From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. 
Signed-off-by: Daniel Baumann --- third_party/heimdal/tools/Makefile.am | 65 +++ third_party/heimdal/tools/NTMakefile | 35 ++ third_party/heimdal/tools/cov.sh | 19 + third_party/heimdal/tools/coveralls-tool | 277 +++++++++++ third_party/heimdal/tools/fixgcov-source-paths.sh | 18 + third_party/heimdal/tools/heimdal-gssapi.pc.in | 14 + .../heimdal/tools/heimdal-kadm-client.pc.in | 11 + .../heimdal/tools/heimdal-kadm-server.pc.in | 12 + third_party/heimdal/tools/heimdal-krb5.pc.in | 12 + third_party/heimdal/tools/kadm-client.pc.in | 10 + third_party/heimdal/tools/kadm-server.pc.in | 10 + third_party/heimdal/tools/kafs.pc.in | 10 + third_party/heimdal/tools/kdc-log-analyze.pl | 549 +++++++++++++++++++++ third_party/heimdal/tools/krb5-config.1 | 90 ++++ third_party/heimdal/tools/krb5-config.in | 266 ++++++++++ third_party/heimdal/tools/krb5-gssapi.pc.in | 10 + third_party/heimdal/tools/krb5.pc.in | 10 + 17 files changed, 1418 insertions(+) create mode 100644 third_party/heimdal/tools/Makefile.am create mode 100644 third_party/heimdal/tools/NTMakefile create mode 100644 third_party/heimdal/tools/cov.sh create mode 100755 third_party/heimdal/tools/coveralls-tool create mode 100755 third_party/heimdal/tools/fixgcov-source-paths.sh create mode 100644 third_party/heimdal/tools/heimdal-gssapi.pc.in create mode 100644 third_party/heimdal/tools/heimdal-kadm-client.pc.in create mode 100644 third_party/heimdal/tools/heimdal-kadm-server.pc.in create mode 100644 third_party/heimdal/tools/heimdal-krb5.pc.in create mode 100644 third_party/heimdal/tools/kadm-client.pc.in create mode 100644 third_party/heimdal/tools/kadm-server.pc.in create mode 100644 third_party/heimdal/tools/kafs.pc.in create mode 100644 third_party/heimdal/tools/kdc-log-analyze.pl create mode 100644 third_party/heimdal/tools/krb5-config.1 create mode 100644 third_party/heimdal/tools/krb5-config.in create mode 100644 third_party/heimdal/tools/krb5-gssapi.pc.in create mode 100644 third_party/heimdal/tools/krb5.pc.in 
(limited to 'third_party/heimdal/tools')
diff --git a/third_party/heimdal/tools/Makefile.am b/third_party/heimdal/tools/Makefile.am
new file mode 100644
index 0000000..7c50e46
--- /dev/null
+++ b/third_party/heimdal/tools/Makefile.am
@@ -0,0 +1,65 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+bin_SCRIPTS = krb5-config
+
+pkgconfigdir = $(libdir)/pkgconfig
+
+pkgconfig_DATA = \
+ heimdal-gssapi.pc \
+ heimdal-krb5.pc \
+ heimdal-kadm-client.pc \
+ heimdal-kadm-server.pc \
+ kafs.pc \
+ kadm-client.pc \
+ kadm-server.pc \
+ krb5.pc \
+ krb5-gssapi.pc
+
+man_MANS = krb5-config.1
+
+if PKINIT
+LIB_pkinit = -lhx509
+endif
+
+subst = sed -e "s!@PACKAGE\@!$(PACKAGE)!g" \
+ -e "s!@VERSION\@!$(VERSION)!g" \
+ -e "s!@CANONICAL_HOST\@!$(CANONICAL_HOST)!g" \
+ -e "s!@prefix\@!$(prefix)!g" \
+ -e "s!@exec_prefix\@!$(exec_prefix)!g" \
+ -e "s!@libdir\@!$(libdir)!g" \
+ -e "s!@includedir\@!$(includedir)!g" \
+ -e "s!@PTHREAD_LIBADD\@!$(PTHREAD_LIBADD)!g" \
+ -e "s!@LIB_crypt\@!$(LIB_crypt)!g" \
+ -e "s!@LIB_dbopen\@!$(LIB_dbopen)!g" \
+ -e "s!@LIB_hcrypto_appl\@!$(LIB_hcrypto_appl)!g" \
+ -e "s!@LIB_dlopen\@!$(LIB_dlopen)!g" \
+ -e "s!@LIB_door_create\@!$(LIB_door_create)!g" \
+ -e "s!@LIB_pkinit\@!$(LIB_pkinit)!g" \
+ -e "s!@LIBS\@!$(LIBS)!g"
+
+krb5-config: krb5-config.in
+ $(subst) $(srcdir)/krb5-config.in | /bin/sh > $@.new
+ mv $@.new $@
+ chmod +x $@
+
+.pc.in.pc:
+ $(subst) $< > $@.new
+ mv $@.new $@
+
+EXTRA_DIST = \
+ NTMakefile \
+ cov.sh \
+ $(man_MANS) \
+ krb5-config.in \
+ heimdal-gssapi.pc.in \
+ kdc-log-analyze.pl \
+ $(pkgconfig_DATA:.pc=.pc.in)
+
+CLEANFILES = \
+ krb5-config \
+ krb5-config.new \
+ $(pkgconfig_DATA) \
+ $(pkgconfig_DATA:.pc=.pc.new)
+
diff --git a/third_party/heimdal/tools/NTMakefile b/third_party/heimdal/tools/NTMakefile
new file mode 100644
index 0000000..e4b3466
--- /dev/null
+++ b/third_party/heimdal/tools/NTMakefile
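Review bot: In the `krb5-config` rule of tools/Makefile.am, the recipe line `$(subst) $(srcdir)/krb5-config.in | /bin/sh > $@.new` takes its exit status from `/bin/sh` alone. If `sed` fails, for example because a substituted value such as `$(LIBS)` contains the `!` delimiter, the shell reads empty input and exits 0, and the following `mv` and `chmod +x` then install an empty `krb5-config` through `bin_SCRIPTS`. I would check each stage separately: `$(subst) $(srcdir)/krb5-config.in > $@.tmp`, then `/bin/sh < $@.tmp > $@.new`, and add `krb5-config.tmp` to `CLEANFILES`. The substituted values are also expanded unescaped inside double-quoted shell text, so a comment above `subst` should state that they come from configure and must not contain `!`, `"` or backquotes.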
@@ -0,0 +1,35 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+RELDIR=tools
+
+!include ../windows/NTMakefile.w32
+
diff --git a/third_party/heimdal/tools/cov.sh b/third_party/heimdal/tools/cov.sh
new file mode 100644
index 0000000..8ceba2d
--- /dev/null
+++ b/third_party/heimdal/tools/cov.sh
@@ -0,0 +1,19 @@
+
+d="lib/roken lib/krb5 lib/gssapi lib/ntlm tests/kdc tests/gss kuser"
+
+basedir=$(basedir $0)
+
+${basedir}/../configure CFLAGS='-fprofile-arcs -ftest-coverage' > log
+
+lcov --directory . --zerocounters
+
+make all check > log
+
+lcov --directory . --capture --output-file heimdal-lcov.info
+
+objdir="/Volumes/data/Users/lha/obj/hg"
+srcdir="/Volumes/data/Users/lha/src/heimdal/git"
+
+perl -pi -e "s@SF:$objdir/(.*.[ly])\$@SF:$srcdir/\$1@" heimdal-lcov.info
+
+genhtml heimdal-lcov.info
diff --git a/third_party/heimdal/tools/coveralls-tool b/third_party/heimdal/tools/coveralls-tool
new file mode 100755
index 0000000..981bd17
--- /dev/null
+++ b/third_party/heimdal/tools/coveralls-tool
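Review bot: In cov.sh, `basedir=$(basedir $0)` calls a command named `basedir`, which is not a standard utility; `dirname` looks intended. The script has no `set -e`, so a failed substitution leaves `basedir` empty and the next line runs `/../configure`, a `configure` at the filesystem root rather than the one in the source tree. I would write `basedir=$(dirname "$0")`, quote the use as `"${basedir}/../configure"`, and start the file with `#!/bin/sh` and `set -e` so a failed step stops the run. `objdir` and `srcdir` are hard-coded to one developer's `/Volumes/data/Users/lha/...` directories, which deserves a comment saying they must be edited before use. `make all check > log` also overwrites the configure output written to the same `log` file two steps earlier.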
@@ -0,0 +1,277 @@ +#!/bin/bash + +# This script collates gcov data after one has configured with --enable-gcov, +# built, and run tests. It either outputs or POSTs to Coveralls a JSON text in +# the schema for the Coveralls API, which is documented here: +# +# https://docs.coveralls.io/api-introduction +# https://docs.coveralls.io/api-reference +# +# Currently only files in source languages supported by gcov(1) are reported +# on, though this can easily be extended. Currently that's only C/C++ files. +# +# This script is specifically written for Heimdal, which is an open source C +# codebases that uses autoconf and libtool for its build system. This means +# that sometimes the gcov notes and data files are not necessarily where the +# gcov(1) utility would find them, which is why this script exists instead of +# using some other integration script. +# +# Although this is specific to Heimdal, it can be extended. +# +# Note that one side effect of running this script, gcov(1) will be run for all +# C/C++ source files in the workspace. As well, some gcov notes and data files +# maybe hard-linked to other names. However, this script should be idempotent. + +set -euo pipefail +set +o noglob + +PROG=${0##*/} + +job=${TRAVIS_JOB_ID:-} +out= +post=false +repo= +flst= +quiet=false +branch= +srcdir=$PWD +objdir= +token=${COVERALLS_REPO_TOKEN:-} +origin= +verbose=0 + +function usage { + ((${1:-1})) && exec 1>&2 + cat < 3)) && set -vx;; +*) usage 1;; +esac +done + +# Note: we don't cd to $srcdir or $objdir or anywhere, so if $out is a relative +# path, we do the right thing. 
+ +: ${objdir:=${srcdir}} +: ${branch:=${TRAVIS_BRANCH:-$(cd "$srcdir" && git rev-parse --abbrev-ref HEAD)}} + +if [[ -z ${origin:-} ]]; then + origin=$( + git for-each-ref \ + --format="%(refname:short) %(upstream:remotename)" refs/heads | + while read gb gr; do + [[ $gb = $branch ]] || continue + printf '%s\n' "$gr" + break + done + ) +fi + +if [[ -z ${repo:-} ]]; then + if [[ -n ${TRAVIS_REPO_SLUG:-} ]]; then + repo=git@github.com:${TRAVIS_REPO_SLUG:-heimdal/heimdal} + else + repo=$(cd "$srcdir" && git remote get-url --push "$origin") + fi +fi + +if ((verbose > 1)); then + exec 3>&2 +else + exec 3>/dev/null +fi + +d= +function cleanup { + [[ -n $d ]] && rm -rf "$d" +} + +trap cleanup EXIT +d=$(mktemp -d) +touch "${d}/f" + +declare -a gcov + +(cd "$srcdir" && + if [[ -n $flst ]]; then cat "$flst"; else git ls-files -- '*.c' '*.cpp'; fi) | +while read f; do + # Remember to be careful to refer to ${srcdir}/${f} + ((verbose)) && printf 'Processing: %s\n' "$f" 1>&2 + + dir=${f%/*} + base=${f##*/} + base=${base%.*} + + if [[ ! -f ${objdir}/${dir}/.libs/${base}.gcda && ! -f ${objdir}/${dir}/${base}.gcda ]]; then + # Look for .libs/libfoo_la-${base}.gcda -- we don't know "foo", and + # there may be more than one! + gcda= + for gcda in ${objdir}/${dir}/.libs/*_la-${base}.gcda; do + break + done + gcno= + for gcno in ${objdir}/${dir}/.libs/*_la-${base}.gcno; do + break + done + [[ -n $gcno && -f $gcno ]] && ln -f "$gcno" "${objdir}/${dir}/.libs/${base}.gcno" + [[ -n $gcda && -f $gcda ]] && ln -f "$gcda" "${objdir}/${dir}/.libs/${base}.gcda" + if [[ ( -n $gcda && ! -f $gcda ) || ( -n $gcno && ! -f $gcno ) ]]; then + $quiet || printf 'Warning: %s has no gcov notes file\n' "$f" 1>&2 + continue + fi + fi + + if [[ -f ${objdir}/${dir}/.libs/${base}.gcda ]]; then + ((verbose > 1)) && printf 'Running gcov for %s using gcda from .libs\n' "$f" 1>&2 + if ! 
(cd "${objdir}/${f%/*}"; ((verbose > 2)) && set -vx; gcov -o .libs "${f##*/}") 1>&3; then + $quiet || printf 'Warning: gcov failed for %s\n' "$f" 1>&2 + continue + fi + elif [[ -f ${objdir}/${dir}/${base}.gcda ]]; then + if ! (cd "${objdir}/${f%/*}"; ((verbose > 2)) && set -vx; gcov "${f##*/}") 1>&3; then + $quiet || printf 'Warning: gcov failed for %s\n' "$f" 1>&2 + continue + fi + fi + + if [[ ! -f ${objdir}/${f}.gcov ]]; then + $quiet || printf 'Warning: gcov did not produce a .gcov file for %s\n' "$f" 1>&2 + continue + fi + + md5=$(md5sum "${srcdir}/${f}") + md5=${md5%% *} + + jq -Rn --arg sum "${md5}" --arg f "$f" ' + { + name: $f, + source_digest: $sum, + coverage: [ + inputs + | split(":") + | (.[1] |= tonumber) + | select(.[1] > 0) + | if .[0]|endswith("#") + then 0 + elif .[0]|endswith("-") + then null + else .[0]|tonumber + end + ] + } + ' "${objdir}/${f}.gcov" >> "${d}/f" +done + +function make_report { + jq -s --arg job "$job" \ + --arg ci "${ci:-travis-ci}" \ + --arg token "$token" \ + --arg repo "$repo" \ + --arg branch "$branch" \ + --arg upstream "$origin" \ + --arg head "$(git log -n1 --format=%H)" \ + --arg subject "$(git log -n1 --format=%s)" \ + --arg aN "$(git log -n1 --format=%aN)" \ + --arg ae "$(git log -n1 --format=%ae)" \ + --arg cN "$(git log -n1 --format=%cN)" \ + --arg ce "$(git log -n1 --format=%ce)" \ + '{ + service_job_id: $job, + service_name: $ci, + repo_token: $token, + git: { + id: $head, + author_name: $aN, + author_email: $ae, + committer_name: $cN, + committer_email: $ce, + message: $subject, + branch: $branch, + remotes: [ { + "name": $upstream, + "url": $repo + } + ] + }, + source_files: . + }' "${d}/f" +} + +if [[ -z $out ]]; then + post=true + make_report > "${d}/out" +elif [[ $out = - ]]; then + make_report +else + make_report > "${out}" +fi + +if $post && [[ $out != /dev/stdout ]]; then + curl -sfg -X POST -F "json_file=@${d}/out" -F "Filename=json_file" \ + https://coveralls.io/api/v1/jobs +fi 
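Review bot: `make_report` in coveralls-tool passes the Coveralls secret as `--arg token "$token"`, which puts it on the jq command line. There it shows up in the process list and in the `set -vx` trace that the script appears to enable at high verbosity. Reading it inside the filter keeps it off argv: `repo_token: env.COVERALLS_REPO_TOKEN`. The option parsing is not readable in this view, so if a flag can also set `token`, export it under one name first. The finished report embeds `repo_token` too, so a comment near the `$out` handling should warn against archiving that file or stdout as a CI artifact. Separately, the gcov subshells run `cd "${objdir}/${f%/*}"; … gcov …` inside `if !`, where `set -e` has no effect, so a failed `cd` runs gcov in the wrong directory; `cd "${objdir}/${f%/*}" &&` would prevent that.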
diff --git a/third_party/heimdal/tools/fixgcov-source-paths.sh b/third_party/heimdal/tools/fixgcov-source-paths.sh
new file mode 100755
index 0000000..eaa9c9c
--- /dev/null
+++ b/third_party/heimdal/tools/fixgcov-source-paths.sh
@@ -0,0 +1,18 @@ +#!/bin/sh + +find ${1:-.} -name '*.gcov' -print | while read f; do + case "$f" in + */.libs/*) continue;; + *) true;; + esac + echo FIX $f + f_basename=${f%%.gcno\#\#*}.c + f_basename=${f_basename##*/} + head -1 "$f" | grep 'Source:/' > /dev/null && continue + #bname=$(head -1 "$f" | grep 'Source:/' | cut -d: -f4) + dname=$(echo "$f"|cut -d'#' -f1|sed -e 's,/[^/]*$,/,') + ex "$f" <, this program wouldn't exists +# without his help. +# + +use strict; +use Sys::Hostname; + +my $notlocal = 'not SU'; +my @local_realms = ( "SU.SE" ); +my @local_networks_re = + ( + "130\.237", + "193\.11\.3[0-9]\.", + "130.242.128", + "2001:6b0:5:" + ); + +my $as_req = 0; +my %as_req_addr; +my %as_req_addr_nonlocal; +my %as_req_client; +my %as_req_server; +my %addr_uses_des; +my %princ_uses_des; +my $five24_req = 0; +my %five24_req_addr; +my %five24_req_addr_nonlocal; +my %five24_req_server; +my %five24_req_client; +my $as_req_successful = 0; +my $as_req_error = 0; +my $no_such_princ = 0; +my %no_such_princ_princ; +my %no_such_princ_addr; +my %no_such_princ_addr_nonlocal; +my $as_req_etype_odd = 0; +my %bw_addr; +my $pa_alt_princ_request = 0; +my $pa_alt_princ_verify = 0; +my $tgs_req = 0; +my %tgs_req_addr; +my %tgs_req_addr_nonlocal; +my %tgs_req_client; +my %tgs_req_server; +my $tgs_xrealm_out = 0; +my %tgs_xrealm_out_realm; +my %tgs_xrealm_out_princ; +my $tgs_xrealm_in = 0; +my %tgs_xrealm_in_realm; +my %tgs_xrealm_in_princ; +my %enctype_session; +my %enctype_ticket; +my $restarts = 0; +my $forward_non_forward = 0; +my $v4_req = 0; +my %v4_req_addr; +my %v4_req_addr_nonlocal; +my $v4_cross = 0; +my %v4_cross_realm; +my $v5_cross = 0; +my %v5_cross_realm; +my $referrals = 0; +my %referral_princ; +my %referral_realm; +my %strange_tcp_data; +my $http_malformed = 0; +my %http_malformed_addr; +my $http_non_kdc = 0; +my %http_non_kdc_addr; +my $tcp_conn_timeout = 0; +my %tcp_conn_timeout_addr; +my $failed_processing = 0; +my %failed_processing_addr; +my $connection_closed 
= 0; +my %connection_closed_addr; +my $pa_failed = 0; +my %pa_failed_princ; +my %pa_failed_addr; +my %ip; + +$ip{'4'} = $ip{'6'} = 0; + +while (<>) { + process_line($_); +} + +print "Kerberos KDC Log Report for ", + hostname, " on ", scalar localtime, "\n\n"; + +print "General Statistics\n\n"; + +print "\tNumber of IPv4 requests: $ip{'4'}\n"; +print "\tNumber of IPv6 requests: $ip{'6'}\n\n"; + +print "\tNumber of restarts: $restarts\n"; +print "\tNumber of V4 requests: $v4_req\n"; +if ($v4_req > 0) { + print "\tTop ten IP addresses performing V4 requests:\n"; + topten(\%v4_req_addr); +} +if (int(keys %v4_req_addr_nonlocal) > 0) { + print "\tTop ten $notlocal IP addresses performing V4 requests:\n"; + topten(\%v4_req_addr_nonlocal); + +} +print "\n"; + +print "\tNumber of V4 cross realms (krb4 and 524) requests: $v4_cross\n"; +if ($v4_cross > 0) { + print "\tTop ten realms performing V4 cross requests:\n"; + topten(\%v4_cross_realm); +} +print "\n"; + +print "\tNumber of V45 cross realms requests: $v5_cross\n"; +if ($v5_cross > 0) { + print "\tTop ten realms performing V4 cross requests:\n"; + topten(\%v5_cross_realm); +} +print "\n"; + +print "\tNumber of failed lookups: $no_such_princ\n"; +if ($no_such_princ > 0) { + print "\tTop ten IP addresses failing to find principal:\n"; + topten(\%no_such_princ_addr); + print "\tTop ten $notlocal IP addresses failing find principal:\n"; + topten(\%no_such_princ_addr_nonlocal); + print "\tTop ten failed to find principals\n"; + topten(\%no_such_princ_princ); +} +print "\n"; + +print "\tBandwidth pigs:\n"; +topten(\%bw_addr); +print "\n"; + +print "\tStrange TCP data clients: ", int(keys %strange_tcp_data),"\n"; +topten(\%strange_tcp_data); +print "\n"; + +print "\tTimeout waiting on TCP requests: ", $tcp_conn_timeout,"\n"; +if ($tcp_conn_timeout > 0) { + print "\tTop ten TCP timeout request clients\n"; + topten(\%tcp_conn_timeout_addr); +} +print "\n"; + +print "\tFailed processing requests: ", $failed_processing,"\n"; +if 
($failed_processing > 0) { + print "\tTop ten failed processing request clients\n"; + topten(\%failed_processing_addr); +} +print "\n"; + +print "\tConnection closed requests: ", $connection_closed,"\n"; +if ($connection_closed > 0) { + print "\tTop ten connection closed request clients\n"; + topten(\%connection_closed_addr); +} +print "\n"; + +print "\tMalformed HTTP requests: ", $http_malformed,"\n"; +if ($http_malformed > 0) { + print "\tTop ten malformed HTTP request clients\n"; + topten(\%http_malformed_addr); +} +print "\n"; + +print "\tHTTP non kdc requests: ", $http_non_kdc,"\n"; +if ($http_non_kdc > 0) { + print "\tTop ten HTTP non KDC request clients\n"; + topten(\%http_non_kdc_addr); +} +print "\n"; + +print "Report on AS_REQ requests\n\n"; +print "Overall AS_REQ statistics\n\n"; + +print "\tTotal number: $as_req\n"; + +print "\nAS_REQ client/server statistics\n\n"; + +print "\tDistinct IP Addresses performing requests: ", + int(keys %as_req_addr),"\n"; +print "\tOverall top ten IP addresses\n"; +topten(\%as_req_addr); + +print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ", + int(keys %as_req_addr_nonlocal), "\n"; +print "\tTop ten non-local ($notlocal) IP address:\n"; +topten(\%as_req_addr_nonlocal); + +print "\n\tPreauth failed for for: ", $pa_failed, " requests\n"; +if ($pa_failed) { + print "\tPreauth failed top ten IP addresses:\n"; + topten(\%pa_failed_addr); + print "\tPreauth failed top ten principals:\n"; + topten(\%pa_failed_princ); +} + +print "\n\tDistinct clients performing requests: ", + int(keys %as_req_client), "\n"; +print "\tTop ten clients:\n"; +topten(\%as_req_client); + +print "\tDistinct services requested: ", int(keys %as_req_server), "\n"; +print "\tTop ten requested services:\n"; +topten(\%as_req_server); + +print "\n\n\nReport on TGS_REQ requests:\n\n"; +print "Overall TGS_REQ statistics\n\n"; +print "\tTotal number: $tgs_req\n"; + +print "\nTGS_REQ client/server statistics\n\n"; +print "\tDistinct IP 
addresses performing requests: ", + int(keys %tgs_req_addr), "\n"; +print "\tOverall top ten IP addresses\n"; +topten(\%tgs_req_addr); + +print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ", + int(keys %tgs_req_addr_nonlocal), "\n"; +print "\tTop ten non-local ($notlocal) IP address:\n"; +topten(\%tgs_req_addr_nonlocal); + +print "\tDistinct clients performing requests: ", + int(keys %tgs_req_client), "\n"; +print "\tTop ten clients:\n"; +topten(\%tgs_req_client); + +print "\tDistinct services requested: ", int(keys %tgs_req_server), "\n"; +print "\tTop ten requested services:\n"; +topten(\%tgs_req_server); + +print "\n\n\nReport on 524_REQ requests:\n\n"; + +print "\t524_REQ client/server statistics\n\n"; + +print "\tDistinct IP Addresses performing requests: ", + int(keys %five24_req_addr),"\n"; +print "\tOverall top ten IP addresses\n"; +topten(\%five24_req_addr); + +print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ", + int(keys %five24_req_addr_nonlocal), "\n"; +print "\tTop ten non-local ($notlocal) IP address:\n"; +topten(\%five24_req_addr_nonlocal); + +print "\tDistinct clients performing requests: ", int(keys %five24_req_client), "\n"; +print "\tTop ten clients:\n"; +topten(\%five24_req_client); + +print "\tDistinct services requested: ", int(keys %five24_req_server), "\n"; +print "\tTop ten requested services:\n"; +topten(\%five24_req_server); +print "\n"; + +print "Cross realm statistics\n\n"; + +print "\tNumber of cross-realm tgs out: $tgs_xrealm_out\n"; +if ($tgs_xrealm_out > 0) { + print "\tTop ten realms used for out cross-realm:\n"; + topten(\%tgs_xrealm_out_realm); + print "\tTop ten principals use out cross-realm:\n"; + topten(\%tgs_xrealm_out_princ); +} +print "\tNumber of cross-realm tgs in: $tgs_xrealm_in\n"; +if ($tgs_xrealm_in > 0) { + print "\tTop ten realms used for in cross-realm:\n"; + topten(\%tgs_xrealm_in_realm); + print "\tTop ten principals use in cross-realm:\n"; + 
topten(\%tgs_xrealm_in_princ); +} + +print "\n\nReport on referral:\n\n"; + +print "\tNumber of referrals: $referrals\n"; +if ($referrals > 0) { + print "\tTop ten referral-ed principals:\n"; + topten(\%referral_princ); + print "\tTop ten to realm referrals:\n"; + topten(\%referral_realm); +} + +print "\n\nEnctype Statistics:\n\n"; +print "\tTop ten session enctypes:\n"; +topten(\%enctype_session); +print "\tTop ten ticket enctypes:\n"; +topten(\%enctype_ticket); + +print "\tDistinct IP addresses using DES: ", int(keys %addr_uses_des), "\n"; +print "\tTop IP addresses using DES:\n"; +topten(\%addr_uses_des); +print "\tDistinct principals using DES: ", int(keys %princ_uses_des), "\n"; +print "\tTop ten principals using DES:\n"; +topten(\%princ_uses_des); + +print "\n"; + +printf("Requests to forward non-forwardable ticket: $forward_non_forward\n"); + + +exit 0; + +my $last_addr = ""; +my $last_principal = ""; + +sub process_line { + local($_) = @_; + # + # Eat these lines that are output as a result of startup (but + # log the number of restarts) + # + if (/AS-REQ \(krb4\) (.*) from IPv([46]):([0-9\.:a-fA-F]+) for krbtgt.*$/){ + $v4_req++; + $v4_req_addr{$3}++; + $v4_req_addr_nonlocal{$3}++ if (!islocaladdr($3)); + $last_addr = $3; + $last_principal = $1; + $ip{$2}++; + } elsif (/AS-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) { + $as_req++; + $as_req_client{$1}++; + $as_req_server{$4}++; + $as_req_addr{$3}++; + $as_req_addr_nonlocal{$3}++ if (!islocaladdr($3)); + $last_addr = $3; + $last_principal = $1; + $ip{$2}++; + } elsif (/TGS-REQ \(krb4\)/) { + #Nothing + } elsif (/TGS-REQ (.+) from IPv([46]):([0-9\.:a-fA-F]+) for (.*?)( \[.*\]){0,1}$/) { + $tgs_req++; + $tgs_req_client{$1}++; + $tgs_req_server{$4}++; + $tgs_req_addr{$3}++; + $tgs_req_addr_nonlocal{$3}++ if (!islocaladdr($3)); + $last_addr = $3; + $last_principal = $1; + $ip{$2}++; + + my $source = $1; + my $dest = $4; + + if (!islocalrealm($source)) { + $tgs_xrealm_in++; + 
$tgs_xrealm_in_princ{$source}++; + if ($source =~ /[^@]+@([^@]+)/ ) { + $tgs_xrealm_in_realm{$1}++; + } + } + if ($dest =~ /krbtgt\/([^@]+)@[^@]+/) { + if (!islocalrealm($1)) { + $tgs_xrealm_out++; + $tgs_xrealm_out_realm{$1}++; + $tgs_xrealm_out_princ{$source}++; + } + } + } elsif (/524-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) { + $five24_req++; + $five24_req_client{$1}++; + $five24_req_server{$4}++; + $five24_req_addr{$3}++; + $five24_req_addr_nonlocal{$3}++ if (!islocaladdr($3)); + $last_addr = $3; + $last_principal = $1; + $ip{$2}++; + } elsif (/TCP data of strange type from IPv[46]:([0-9\.:a-fA-F]+)/) { + $strange_tcp_data{$1}++; + } elsif (/Lookup (.*) failed: No such entry in the database/) { + $no_such_princ++; + $no_such_princ_addr{$last_addr}++; + $no_such_princ_addr_nonlocal{$last_addr}++ if (!islocaladdr($last_addr)); + $no_such_princ_princ{$1}++; + } elsif (/Lookup .* succeeded$/) { + # Nothing + } elsif (/Malformed HTTP request from IPv[46]:([0-9\.:a-fA-F]+)$/) { + $http_malformed++; + $http_malformed_addr{$1}++; + } elsif (/TCP-connection from IPv[46]:([0-9\.:a-fA-F]+) expired after [0-9]+ bytes/) { + $tcp_conn_timeout++; + $tcp_conn_timeout_addr{$1}++; + } elsif (/Failed processing [0-9]+ byte request from IPv[46]:([0-9\.:a-fA-F]+)/) { + $failed_processing++; + $failed_processing_addr{$1}++; + } elsif (/connection closed before end of data after [0-9]+ bytes from IPv[46]:([0-9\.:a-fA-F]+)/) { + $connection_closed++; + $connection_closed_addr{$1}++; + } elsif (/HTTP request from IPv[46]:([0-9\.:a-fA-F]+) is non KDC request/) { + $http_non_kdc++; + $http_non_kdc_addr{$1}++; + } elsif (/returning a referral to realm (.*) for server (.*) that was not found/) { + $referrals++; + $referral_princ{$2}++; + $referral_realm{$1}++; + } elsif (/krb4 Cross-realm (.*) -> (.*) disabled/) { + $v4_cross++; + $v4_cross_realm{$1."->".$2}++; + } elsif (/524 cross-realm (.*) -> (.*) disabled/) { + $v4_cross++; + $v4_cross_realm{$1."->".$2}++; + } elsif 
(/cross-realm (.*) -> (.*): no transit through realm (.*)/) { + } elsif (/cross-realm (.*) -> (.*) via \[([^\]]+)\]/) { + $v5_cross++; + $v5_cross_realm{$1."->".$2}++; + } elsif (/cross-realm (.*) -> (.*)/) { + $v5_cross++; + $v5_cross_realm{$1."->".$2}++; + } elsif (/sending ([0-9]+) bytes to IPv[46]:([0-9\.:a-fA-F]+)/) { + $bw_addr{$2} += $1; + } elsif (/Using ([-a-z0-9]+)\/([-a-z0-9]+)/) { + $enctype_ticket{$1}++; + $enctype_session{$2}++; + + my $ticket = $1; + my $session = $2; + + if ($ticket =~ /des-cbc-(crc|md4|md5)/) { + $addr_uses_des{$last_addr}++; + $princ_uses_des{$last_principal}++; + } + + } elsif (/Failed to decrypt PA-DATA -- (.+)$/) { + $pa_failed++; + $pa_failed_princ{$last_principal}++; + $pa_failed_addr{$last_addr}++; + + } elsif (/Request to forward non-forwardable ticket/) { + $forward_non_forward++; + } elsif (/HTTP request:/) { + } elsif (/krb_rd_req: Incorrect network address/) { + } elsif (/krb_rd_req: Ticket expired \(krb_rd_req\)/) { + } elsif (/Ticket expired \(.*\)/) { + } elsif (/krb_rd_req: Can't decode authenticator \(krb_rd_req\)/) { + } elsif (/Request from wrong address/) { + # XXX + } elsif (/UNKNOWN --/) { + # XXX + } elsif (/Too large time skew -- (.*)$/) { + # XXX + } elsif (/No PA-ENC-TIMESTAMP --/) { + # XXX + } elsif (/Looking for pa-data --/) { + # XXX + } elsif (/Pre-authentication succeded -- (.+)$/) { + # XXX + } elsif (/Bad request for ([,a-zA-Z0-9]+) ticket/) { + # XXX + } elsif (/Failed to verify AP-REQ: Ticket expired/) { + # XXX + } elsif (/Client not found in database:/) { + # XXX + } elsif (/Server not found in database \(krb4\)/) { + } elsif (/Server not found in database:/) { + # XXX + } elsif (/newsyslog.*logfile turned over/) { + # Nothing + } elsif (/Requested flags:/) { + # Nothing + } elsif (/shutting down/) { + # Nothing + } elsif (/listening on IP/) { + # Nothing + } elsif (/commencing operation/) { + $restarts++; + } + # + # Log it if we didn't parse the line + # + else { + print "Unknown log file 
line: $_"; + } +} + +sub topten { + my ($list) = @_; + my @keys; + + my $key; + + @keys = (sort {$$list{$b} <=> $$list{$a}} (keys %{$list})); + splice @keys, 10; + + foreach $key (@keys) { + print "\t\t$key - $$list{$key}\n"; + } +} + +sub islocaladdr (\$) { + my ($addr) = @_; + my $net; + + foreach $net (@local_networks_re) { + return 1 if ($addr =~ /$net/); + } + return 0; +} + +sub islocalrealm (\$) { + my ($princ) = @_; + my $realm; + + foreach $realm (@local_realms) { + return 1 if ($princ eq $realm); + return 1 if ($princ =~ /[^@]+\@${realm}/); + } + return 0; +} diff --git a/third_party/heimdal/tools/krb5-config.1 b/third_party/heimdal/tools/krb5-config.1 new file mode 100644 index 0000000..ced45de --- /dev/null +++ b/third_party/heimdal/tools/krb5-config.1 
@@ -0,0 +1,90 @@ +.\" Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.Dd November 30, 2000 +.Dt KRB5-CONFIG 1 +.Os HEIMDAL +.Sh NAME +.Nm krb5-config +.Nd "give information on how to link code against Heimdal libraries" +.Sh SYNOPSIS +.Nm +.Op Fl Fl prefix Ns Op = Ns Ar dir +.Op Fl Fl exec-prefix Ns Op = Ns Ar dir +.Op Fl Fl libs +.Op Fl Fl cflags +.Op Ar libraries +.Sh DESCRIPTION +.Nm +tells the application programmer what special flags to use to compile +and link programs against the libraries installed by Heimdal. +.Pp +Options supported: +.Bl -tag -width Ds +.It Fl Fl prefix Ns Op = Ns Ar dir +Print the prefix if no +.Ar dir +is specified, otherwise set prefix to +.Ar dir . +.It Fl Fl exec-prefix Ns Op = Ns Ar dir +Print the exec-prefix if no +.Ar dir +is specified, otherwise set exec-prefix to +.Ar dir . +.It Fl Fl libs +Output the set of libraries that should be linked against. This also +includes rpath flags with the expectation that the C compiler is used +for final link-edits. +.It Fl Fl cflags +Output the set of flags to give to the C compiler when using the +Heimdal libraries. +.El +.Pp +By default +.Nm +will output the set of flags and libraries to be used by a normal +program using the krb5 API. The user can also supply a library to be +used, the supported ones are: +.Bl -tag -width Ds +.It krb5 +(the default) +.It gssapi +use the krb5 gssapi mechanism +.It kadm-client +use the client-side kadmin libraries +.It kadm-server +use the server-side kadmin libraries +.El +.Sh SEE ALSO +.Xr cc 1 +.Sh HISTORY +.Nm +appeared in Heimdal 0.3d. diff --git a/third_party/heimdal/tools/krb5-config.in b/third_party/heimdal/tools/krb5-config.in new file mode 100644 index 0000000..6408530 --- /dev/null +++ b/third_party/heimdal/tools/krb5-config.in 
@@ -0,0 +1,266 @@
+#!/bin/sh
+
+cat <<'EOM'
+#!/bin/sh
+#
+# Copyright (c) 2000 - 2008 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+do_all=no
+do_libs=no
+do_lib_deps=no
+do_cflags=no
+do_usage=no
+print_prefix=no
+print_exec_prefix=no
+library=
+lib_krb5=no
+lib_gssapi=no
+lib_kadm_client=no
+lib_kadm_server=no
+lib_kafs=no
+
+if test $# -eq 0; then
+ do_usage=yes
+ usage_exit=1
+fi
+
+for i in $*; do
+ case $i in
+ --help)
+ do_usage=yes
+ usage_exit=0
+ ;;
+ --all)
+ do_all=yes
+ ;;
+ --vendor)
+ echo "Heimdal"
+ exit 0;
+ ;;
+ --version)
+ echo "@PACKAGE@ @VERSION@"
+ exit 0
+ ;;
+ --prefix=*)
+ prefix=`echo $i | sed 's/^--prefix=//'`
+ ;;
+ --prefix)
+ print_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=`echo $i | sed 's/^--exec-prefix=//'`
+ ;;
+ --exec-prefix)
+ print_exec_prefix=yes
+ ;;
+ --libs)
+ do_libs=yes
+ ;;
+ --deps)
+ do_lib_deps=yes
+ ;;
+ --cflags)
+ do_cflags=yes
+ ;;
+ krb5)
+ library=krb5
+ lib_krb5=yes
+ ;;
+ gssapi)
+ library=gssapi
+ lib_gssapi=yes
+ ;;
+ kadm-client)
+ library=kadm-client
+ lib_kadm_client=yes
+ ;;
+ kadm-server)
+ library=kadm-server
+ lib_kadm_server=yes
+ ;;
+ kafs)
+ library=kafs
+ lib_kafs=yes
+ ;;
+ *)
+ echo "unknown option: $i"
+ exit 1
+ ;;
+ esac
+done
+
+if test "$do_usage" = "yes"; then
+ echo "usage: $0 [options] [libraries]"
+ echo "options: [--help] show this message"
+ echo " [--all] display version, vendor, etc."
+ echo " [--version] display version information"
+ echo " [--prefix] display the prefix of Kerberos"
+ echo " [--exec-prefix] display the exec_prefix of Kerberos"
+ echo " [--cflags] display the CFLAGS required"
+ echo " [--libs] display the libraries required to link"
+ echo " [--deps] display the dependent libs required"
+ echo " for static linking"
+ echo
+ echo "libraries: krb5 Kerberos 5 applications"
+ echo " gssapi GSSAPI applications"
+ echo " kadm-client libkadm5 client"
+ echo " kadm-server libkadm5 server"
+ echo " kafs kafs"
+ exit $usage_exit
+fi
+
+if test X"$library" = X; then
+ lib_krb5=yes
+fi
+
+if test "$prefix" = ""; then
+ prefix=@prefix@
+fi
+if test "$exec_prefix" = ""; then
+ exec_prefix=@exec_prefix@
+fi
+
+libdir=@libdir@
+includedir=@includedir@
+
+if test "$do_all" = "yes"; then
+ echo "Version: @PACKAGE@ @VERSION@"
+ echo "Vendor: Heimdal"
+ echo "Prefix: $prefix"
+ echo "Exec_prefix: $exec_prefix"
+ exit 0
+fi
+
+if test "$print_prefix" = "yes"; then
+ echo $prefix
+ exit 0
+fi
+
+if test "$print_exec_prefix" = "yes"; then
+ echo $exec_prefix
+ exit 0
+fi
+
+# The following rpath_flag setting code is distilled from MIT Kerberos'
+# src/config/shlib.conf. Some of this seems ancient and likely to be
+# wrong in some cases, but right for all the cases we probably care
+# about. Also, this will very likely be wrong depending on how the
+# caller will be doing link-edits (with what compiler-driver or
+# link-editor)! There's no fixing this.
+#
+# In principle this doesn't belong here: application should instead use
+# krb5-config --libdir to get the directory to use for the rpath, then
+# workout the rpath flags on their own. Of course, there's no --libdir
+# option... And MIT's krb5-config does include rpath flags.
+#
+# Compatibility with MIT is the winning consideration for now.
+EOM
+
+case "@CANONICAL_HOST@" in
+alpha*-dec-osf*)
+ rpath_flag='-Wl,-rpath -Wl,';;
+*-*-hpux*)
+ rpath_flag='-Wl,+b,';;
+*-*-irix* | mips-*-netbsd*)
+ rpath_flag='-Wl,-rpath -Wl,';;
+*-*-netbsd* | *-*-openbsd* | *-*-solaris*)
+ rpath_flag='-R';;
+*-*-linux* | *-*-gnu* | *-*-k*bsd*-gnu | *-*-freebsd*)
+ rpath_flag='-Wl,--enable-new-dtags -Wl,-rpath -Wl,';;
+*-*-aix*)
+ rpath_flag='-Wl,-blibpath:';;
+*)
+rpath_flag=;;
+esac
+
+echo "rpath_flag='$rpath_flag'"
+
+cat <<'EOM'
+
+if test "$do_libs" = "yes"; then
+ deplibs=""
+ if test "$lib_gssapi" = yes; then
+ lib_flags="$lib_flags -lgssapi"
+ deplibs="$deplibs -lheimntlm"
+ if test X"$do_lib_deps" = Xyes; then
+ lib_krb5=yes
+ fi
+ fi
+ if test "$lib_kadm_client" = yes; then
+ lib_flags="$lib_flags -lkadm5clnt"
+ if test X"$do_lib_deps" = Xyes; then
+ lib_krb5=yes
+ fi
+ fi
+ if test "$lib_kadm_server" = yes; then
+ lib_flags="$lib_flags -lkadm5srv"
+ deplibs="$deplibs @LIB_dbopen@"
+ if test X"$do_lib_deps" = Xyes; then
+ lib_krb5=yes
+ fi
+ fi
+ if test "$lib_kafs" = yes; then
+ lib_flags="$lib_flags -lkafs"
+ if test X"$do_lib_deps" = Xyes; then
+ lib_krb5=yes
+ fi
+ fi
+ if test "$lib_krb5" = yes; then
+ lib_flags="$lib_flags -lkrb5"
+ fi
+ deplibs="$deplibs @LIB_pkinit@ -lcom_err"
+ deplibs="$deplibs @LIB_hcrypto_appl@ -lasn1 -lwind -lheimbase -lroken"
+ deplibs="$deplibs @LIB_crypt@ @PTHREAD_LIBADD@ @LIB_dlopen@"
+ deplibs="$deplibs @LIB_door_create@ @LIBS@"
+ if test X"$do_lib_deps" = X"yes"; then
+ lib_flags="$lib_flags $deplibs"
+ fi
+ if test X"$libdir" != X/usr/lib; then
+ lib_flags="-L${libdir} $lib_flags"
+ if test X"$rpath_flag" != X; then
+ lib_flags="${rpath_flag}${libdir} $lib_flags"
+ fi
+ fi
+
+ echo ${lib_flags}
+fi
+if test "$do_cflags" = "yes"; then
+ cflags=""
+ if test X"${includedir}" != X/usr/include; then
+ cflags="-I${includedir} $cflags"
+ fi
+ echo $cflags
+fi
+
+exit 0
+EOM
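Review bot: `lib_flags` is never initialised in the generated script, so the `--libs` branch (`lib_flags="$lib_flags -lgssapi"` and the lines after it) starts from whatever `lib_flags` the caller's environment happens to export, and that text is echoed straight into the link line. `prefix` and `exec_prefix` are in the same position: the initial variable block does not clear them and they are only defaulted when they test empty, so an inherited value is reported by `--prefix`/`--all` and, if `@libdir@` or `@includedir@` expand relative to them (not visible here), also reaches the emitted `-L`, `-I` and rpath flags. Adding `lib_flags=` beside `deplibs=""` and `prefix=` / `exec_prefix=` to the block that sets `do_all=no` keeps the output dependent only on the arguments. Separately, `for i in $*` re-splits and glob-expands the arguments; `for i in "$@"` with `"$i"` quoted in the two `echo $i | sed` lines avoids that.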
diff --git a/third_party/heimdal/tools/krb5-gssapi.pc.in b/third_party/heimdal/tools/krb5-gssapi.pc.in
new file mode 100644
index 0000000..482b78f
--- /dev/null
+++ b/third_party/heimdal/tools/krb5-gssapi.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: krb5-gssapi
+Description: Kerberos implementation of the GSS API.
+Version: @VERSION@
+Requires: heimdal-gssapi
diff --git a/third_party/heimdal/tools/krb5.pc.in b/third_party/heimdal/tools/krb5.pc.in
new file mode 100644
index 0000000..5ed2007
--- /dev/null
+++ b/third_party/heimdal/tools/krb5.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+vendor=Heimdal
+
+Name: krb5
+Description: Heimdal implementation of the kerberos network authentication.
+Version: @VERSION@
+Requires: heimdal-krb5
-- 
cgit v1.2.3