +AFS is a distributed filesystem that uses Kerberos for authentication. + +@cindex OpenAFS +@cindex Arla +For more information about AFS see OpenAFS +@url{http://www.openafs.org/} and Arla +@url{http://www.stacken.kth.se/projekt/arla/}. + +@subsection kafs and afslog +@cindex afslog + +@manpage{afslog,1} will obtains AFS tokens for a number of cells. What cells to get +tokens for can either be specified as an explicit list, as file paths to +get tokens for, or be left unspecified, in which case will use whatever +magic @manpage{kafs,3} decides upon. 
+ +If not told what cell to get credentials for, @manpage{kafs,3} will +search for the files ThisCell and TheseCells in the locations +specified in @manpage{kafs,3} and try to get tokens for these cells +and the cells specified in $HOME/.TheseCells. + +More usefully it will look at and ~/.TheseCells in your home directory +and for each line which is a cell get afs token for these cells. + +The TheseCells file defines the the cells to which applications on the +local client machine should try to aquire tokens for. It must reside in +the directories searched by @manpage{kafs,3} on every AFS client machine. + +The file is in ASCII format and contains one character string, the cell +name, per line. Cell names are case sensitive, but most cell names +are lower case. + +See manpage for @manpage{kafs,3} for search locations of ThisCell and TheseCells. + +@subsection How to get a KeyFile + +@file{ktutil -k AFSKEYFILE:KeyFile get afs@@MY.REALM} + +or you can extract it with kadmin + +@example +kadmin> ext -k AFSKEYFILE:/usr/afs/etc/KeyFile afs@@My.CELL.NAME +@end example + +You have to make sure you have a @code{des-cbc-md5} encryption type since that +is the enctype that will be converted. + +@subsection How to convert a srvtab to a KeyFile + +You need a @file{/usr/vice/etc/ThisCell} containing the cellname of your +AFS-cell. + +@file{ktutil copy krb4:/root/afs-srvtab AFSKEYFILE:/usr/afs/etc/KeyFile}. + +If keyfile already exists, this will add the new key in afs-srvtab to +KeyFile. + +@section Using 2b tokens with AFS + +@subsection What is 2b ? + +2b is the name of the proposal that was implemented to give basic +Kerberos 5 support to AFS in rxkad. It's not real Kerberos 5 support +since it still uses fcrypt for data encryption and not Kerberos +encryption types. 
+ +Its only possible (in all cases) to do this for DES encryption types +because only then the token (the AFS equivalent of a ticket) will be +smaller than the maximum size that can fit in the token cache in the +OpenAFS/Transarc client. It is a so tight fit that some extra wrapping +on the ASN1/DER encoding is removed from the Kerberos ticket. + +2b uses a Kerberos 5 EncTicketPart instead of a Kerberos 4 ditto for +the part of the ticket that is encrypted with the service's key. The +client doesn't know what's inside the encrypted data so to the client +it doesn't matter. + +To differentiate between Kerberos 4 tickets and Kerberos 5 tickets, 2b +uses a special kvno, 213 for 2b tokens and 255 for Kerberos 5 tokens. + +Its a requirement that all AFS servers that support 2b also support +native Kerberos 5 in rxkad. + +@subsection Configuring a Heimdal kdc to use 2b tokens + +Support for 2b tokens in the kdc are turned on for specific principals +by adding them to the string list option @code{[kdc]use_2b} in the +kdc's @file{krb5.conf} file. + +@example +[kdc] + use_2b = @{ + afs@@SU.SE = yes + afs/it.su.se@@SU.SE = yes + @} +@end example + +@subsection Configuring AFS clients for 2b support + +There is no need to configure AFS clients for 2b support. The only +software that needs to be installed/upgrade is a Kerberos 5 enabled +@file{afslog}. diff --git a/third_party/heimdal/doc/base.din b/third_party/heimdal/doc/base.din new file mode 100644 index 0000000..3ef6d40 --- /dev/null +++ b/third_party/heimdal/doc/base.din @@ -0,0 +1,15 @@ +# Doxyfile 1.5.3 + +PROJECT_NAME = Heimdal base library +PROJECT_NUMBER = @PACKAGE_VERSION@ +OUTPUT_DIRECTORY = @srcdir@/doxyout/base +INPUT = @srcdir@/../lib/base + +WARN_IF_UNDOCUMENTED = YES + +PERL_PATH = /usr/bin/perl + +HTML_HEADER = "@srcdir@/header.html" +HTML_FOOTER = "@srcdir@/footer.html" + +@INCLUDE = "@srcdir@/doxytmpl.dxy" 
diff --git a/third_party/heimdal/doc/base.hhp b/third_party/heimdal/doc/base.hhp new file mode 100644 index 0000000..e1a3d3c --- /dev/null +++ b/third_party/heimdal/doc/base.hhp @@ -0,0 +1,8 @@ +[OPTIONS] +Compatibility=1.1 or later +Compiled file=heimbase.chm +Contents file=toc.hhc +Default topic=index.html +Display compile progress=No +Language=0x409 English (United States) +Title=Heimdal Base diff --git a/third_party/heimdal/doc/copyright.texi b/third_party/heimdal/doc/copyright.texi new file mode 100644 index 0000000..d9f1a8c --- /dev/null +++ b/third_party/heimdal/doc/copyright.texi 
@@ -0,0 +1,521 @@ + +@macro copynext{} +@vskip 20pt plus 1fil +@end macro + +@macro copyrightstart{} +@end macro + +@macro copyrightend{} +@end macro + + +@node Copyrights and Licenses, , Acknowledgments, Top +@comment node-name, next, previous, up +@appendix Copyrights and Licenses + +@heading Kungliga Tekniska Högskolan + +@copyrightstart +@verbatim + +Copyright (c) 1997-2011 Kungliga Tekniska Högskolan +(Royal Institute of Technology, Stockholm, Sweden). +All rights reserved. + +Portions Copyright (c) 2009 Apple Inc. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. 
+ +@end verbatim +@copynext + +@heading Massachusetts Institute of Technology + +The parts of the libtelnet that handle Kerberos. + +@verbatim + +Copyright (C) 1990 by the Massachusetts Institute of Technology + +Export of this software from the United States of America may +require a specific license from the United States Government. +It is the responsibility of any person or organization contemplating +export to obtain such a license before exporting. + +WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +distribute this software and its documentation for any purpose and +without fee is hereby granted, provided that the above copyright +notice appear in all copies and that both that copyright notice and +this permission notice appear in supporting documentation, and that +the name of M.I.T. not be used in advertising or publicity pertaining +to distribution of the software without specific, written prior +permission. M.I.T. makes no representations about the suitability of +this software for any purpose. It is provided "as is" without express +or implied warranty. + +@end verbatim +@copynext + +@heading The Regents of the University of California + +The parts of the libroken, most of libtelnet, telnet, ftp, +and popper. + +@verbatim + +Copyright (c) 1988, 1990, 1993 + The Regents of the University of California. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. 
Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +@end verbatim +@copynext + +@heading The Regents of the University of California. + +libedit + +@verbatim + +Copyright (c) 1992, 1993 + The Regents of the University of California. All rights reserved. + +This code is derived from software contributed to Berkeley by +Christos Zoulas of Cornell University. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. 
+ +THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +@end verbatim +@copynext + +@heading TomsFastMath / LibTomMath + +Tom's fast math (bignum support) and LibTomMath + +@verbatim + +LibTomMath is hereby released into the Public Domain. + +@end verbatim + +@copynext + +@heading Doug Rabson + +GSS-API mechglue layer. + +@verbatim + +Copyright (c) 2005 Doug Rabson +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +@end verbatim +@copynext + +@heading PADL Software Pty Ltd + +@table @asis +@item GSS-API CFX, SPNEGO, naming extensions, API extensions. +@item KCM credential cache. +@item HDB LDAP backend. +@end table + +@verbatim + +Copyright (c) 2003-2011, PADL Software Pty Ltd. +Copyright (c) 2004, Andrew Bartlett. +Copyright (c) 2003 - 2008, Kungliga Tekniska Högskolan +Copyright (c) 2015, Timothy Pearson. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. Neither the name of PADL Software nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +@end verbatim +@copynext + +@heading Marko Kreen + +Fortuna in libhcrypto + +@verbatim + +Copyright (c) 2005 Marko Kreen +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. 
+ +@end verbatim +@copynext + +@heading NTT (Nippon Telegraph and Telephone Corporation) + +Camellia in libhcrypto + +@verbatim + +Copyright (c) 2006,2007 +NTT (Nippon Telegraph and Telephone Corporation) . All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer as + the first lines of this file unmodified. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY NTT ``AS IS'' AND ANY EXPRESS OR +IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +@end verbatim +@copynext + +@heading The NetBSD Foundation, Inc. + +vis.c in libroken + +@verbatim + +Copyright (c) 1999, 2005 The NetBSD Foundation, Inc. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +@end verbatim +@copynext + +@heading Vincent Rijmen, Antoon Bosselaers, Paulo Barreto + +AES in libhcrypto + +@verbatim + +rijndael-alg-fst.c + +@version 3.0 (December 2000) + +Optimised ANSI C code for the Rijndael cipher (now AES) + +@author Vincent Rijmen +@author Antoon Bosselaers +@author Paulo Barreto + +This code is hereby placed in the public domain. + +THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS +OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +@end verbatim +@copynext + +@heading Apple, Inc + +kdc/announce.c + +@verbatim + +Copyright (c) 2008 Apple Inc. All Rights Reserved. + +Export of this software from the United States of America may require +a specific license from the United States Government. It is the +responsibility of any person or organization contemplating export to +obtain such a license before exporting. + +WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +distribute this software and its documentation for any purpose and +without fee is hereby granted, provided that the above copyright +notice appear in all copies and that both that copyright notice and +this permission notice appear in supporting documentation, and that +the name of Apple Inc. not be used in advertising or publicity pertaining +to distribution of the software without specific, written prior +permission. Apple Inc. makes no representations about the suitability of +this software for any purpose. It is provided "as is" without express +or implied warranty. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR +IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED +WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +@end verbatim + +@copynext + +@heading Richard Outerbridge + +DES core in libhcrypto + +@verbatim + +D3DES (V5.09) - + +A portable, public domain, version of the Data Encryption Standard. 
+ +Written with Symantec's THINK (Lightspeed) C by Richard Outerbridge. +Thanks to: Dan Hoey for his excellent Initial and Inverse permutation +code; Jim Gillogly & Phil Karn for the DES key schedule code; Dennis +Ferguson, Eric Young and Dana How for comparing notes; and Ray Lau, +for humouring me on. + +Copyright (c) 1988,1989,1990,1991,1992 by Richard Outerbridge. +(GEnie : OUTER; CIS : [71755,204]) Graven Imagery, 1992. + + +@end verbatim + +@copynext + +@heading Secure Endpoints Inc + +Windows support + +@verbatim + +Copyright (c) 2009-2015, Secure Endpoints Inc. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +- Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +- Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +OF THE POSSIBILITY OF SUCH DAMAGE. + +@end verbatim + +@copynext + +@heading Novell, Inc + +lib/hcrypto/test_dh.c + +@verbatim + +Copyright (c) 2007, Novell, Inc. 
+Author: Matthias Koenig + +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the Novell nor the names of its contributors may be used + to endorse or promote products derived from this software without specific + prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + + +@end verbatim + +@copyrightend diff --git a/third_party/heimdal/doc/doxytmpl.dxy b/third_party/heimdal/doc/doxytmpl.dxy new file mode 100644 index 0000000..1faab2f --- /dev/null +++ b/third_party/heimdal/doc/doxytmpl.dxy 
@@ -0,0 +1,248 @@ +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- +DOXYFILE_ENCODING = UTF-8 +CREATE_SUBDIRS = NO +OUTPUT_LANGUAGE = English +BRIEF_MEMBER_DESC = YES +REPEAT_BRIEF = YES +ABBREVIATE_BRIEF = "The $name class " \ + "The $name widget " \ + "The $name file " \ + is \ + provides \ + specifies \ + contains \ + represents \ + a \ + an \ + the +ALWAYS_DETAILED_SEC = NO +INLINE_INHERITED_MEMB = NO +FULL_PATH_NAMES = YES +STRIP_FROM_PATH = /Applications/ +STRIP_FROM_INC_PATH = +SHORT_NAMES = NO +JAVADOC_AUTOBRIEF = NO +QT_AUTOBRIEF = NO +MULTILINE_CPP_IS_BRIEF = NO +INHERIT_DOCS = YES +SEPARATE_MEMBER_PAGES = NO +TAB_SIZE = 8 +ALIASES = +OPTIMIZE_OUTPUT_FOR_C = YES +OPTIMIZE_OUTPUT_JAVA = NO +BUILTIN_STL_SUPPORT = NO +CPP_CLI_SUPPORT = NO +DISTRIBUTE_GROUP_DOC = NO +SUBGROUPING = YES +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- +EXTRACT_ALL = NO +EXTRACT_PRIVATE = NO +EXTRACT_STATIC = NO +EXTRACT_LOCAL_CLASSES = YES +EXTRACT_LOCAL_METHODS = NO +EXTRACT_ANON_NSPACES = NO +HIDE_UNDOC_MEMBERS = YES +HIDE_UNDOC_CLASSES = YES +HIDE_FRIEND_COMPOUNDS = NO +HIDE_IN_BODY_DOCS = NO +INTERNAL_DOCS = NO +CASE_SENSE_NAMES = NO +HIDE_SCOPE_NAMES = NO +SHOW_INCLUDE_FILES = YES +INLINE_INFO = YES +SORT_MEMBER_DOCS = YES +SORT_BRIEF_DOCS = NO +SORT_BY_SCOPE_NAME = NO +GENERATE_TODOLIST = YES +GENERATE_TESTLIST = YES +GENERATE_BUGLIST = YES +GENERATE_DEPRECATEDLIST= YES +ENABLED_SECTIONS = +MAX_INITIALIZER_LINES = 30 +SHOW_USED_FILES = YES +FILE_VERSION_FILTER = +#--------------------------------------------------------------------------- +# configuration options related to warning and progress messages +#--------------------------------------------------------------------------- 
+QUIET = YES +WARNINGS = YES +WARN_IF_DOC_ERROR = YES +WARN_NO_PARAMDOC = YES +WARN_FORMAT = "$file:$line: $text " +WARN_LOGFILE = +#--------------------------------------------------------------------------- +# configuration options related to the input files +#--------------------------------------------------------------------------- +INPUT_ENCODING = UTF-8 +FILE_PATTERNS = *.c \ + *.cc \ + *.cxx \ + *.cpp \ + *.c++ \ + *.d \ + *.java \ + *.ii \ + *.ixx \ + *.ipp \ + *.i++ \ + *.inl \ + *.h \ + *.hh \ + *.hxx \ + *.hpp \ + *.h++ \ + *.idl \ + *.odl \ + *.cs \ + *.php \ + *.php3 \ + *.inc \ + *.m \ + *.mm \ + *.dox +RECURSIVE = YES +EXCLUDE = +EXCLUDE_SYMLINKS = NO +EXCLUDE_PATTERNS = */.svn +EXCLUDE_SYMBOLS = +EXAMPLE_PATTERNS = * +EXAMPLE_RECURSIVE = NO +IMAGE_PATH = +INPUT_FILTER = +FILTER_PATTERNS = +FILTER_SOURCE_FILES = NO +#--------------------------------------------------------------------------- +# configuration options related to source browsing +#--------------------------------------------------------------------------- +SOURCE_BROWSER = NO +INLINE_SOURCES = NO +STRIP_CODE_COMMENTS = YES +REFERENCED_BY_RELATION = NO +REFERENCES_RELATION = NO +REFERENCES_LINK_SOURCE = YES +USE_HTAGS = NO +VERBATIM_HEADERS = NO +#--------------------------------------------------------------------------- +# configuration options related to the alphabetical class index +#--------------------------------------------------------------------------- +ALPHABETICAL_INDEX = NO +COLS_IN_ALPHA_INDEX = 5 +IGNORE_PREFIX = +#--------------------------------------------------------------------------- +# configuration options related to the HTML output +#--------------------------------------------------------------------------- +GENERATE_HTML = YES +HTML_OUTPUT = html +HTML_FILE_EXTENSION = .html +HTML_STYLESHEET = +GENERATE_HTMLHELP = NO +HTML_DYNAMIC_SECTIONS = NO +CHM_FILE = +HHC_LOCATION = +GENERATE_CHI = NO +BINARY_TOC = NO +TOC_EXPAND = NO +DISABLE_INDEX = NO 
+ENUM_VALUES_PER_LINE = 4 +GENERATE_TREEVIEW = NO +TREEVIEW_WIDTH = 250 +#--------------------------------------------------------------------------- +# configuration options related to the LaTeX output +#--------------------------------------------------------------------------- +GENERATE_LATEX = NO +LATEX_OUTPUT = latex +LATEX_CMD_NAME = latex +MAKEINDEX_CMD_NAME = makeindex +COMPACT_LATEX = NO +PAPER_TYPE = a4wide +EXTRA_PACKAGES = +LATEX_HEADER = +PDF_HYPERLINKS = NO +USE_PDFLATEX = NO +LATEX_BATCHMODE = NO +LATEX_HIDE_INDICES = NO +#--------------------------------------------------------------------------- +# configuration options related to the RTF output +#--------------------------------------------------------------------------- +GENERATE_RTF = NO +RTF_OUTPUT = rtf +COMPACT_RTF = NO +RTF_HYPERLINKS = NO +RTF_STYLESHEET_FILE = +RTF_EXTENSIONS_FILE = +#--------------------------------------------------------------------------- +# configuration options related to the man page output +#--------------------------------------------------------------------------- +GENERATE_MAN = YES +MAN_OUTPUT = man +MAN_EXTENSION = .3 +MAN_LINKS = YES +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- +GENERATE_XML = NO +XML_OUTPUT = xml +XML_PROGRAMLISTING = YES +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- +GENERATE_AUTOGEN_DEF = NO +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- +GENERATE_PERLMOD = NO +PERLMOD_LATEX = NO +PERLMOD_PRETTY = YES +PERLMOD_MAKEVAR_PREFIX = 
+#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- +ENABLE_PREPROCESSING = YES +MACRO_EXPANSION = NO +EXPAND_ONLY_PREDEF = NO +SEARCH_INCLUDES = YES +INCLUDE_PATH = +INCLUDE_FILE_PATTERNS = +PREDEFINED = DOXY +EXPAND_AS_DEFINED = +SKIP_FUNCTION_MACROS = YES +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- +TAGFILES = +GENERATE_TAGFILE = +ALLEXTERNALS = NO +EXTERNAL_GROUPS = YES +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- +CLASS_DIAGRAMS = NO +HIDE_UNDOC_RELATIONS = YES +HAVE_DOT = YES +CLASS_GRAPH = YES +COLLABORATION_GRAPH = YES +GROUP_GRAPHS = YES +UML_LOOK = NO +TEMPLATE_RELATIONS = NO +INCLUDE_GRAPH = YES +INCLUDED_BY_GRAPH = YES +CALL_GRAPH = NO +CALLER_GRAPH = NO +GRAPHICAL_HIERARCHY = YES +DIRECTORY_GRAPH = YES +DOT_IMAGE_FORMAT = png +DOTFILE_DIRS = +DOT_GRAPH_MAX_NODES = 50 +MAX_DOT_GRAPH_DEPTH = 1000 +DOT_TRANSPARENT = NO +DOT_MULTI_TARGETS = NO +GENERATE_LEGEND = YES +DOT_CLEANUP = YES +#--------------------------------------------------------------------------- +# Configuration::additions related to the search engine +#--------------------------------------------------------------------------- +SEARCHENGINE = NO diff --git a/third_party/heimdal/doc/footer.html b/third_party/heimdal/doc/footer.html new file mode 100644 index 0000000..48990ae --- /dev/null +++ b/third_party/heimdal/doc/footer.html @@ -0,0 +1,4 @@ +
    +Generated on $datetime for $projectname by doxygen $doxygenversion
    + + diff --git a/third_party/heimdal/doc/gssapi.din b/third_party/heimdal/doc/gssapi.din new file mode 100644 index 0000000..3dd8bb6 --- /dev/null +++ b/third_party/heimdal/doc/gssapi.din @@ -0,0 +1,16 @@ +# Doxyfile 1.5.3 + +PROJECT_NAME = Heimdal GSS-API library +PROJECT_NUMBER = @PACKAGE_VERSION@ +OUTPUT_DIRECTORY = @srcdir@/doxyout/gssapi +INPUT = @srcdir@/../lib/gssapi + +WARN_IF_UNDOCUMENTED = NO + +PERL_PATH = /usr/bin/perl + +HTML_HEADER = "@srcdir@/header.html" +HTML_FOOTER = "@srcdir@/footer.html" + +@INCLUDE = "@srcdir@/doxytmpl.dxy" + diff --git a/third_party/heimdal/doc/hcrypto.din b/third_party/heimdal/doc/hcrypto.din new file mode 100644 index 0000000..aeea179 --- /dev/null +++ b/third_party/heimdal/doc/hcrypto.din @@ -0,0 +1,16 @@ +# Doxyfile 1.5.3 + +PROJECT_NAME = "Heimdal crypto library" +PROJECT_NUMBER = @PACKAGE_VERSION@ +OUTPUT_DIRECTORY = @srcdir@/doxyout/hcrypto +INPUT = @srcdir@/../lib/hcrypto +EXAMPLE_PATH = @srcdir@/../lib/hcrypto + +WARN_IF_UNDOCUMENTED = YES + +PERL_PATH = /usr/bin/perl + +HTML_HEADER = "@srcdir@/header.html" +HTML_FOOTER = "@srcdir@/footer.html" + +@INCLUDE = "@srcdir@/doxytmpl.dxy" diff --git a/third_party/heimdal/doc/hdb.din b/third_party/heimdal/doc/hdb.din new file mode 100644 index 0000000..1b100f4 --- /dev/null +++ b/third_party/heimdal/doc/hdb.din @@ -0,0 +1,15 @@ +# Doxyfile 1.5.3 + +PROJECT_NAME = Heimdal hdb library +PROJECT_NUMBER = @PACKAGE_VERSION@ +OUTPUT_DIRECTORY = @srcdir@/doxyout/hdb +INPUT = @srcdir@/../lib/hdb + +WARN_IF_UNDOCUMENTED = YES + +PERL_PATH = /usr/bin/perl + +HTML_HEADER = "@srcdir@/header.html" +HTML_FOOTER = "@srcdir@/footer.html" + +@INCLUDE = "@srcdir@/doxytmpl.dxy" diff --git a/third_party/heimdal/doc/header.html b/third_party/heimdal/doc/header.html new file mode 100644 index 0000000..b3401c8 --- /dev/null +++ b/third_party/heimdal/doc/header.html @@ -0,0 +1,10 @@ + + +$title + + + +

    +keyhole logo +

    + diff --git a/third_party/heimdal/doc/heimdal.css b/third_party/heimdal/doc/heimdal.css new file mode 100644 index 0000000..2e5b374 --- /dev/null +++ b/third_party/heimdal/doc/heimdal.css @@ -0,0 +1,53 @@ +body { + color: black; + background-color: #fdfdfd; + font-family: serif; + max-width: 40em; +} +h1, h2, h3 { + font-family: sans-serif; + font-weight: bold; +} +h1 { + padding: 0.5em 0 0.5em 5%; + color: white; + background: #3366cc; + border-bottom: solid 1px black; +} +h1 { + font-size: 200%; +} +h2 { + font-size: 150%; +} +h3 { + font-size: 120%; +} +h4 { + font-weight: bold; +} +pre.example { + margin-left: 2em; + padding: 1em 0em; + border: 2px dashed #c0c0c0; + background: #f0f0f0; +} +a:link { + color: blue; + text-decoration: none; +} +a:visited { + color: red; + text-decoration: none +} +a:hover { + text-decoration: underline +} +span.literal { + font-family: monospace; +} +hr { + border-style: none; + background-color: black; + height: 1px; +} diff --git a/third_party/heimdal/doc/heimdal.hhp b/third_party/heimdal/doc/heimdal.hhp new file mode 100644 index 0000000..2996baa --- /dev/null +++ b/third_party/heimdal/doc/heimdal.hhp @@ -0,0 +1,8 @@ +[OPTIONS] +Compatibility=1.1 or later +Compiled file=heimdal.chm +Contents file=toc.hhc +Default topic=index.html +Display compile progress=No +Language=0x409 English (United States) +Title=Heimdal \ No newline at end of file diff --git a/third_party/heimdal/doc/heimdal.texi b/third_party/heimdal/doc/heimdal.texi new file mode 100644 index 0000000..c8ef249 --- /dev/null +++ b/third_party/heimdal/doc/heimdal.texi 
@@ -0,0 +1,153 @@ +\input texinfo @c -*- texinfo -*- +@c %**start of header +@c $Id$ +@setfilename heimdal.info +@settitle HEIMDAL +@iftex +@afourpaper +@end iftex +@c some sensible characters, please? +@tex +\input latin1.tex +@end tex +@setchapternewpage on +@syncodeindex pg cp +@c %**end of header + +@include vars.texi + +@set VERSION @value{PACKAGE_VERSION} +@set EDITION 1.0 + +@ifinfo +@dircategory Security +@direntry +* Heimdal: (heimdal). The Kerberos 5 and PKIX distribution from KTH +@end direntry +@end ifinfo + +@c title page +@titlepage +@title Heimdal +@subtitle Kerberos 5 and PKIX from KTH +@subtitle Edition @value{EDITION}, for version @value{VERSION} +@subtitle 2008 +@author Johan Danielsson +@author Love Hörnquist Åstrand +@author Assar Westerlund +@author et al + +@end titlepage + +@macro manpage{man, section} +@cite{\man\(\section\)} +@end macro + +@c Less filling! Tastes great! +@iftex +@parindent=0pt +@global@parskip 6pt plus 1pt +@global@chapheadingskip = 15pt plus 4pt minus 2pt +@global@secheadingskip = 12pt plus 3pt minus 2pt +@global@subsecheadingskip = 9pt plus 2pt minus 2pt +@end iftex +@ifinfo +@paragraphindent 0 +@end ifinfo + +@ifnottex +@node Top, Introduction, (dir), (dir) +@top Heimdal +@end ifnottex + +This manual for version @value{VERSION} of Heimdal. 
+ +@menu +* Introduction:: +* What is Kerberos?:: +* What is PKIX?:: +* What is a Certification Authority (CA)?:: +* What is kx509?:: +* What is bx509?:: +* Building and Installing:: +* Setting up a realm:: +* Applications:: +* Things in search for a better place:: +* Kerberos 4 issues:: +* Windows compatibility:: +* Programming with Kerberos:: +* Migration:: +* Acknowledgments:: +* Copyrights and Licenses:: + +@detailmenu + --- The Detailed Node Listing --- + +Setting up a realm + +* Configuration file:: +* Creating the database:: +* Modifying the database:: +* keytabs:: +* Remote administration:: +* Password changing:: +* Testing clients and servers:: +* Slave Servers:: +* Incremental propagation:: +* Encryption types and salting:: +* Credential cache server - KCM:: +* Cross realm:: +* Transit policy:: +* Setting up DNS:: +* Using LDAP to store the database:: +* Providing Kerberos credentials to servers and programs:: +* Setting up PK-INIT:: +* Debugging Kerberos problems:: + +Applications + +* Authentication modules:: +* AFS:: + +Authentication modules + +* Digital SIA:: +* IRIX:: + +Kerberos 4 issues + +* Principal conversion issues:: +* Converting a version 4 database:: + +Windows compatibility + +* Configuring Windows to use a Heimdal KDC:: +* Inter-Realm keys (trust) between Windows and a Heimdal KDC:: +* Create account mappings:: +* Encryption types:: +* Authorisation data:: +* Quirks of Windows 2000 KDC:: +* Useful links when reading about the Windows:: + +Programming with Kerberos + +@end detailmenu +@end menu + +@include intro.texi +@include whatis.texi +@include install.texi +@include setup.texi +@include apps.texi +@include misc.texi +@include kerberos4.texi +@include win2k.texi +@include programming.texi +@include migration.texi +@include ack.texi +@include copyright.texi + +@c @shortcontents +@contents + +@bye diff --git a/third_party/heimdal/doc/hx509.din b/third_party/heimdal/doc/hx509.din new file mode 100644 index 0000000..c6d02b2 --- /dev/null 
+++ b/third_party/heimdal/doc/hx509.din @@ -0,0 +1,15 @@ +# Doxyfile 1.5.3 + +PROJECT_NAME = Heimdal x509 library +PROJECT_NUMBER = @PACKAGE_VERSION@ +OUTPUT_DIRECTORY = @srcdir@/doxyout/hx509 +INPUT = @srcdir@/../lib/hx509 + +WARN_IF_UNDOCUMENTED = YES + +PERL_PATH = /usr/bin/perl + +HTML_HEADER = "@srcdir@/header.html" +HTML_FOOTER = "@srcdir@/footer.html" + +@INCLUDE = "@srcdir@/doxytmpl.dxy" diff --git a/third_party/heimdal/doc/hx509.hhp b/third_party/heimdal/doc/hx509.hhp new file mode 100644 index 0000000..bce680a --- /dev/null +++ b/third_party/heimdal/doc/hx509.hhp @@ -0,0 +1,8 @@ +[OPTIONS] +Compatibility=1.1 or later +Compiled file=hx509.chm +Contents file=toc.hhc +Default topic=index.html +Display compile progress=No +Language=0x409 English (United States) +Title=HX509 \ No newline at end of file diff --git a/third_party/heimdal/doc/hx509.texi b/third_party/heimdal/doc/hx509.texi new file mode 100644 index 0000000..0a90cb7 --- /dev/null +++ b/third_party/heimdal/doc/hx509.texi 
@@ -0,0 +1,786 @@ +\input texinfo @c -*- texinfo -*- +@c %**start of header +@c $Id$ +@setfilename hx509.info +@settitle HX509 +@iftex +@afourpaper +@end iftex +@c some sensible characters, please? +@tex +\input latin1.tex +@end tex +@setchapternewpage on +@syncodeindex pg cp +@c %**end of header + +@include vars.texi + +@set VERSION @value{PACKAGE_VERSION} +@set EDITION 1.0 + +@ifinfo +@dircategory Security +@direntry +* hx509: (hx509). The X.509 distribution from KTH +@end direntry +@end ifinfo + +@c title page +@titlepage +@title HX509 +@subtitle X.509 distribution from KTH +@subtitle Edition @value{EDITION}, for version @value{VERSION} +@subtitle 2008 +@author Love Hörnquist Åstrand + +@iftex +@def@copynext{@vskip 20pt plus 1fil} +@def@copyrightstart{} +@def@copyrightend{} +@end iftex +@macro copynext +@end macro +@macro copyrightstart +@end macro +@macro copyrightend +@end macro + +@page +@copyrightstart +Copyright (c) 1994-2019 Kungliga Tekniska Högskolan +(Royal Institute of Technology, Stockholm, Sweden). +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +@copynext + +Copyright (c) 1988, 1990, 1993 + The Regents of the University of California. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + +@copynext + +Copyright 1992 Simmule Turner and Rich Salz. All rights reserved. + +This software is not subject to any license of the American Telephone +and Telegraph Company or of the Regents of the University of California. + +Permission is granted to anyone to use this software for any purpose on +any computer system, and to alter it and redistribute it freely, subject +to the following restrictions: + +1. The authors are not responsible for the consequences of use of this + software, no matter how awful, even if they arise from flaws in it. + +2. The origin of this software must not be misrepresented, either by + explicit claim or by omission. Since few users ever read sources, + credits must appear in the documentation. + +3. Altered versions must be plainly marked as such, and must not be + misrepresented as being the original software. Since few users + ever read sources, credits must appear in the documentation. + +4. This notice may not be removed or altered. + +@copynext + +IMath is Copyright 2002-2005 Michael J. 
Fromberger +You may use it subject to the following Licensing Terms: + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +@copyrightend +@end titlepage + +@macro manpage{man, section} +@cite{\man\(\section\)} +@end macro + +@c Less filling! Tastes great! +@iftex +@parindent=0pt +@global@parskip 6pt plus 1pt +@global@chapheadingskip = 15pt plus 4pt minus 2pt +@global@secheadingskip = 12pt plus 3pt minus 2pt +@global@subsecheadingskip = 9pt plus 2pt minus 2pt +@end iftex +@ifinfo +@paragraphindent 0 +@end ifinfo + +@ifnottex +@node Top, Introduction, (dir), (dir) +@top Heimdal +@end ifnottex + +This manual is for version @value{VERSION} of hx509. 
+ +@menu +* Introduction:: +* What are X.509 and PKIX ?:: +* Setting up a CA:: +* CMS signing and encryption:: +* Certificate matching:: +* Software PKCS 11 module:: +* Creating a CA certificate:: +* Issuing certificates:: +* Issuing CRLs:: +* Application requirements:: +* CMS background:: +* Matching syntax:: +* How to use the PKCS11 module:: + +@detailmenu + --- The Detailed Node Listing --- + +Setting up a CA + +@c * Issuing certificates:: +* Creating a CA certificate:: +* Issuing certificates:: +* Issuing CRLs:: +@c * Issuing a proxy certificate:: +@c * Creating a user certificate:: +@c * Validating a certificate:: +@c * Validating a certificate path:: +* Application requirements:: + +CMS signing and encryption + +* CMS background:: + +Certificate matching + +* Matching syntax:: + +Software PKCS 11 module + +* How to use the PKCS11 module:: + +@end detailmenu +@end menu + +@node Introduction, What are X.509 and PKIX ?, Top, Top +@chapter Introduction + +A Public Key Infrastructure (PKI) is an authentication mechanism based on +entities having certified cryptographic public keys and corresponding private +(secret) keys. + +The ITU-T PKI specifications are designated "x.509", while the IETF PKI +specifications (PKIX) are specified by a number of Internet RFCs and are based +on x.509. + +The goals of a PKI (as stated in +RFC 5280) is to meet +@emph{the needs of deterministic, automated identification, authentication, access control, and authorization}. + +The administrator should be aware of certain terminologies as explained by the aforementioned +RFC before attemping to put in place a PKI infrastructure. Briefly, these are: + +@itemize @bullet +@item CA +Certificate Authority +@item RA +Registration Authority, i.e., an optional system to which a CA delegates certain management functions. +@item Certificate +A binary document that names an entity and its public key and which is signed +by an issuing CA. 
+@item CRL Issuer +An optional system to which a CA delegates the publication of certificate revocation lists. +@item Repository +A system or collection of distributed systems that stores certificates and CRLs +and serves as a means of distributing these certificates and CRLs to end entities +@end itemize + +hx509 (Heimdal x509 support) is a near complete X.509/PKIX stack that can +handle CMS messages (crypto system used in S/MIME and Kerberos PK-INIT) +and basic certificate processing tasks, path construction, path +validation, OCSP and CRL validation, PKCS10 message construction, CMS +Encrypted (shared secret encrypted), CMS SignedData (certificate +signed), and CMS EnvelopedData (certificate encrypted). + +hx509 can use PKCS11 tokens, PKCS12 files, PEM files, and/or DER encoded +files. + +hx509 consists of a library (libhx509) and a command-line utility (hxtool), as +well as a RESTful, HTTPS-based service that implements an online CA. + +@node What are X.509 and PKIX ?, Setting up a CA, Introduction, Top +@chapter What are X.509 and PKIX, PKIX, PKCS7 and CMS ? + +X.509 was created by CCITT (later ITU-T) for the X.500 directory +service. Today, X.509 discussions and implementations commonly reference +the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate +standard, as specified in RFC 3280. + +ITU continues to develop the X.509 standard together with the IETF in a +rather complicated dance. + +X.509 is a public key based security system that has associated data +stored within a so called certificate. Initially, X.509 was a strict +hierarchical system with one root. However, ever evolving requiments and +technology advancements saw the inclusion of multiple policy roots, +bridges and mesh solutions. + +x.509 can also be used as a peer to peer system, though often seen as a +common scenario. + +@section Type of certificates + +There are several flavors of certificate in X.509. 
+ +@itemize @bullet + +@item Trust anchors + +Trust anchors are strictly not certificates, but commonly stored in a +certificate format as they become easier to manage. Trust anchors are +the keys that an end entity would trust to validate other certificates. +This is done by building a path from the certificate you want to +validate to to any of the trust anchors you have. + +@item End Entity (EE) certificates + +End entity certificates are the most common types of certificates. End +entity certificates cannot issue (sign) certificate themselves and are generally +used to authenticate and authorize users and services. + +@item Certification Authority (CA) certificates + +Certificate authority certificates have the right to issue additional +certificates (be it sub-ordinate CA certificates to build an trust anchors +or end entity certificates). There is no limit to how many certificates a CA +may issue, but there might other restrictions, like the maximum path +depth. + +@item Proxy certificates + +Remember the statement "End Entity certificates cannot issue +certificates"? Well that statement is not entirely true. There is an +extension called proxy certificates defined in RFC3820, that allows +certificates to be issued by end entity certificates. The service that +receives the proxy certificates must have explicitly turned on support +for proxy certificates, so their use is somewhat limited. + +Proxy certificates can be limited by policies stored in the certificate to +what they can be used for. This allows users to delegate the proxy +certificate to services (by sending over the certificate and private +key) so the service can access services on behalf of the user. + +One example of this would be a print service. 
The user wants to print a +large job in the middle of the night when the printer isn't used that +much, so the user creates a proxy certificate with the policy that it +can only be used to access files related to this print job, creates the +print job description and send both the description and proxy +certificate with key over to print service. Later at night when the +print service initializes (without any user intervention), access to the files +for the print job is granted via the proxy certificate. As a result of (in-place) +policy limitations, the certificate cannot be used for any other purposes. + +@end itemize + +@section Building a path + +Before validating a certificate path (or chain), the path needs to be +constructed. Given a certificate (EE, CA, Proxy, or any other type), +the path construction algorithm will try to find a path to one of the +trust anchors. + +The process starts by looking at the issuing CA of the certificate, by +Name or Key Identifier, and tries to find that certificate while at the +same time evaluting any policies in-place. + +@node Setting up a CA, Creating a CA certificate, What are X.509 and PKIX ?, Top +@chapter Setting up a CA + +Do not let information overload scare you off! If you are simply testing +or getting started with a PKI infrastructure, skip all this and go to +the next chapter (see: @pxref{Creating a CA certificate}). + +Creating a CA certificate should be more the just creating a +certificate, CA's should define a policy. Again, if you are simply +testing a PKI, policies do not matter so much. However, when it comes to +trust in an organisation, it will probably matter more whom your users +and sysadmins will find it acceptable to trust. + +At the same time, try to keep things simple, it's not very hard to run a +Certificate authority and the process to get new certificates should be simple. 
+ +You may find it helpful to answer the following policy questions for +your organization at a later stage: + +@itemize @bullet +@item How do you trust your CA. +@item What is the CA responsibility. +@item Review of CA activity. +@item How much process should it be to issue certificate. +@item Who is allowed to issue certificates. +@item Who is allowed to requests certificates. +@item How to handle certificate revocation, issuing CRLs and maintain OCSP services. +@end itemize + +@node Creating a CA certificate, Issuing certificates, Setting up a CA, Top +@section Creating a CA certificate + +This section describes how to create a CA certificate and what to think +about. + +@subsection Lifetime CA certificate + +You probably want to create a CA certificate with a long lifetime, 10 +years at the very minimum. This is because you don't want to push out the +certificate (as a trust anchor) to all you users again when the old +CA certificate expires. Although a trust anchor can't really expire, not all +software works in accordance with published standards. + +Keep in mind the security requirements might be different 10-20 years +into the future. For example, SHA1 is going to be withdrawn in 2010, so +make sure you have enough buffering in your choice of digest/hash +algorithms, signature algorithms and key lengths. + +@subsection Create a CA certificate + +This command below can be used to generate a self-signed CA certificate. + +@example +hxtool issue-certificate \ + --self-signed \ + --issue-ca \ + --generate-key=rsa \ + --subject="CN=CertificateAuthority,DC=test,DC=h5l,DC=se" \ + --lifetime=10years \ + --certificate="FILE:ca.pem" +@end example + +@subsection Extending the lifetime of a CA certificate + +You just realised that your CA certificate is going to expire soon and +that you need replace it with a new CA. The easiest way to do that +is to extend the lifetime of your existing CA certificate. 
+ +The example below will extend the CA certificate's lifetime by 10 years. +You should compare this new certificate if it contains all the +special tweaks as the old certificate had. + +@example +hxtool issue-certificate \ + --self-signed \ + --issue-ca \ + --lifetime="10years" \ + --template-certificate="FILE:ca.pem" \ + --template-fields="serialNumber,notBefore,subject,SPKI" \ + --ca-private-key=FILE:ca.pem \ + --certificate="FILE:new-ca.pem" +@end example + +@subsection Subordinate CA + +This example below creates a new subordinate certificate authority. + +@example +hxtool issue-certificate \ + --ca-certificate=FILE:ca.pem \ + --issue-ca \ + --generate-key=rsa \ + --subject="CN=CertificateAuthority,DC=dev,DC=test,DC=h5l,DC=se" \ + --certificate="FILE:dev-ca.pem" +@end example + + +@node Issuing certificates, Issuing CRLs, Creating a CA certificate, Top +@section Issuing certificates + +First you'll create a CA certificate, after that you have to deal with +your users and servers and issue certificates to them. + +@c I think this section needs a bit of clarity. Can I add a separate +@c section which explains CSRs as well? + + +@itemize @bullet + +@item Do all the work themself + +Generate the key for the user. This has the problme that the the CA +knows the private key of the user. For a paranoid user this might leave +feeling of disconfort. + +@item Have the user do part of the work + +Receive PKCS10 certificate requests fromusers. PKCS10 is a request for a +certificate. The user may specify what DN they want as well as provide +a certificate signing request (CSR). To prove the user have the key, +the whole request is signed by the private key of the user. + +@end itemize + +@subsection Name space management + +@c The explanation given below is slightly unclear. I will re-read the +@c RFC and document accordingly + +What people might want to see. + +Re-issue certificates just because people moved within the organization. + +Expose privacy information. 
+ +Using Sub-component name (+ notation). + +@subsection Certificate Revocation, CRL and OCSP + +Certificates that a CA issues may need to be revoked at some stage. As +an example, an employee leaves the organization and does not bother +handing in his smart card (or even if the smart card is handed back -- +the certificate on it must no longer be acceptable to services; the +employee has left). + +You may also want to revoke a certificate for a service which is no +longer being offered on your network. Overlooking these scenarios can +lead to security holes which will quickly become a nightmare to deal +with. + +There are two primary protocols for dealing with certificate +revokation. Namely: + +@itemize @bullet +@item Certificate Revocation List (CRL) +@item Online Certificate Status Protocol (OCSP) +@end itemize + +If however the certificate in qeustion has been destroyed, there is no +need to revoke the certificate because it can not be used by someone +else. This matter since for each certificate you add to CRL, the +download time and processing time for clients are longer. + +CRLs and OCSP responders however greatly help manage compatible services +which may authenticate and authorize users (or services) on an on-going +basis. As an example, VPN connectivity established via certificates for +connecting clients would require your VPN software to make use of a CRL +or an OCSP service to ensure revoked certificates belonging to former +clients are not allowed access to (formerly subscribed) network +services. + + +@node Issuing CRLs, Application requirements, Issuing certificates, Top +@section Issuing CRLs + +Create an empty CRL with no certificates revoked. Default expiration +value is one year from now. + +@example +hxtool crl-sign \ + --crl-file=crl.der \ + --signer=FILE:ca.pem +@end example + +Create a CRL with all certificates in the directory +@file{/path/to/revoked/dir} included in the CRL as revoked. Also make +it expire one month from now. 
+ +@example +hxtool crl-sign \ + --crl-file=crl.der \ + --signer=FILE:ca.pem \ + --lifetime='1 month' \ + DIR:/path/to/revoked/dir +@end example + +@node Application requirements, CMS signing and encryption, Issuing CRLs, Top +@section Application requirements + +Application place different requirements on certificates. This section +tries to expand what they are and how to use hxtool to generate +certificates for those services. + +@subsection HTTPS - server + +@example +hxtool issue-certificate \ + --subject="CN=www.test.h5l.se,DC=test,DC=h5l,DC=se" \ + --type="https-server" \ + --hostname="www.test.h5l.se" \ + --hostname="www2.test.h5l.se" \ + ... +@end example + +@subsection HTTPS - client + +@example +hxtool issue-certificate \ + --subject="UID=testus,DC=test,DC=h5l,DC=se" \ + --type="https-client" \ + ... +@end example + +@subsection S/MIME - email + +There are two things that should be set in S/MIME certificates, one or +more email addresses and an extended eku usage (EKU), emailProtection. + +The email address format used in S/MIME certificates is defined in +RFC2822, section 3.4.1 and it should be an ``addr-spec''. + +There are two ways to specifify email address in certificates. The old +way is in the subject distinguished name, @emph{this should not be used}. The +new way is using a Subject Alternative Name (SAN). + +Even though the email address is stored in certificates, they don't need +to be, email reader programs are required to accept certificates that +doesn't have either of the two methods of storing email in certificates +-- in which case, the email client will try to protect the user by +printing the name of the certificate instead. + +S/MIME certificate can be used in another special way. They can be +issued with a NULL subject distinguished name plus the email in SAN, +this is a valid certificate. This is used when you wont want to share +more information then you need to. 
+ +hx509 issue-certificate supports adding the email SAN to certificate by +using the --email option, --email also gives an implicit emailProtection +eku. If you want to create an certificate without an email address, the +option --type=email will add the emailProtection EKU. + +@example +hxtool issue-certificate \ + --subject="UID=testus-email,DC=test,DC=h5l,DC=se" \ + --type=email \ + --email="testus@@test.h5l.se" \ + ... +@end example + +An example of an certificate without and subject distinguished name with +an email address in a SAN. + +@example +hxtool issue-certificate \ + --subject="" \ + --type=email \ + --email="testus@@test.h5l.se" \ + ... +@end example + +@subsection PK-INIT + +A PK-INIT infrastructure allows users and services to pick up kerberos +credentials (tickets) based on their certificate. This, for example, +allows users to authenticate to their desktops using smartcards while +acquiring kerberos tickets in the process. + +As an example, an office network which offers centrally controlled +desktop logins, mail, messaging (xmpp) and openafs would give users +single sign-on facilities via smartcard based logins. Once the kerberos +ticket has been acquired, all kerberized services would immediately +become accessible based on deployed security policies. + +Let's go over the process of initializing a demo PK-INIT framework: + +@example +hxtool issue-certificate \ + --type="pkinit-kdc" \ + --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \ + --hostname=kerberos.test.h5l.se \ + --ca-certificate="FILE:ca.pem,ca.key" \ + --generate-key=rsa \ + --certificate="FILE:kdc.pem" \ + --subject="cn=kdc" +@end example + +How to create a certificate for a user. 
+ +@example +hxtool issue-certificate \ + --type="pkinit-client" \ + --pk-init-principal="user@@TEST.H5L.SE" \ + --ca-certificate="FILE:ca.pem,ca.key" \ + --generate-key=rsa \ + --subject="cn=Test User" \ + --certificate="FILE:user.pem" +@end example + +The --type field can be specified multiple times. The same certificate +can hence house extensions for both pkinit-client as well as S/MIME. + +To use the PKCS11 module, please see the section: +@pxref{How to use the PKCS11 module}. + +More about how to configure the KDC, see the documentation in the +Heimdal manual to set up the KDC. + +@subsection XMPP/Jabber + +The jabber server certificate should have a dNSname that is the same as +the user entered into the application, not the same as the host name of +the machine. + +@example +hxtool issue-certificate \ + --subject="CN=xmpp1.test.h5l.se,DC=test,DC=h5l,DC=se" \ + --hostname="xmpp1.test.h5l.se" \ + --hostname="test.h5l.se" \ + ... +@end example + +The certificate may also contain a jabber identifier (JID) that, if the +receiver allows it, authorises the server or client to use that JID. + +When storing a JID inside the certificate, both for server and client, +it's stored inside a UTF8String within an otherName entity inside the +subjectAltName, using the OID id-on-xmppAddr (1.3.6.1.5.5.7.8.5). + +To read more about the requirements, see RFC3920, Extensible Messaging +and Presence Protocol (XMPP): Core. + +hxtool issue-certificate have support to add jid to the certificate +using the option @kbd{--jid}. + +@example +hxtool issue-certificate \ + --subject="CN=Love,DC=test,DC=h5l,DC=se" \ + --jid="lha@@test.h5l.se" \ + ... +@end example + + +@node CMS signing and encryption, CMS background, Application requirements, Top +@chapter CMS signing and encryption + +CMS is the Cryptographic Message System that among other, is used by +S/MIME (secure email) and Kerberos PK-INIT. It's an extended version of +the RSA, Inc standard PKCS7. 
+ +@node CMS background, Certificate matching, CMS signing and encryption, Top +@section CMS background + + +@node Certificate matching, Matching syntax, CMS background, Top +@chapter Certificate matching + +To match certificates hx509 have a special query language to match +certifictes in queries and ACLs. + +@node Matching syntax, Software PKCS 11 module, Certificate matching, Top +@section Matching syntax + +This is the language definitions somewhat slopply descriped: + +@example + +expr = TRUE, + FALSE, + ! expr, + expr AND expr, + expr OR expr, + ( expr ) + compare + +compare = + word == word, + word != word, + word IN ( word [, word ...]) + word IN %@{variable.subvariable@} + +word = + STRING, + %@{variable@} + +@end example + +@node Software PKCS 11 module, How to use the PKCS11 module, Matching syntax, Top +@chapter Software PKCS 11 module + +PKCS11 is a standard created by RSA, Inc to support hardware and +software encryption modules. It can be used by smartcard to expose the +crypto primitives inside without exposing the crypto keys. + +Hx509 includes a software implementation of PKCS11 that runs within the +memory space of the process and thus exposes the keys to the +application. + +@node How to use the PKCS11 module, , Software PKCS 11 module, Top +@section How to use the PKCS11 module + +@example +$ cat > ~/.soft-pkcs11.rc <
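Review bot: in doc/gssapi.din, PROJECT_NAME = Heimdal GSS-API library is a multi-word value without quotes, while hcrypto.din in the same patch writes PROJECT_NAME = "Heimdal crypto library". Doxygen expects a multi-word value for this tag to be double-quoted, so quote it here (and in hdb.din and hx509.din, which have the same form). This file also sets WARN_IF_UNDOCUMENTED = NO where the other three .din files set YES; if the GSS-API library is meant to be exempt from undocumented-symbol warnings, a comment line saying why would make that visible to the next editor.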
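Review bot: in doc/heimdal.css the h1 selector is declared twice back to back, once for padding, colour, background and border and once for font-size: 200%; fold the font-size into the first rule so there is a single place to edit. The a:visited and a:hover rules also end text-decoration without a semicolon, unlike a:link just above them; adding it keeps a later appended declaration from being swallowed into the same value.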
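Review bot: in doc/heimdal.texi the sentence under the Top node reads "This manual for version @value{VERSION} of Heimdal." and is missing its verb; hx509.texi has the intended form, "This manual is for version ...". The detailed node listing also ends with a "Programming with Kerberos" heading that has no entries before @end detailmenu; either list that chapter's nodes or drop the heading.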
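Review bot: in doc/hx509.texi, the "Lifetime CA certificate" subsection recommends a CA lifetime of at least 10 years and then says "SHA1 is going to be withdrawn in 2010", a future-tense statement in a file whose copyright notice runs to 2019. That paragraph should be reworded so the advice on digest, signature algorithm and key length does not depend on a date that has passed, because readers will copy the --generate-key=rsa and --lifetime=10years examples that follow it as they stand. Other points in the same hunk: the Introduction cites RFC 5280 but the next chapter cites RFC 3280, which RFC 5280 obsoletes, so use one reference throughout. The PK-INIT examples pass --ca-certificate="FILE:ca.pem,ca.key", yet the CA creation example writes only FILE:ca.pem and the lifetime-extension example uses --ca-private-key=FILE:ca.pem, so a reader following the manual in order has no ca.key. In the matching syntax, the ( expr ) alternative and the word IN ( word [, word ...]) alternative are missing the trailing comma that separates the other alternatives. The S/MIME text says "hx509 issue-certificate" where every example uses hxtool, the Top node is titled "@top Heimdal" in a manual whose @settitle is HX509, and the chapter title "What are X.509 and PKIX, PKIX, PKCS7 and CMS ?" repeats PKIX. A spelling pass is also needed: attemping, requiments, evaluting, problme, fromusers, revokation, qeustion, specifify, certifictes, slopply descriped.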