From e4cfa730eecb48698edad1bc4b0ca3d0b8721136 Mon Sep 17 00:00:00 2001 
From: Heimdal SVN import Date: Mon, 13 Sep 2004 12:22:28 +0000 Subject: [PATCH] This commit was manufactured by cvs2svn to create tag 'heimdal-0-6-3'. git-svn-id: svn://svn.h5l.se/heimdal/tags/heimdal-release/heimdal-0-6-3@14226 ec53bebd-3082-4978-b11e-865c3cabbd6b --- ChangeLog | 395 ++++++++ NEWS | 39 +- acinclude.m4 | 9 - admin/get.c | 4 + appl/afsutil/ChangeLog | 9 + appl/afsutil/afslog.c | 4 +- appl/ftp/ChangeLog | 54 ++ appl/ftp/ftp/ftp.1 | 11 +- appl/ftp/ftp/ftp.c | 7 +- appl/ftp/ftp/gssapi.c | 89 +- appl/ftp/ftp/main.c | 7 + appl/ftp/ftp/security.h | 1 + appl/ftp/ftpd/extern.h | 4 - appl/ftp/ftpd/ftpcmd.y | 69 +- appl/ftp/ftpd/ftpd.8 | 13 +- appl/ftp/ftpd/ftpd.c | 379 ++++---- appl/ftp/ftpd/ftpd_locl.h | 1 - appl/kx/ChangeLog | 24 + appl/kx/krb4.c | 3 +- appl/kx/krb5.c | 138 +-- appl/kx/kxd.c | 8 +- appl/login/ChangeLog | 5 + appl/login/login.c | 24 +- appl/popper/ChangeLog | 6 + appl/popper/pop_init.c | 5 +- appl/push/ChangeLog | 4 + appl/push/push.c | 20 +- appl/rsh/rshd.c | 2 +- appl/su/ChangeLog | 5 + appl/su/su.c | 8 +- appl/telnet/ChangeLog | 18 + appl/telnet/libtelnet/kerberos5.c | 24 +- appl/telnet/telnet/main.c | 2 + appl/telnet/telnet/network.c | 14 +- appl/telnet/telnetd/state.c | 3 +- appl/telnet/telnetd/telnetd.c | 2 + appl/xnlock/ChangeLog | 22 + appl/xnlock/Makefile.am | 2 + appl/xnlock/xnlock.c | 17 +- cf/ChangeLog | 14 + cf/Makefile.am.common | 4 +- cf/aix.m4 | 2 +- cf/auth-modules.m4 | 2 +- cf/broken-getaddrinfo.m4 | 2 +- cf/broken-getnameinfo.m4 | 2 +- cf/broken-glob.m4 | 2 +- cf/broken-realloc.m4 | 2 +- cf/broken-snprintf.m4 | 4 +- cf/c-attribute.m4 | 2 +- cf/c-function.m4 | 2 +- cf/capabilities.m4 | 2 +- cf/check-compile-et.m4 | 16 +- cf/check-declaration.m4 | 2 +- cf/check-getpwnam_r-posix.m4 | 2 +- cf/check-man.m4 | 2 +- cf/check-netinet-ip-and-tcp.m4 | 2 +- cf/check-type-extra.m4 | 2 +- cf/check-x.m4 | 2 +- cf/check-xau.m4 | 2 +- cf/crypto.m4 | 1 + cf/find-func-no-libs.m4 | 2 +- cf/find-func-no-libs2.m4 | 2 +- cf/find-func.m4 | 2 +- 
cf/find-if-not-broken.m4 | 2 +- cf/have-pragma-weak.m4 | 2 +- cf/have-struct-field.m4 | 2 +- cf/have-type.m4 | 2 +- cf/have-types.m4 | 2 +- cf/krb-bigendian.m4 | 2 +- cf/krb-func-getcwd-broken.m4 | 2 +- cf/krb-func-getlogin.m4 | 2 +- cf/krb-ipv6.m4 | 2 +- cf/krb-prog-ln-s.m4 | 2 +- cf/krb-prog-ranlib.m4 | 2 +- cf/krb-prog-yacc.m4 | 2 +- cf/krb-readline.m4 | 2 +- cf/krb-struct-spwd.m4 | 2 +- cf/krb-struct-winsize.m4 | 2 +- cf/krb-sys-aix.m4 | 2 +- cf/krb-sys-nextstep.m4 | 2 +- cf/krb-version.m4 | 2 +- cf/mips-abi.m4 | 2 +- cf/need-proto.m4 | 2 +- cf/osfc2.m4 | 2 +- cf/proto-compat.m4 | 2 +- cf/retsigtype.m4 | 2 +- cf/roken-frag.m4 | 2 +- cf/roken.m4 | 2 +- cf/test-package.m4 | 2 +- cf/wflags.m4 | 2 +- config.guess | 318 ++++--- config.sub | 191 ++-- configure.in | 6 +- doc/Makefile.am | 2 +- doc/ack.texi | 2 +- doc/programming.texi | 2 +- doc/setup.texi | 196 +++- fix-export | 17 +- include/make_crypto.c | 5 +- install-sh | 149 +-- kadmin/ChangeLog | 7 + kadmin/kadmind.c | 4 +- kadmin/version4.c | 2 + kdc/config.c | 22 +- kdc/connect.c | 20 +- kdc/kaserver.c | 9 + kdc/kdc.8 | 6 +- kdc/kdc_locl.h | 4 + kdc/kerberos4.c | 36 +- kdc/kerberos5.c | 184 ++-- kdc/v4_dump.c | 4 +- kuser/kdestroy.c | 4 +- kuser/kinit.c | 43 +- kuser/klist.c | 30 +- lib/asn1/Makefile.am | 3 +- lib/asn1/check-gen.c | 20 +- lib/asn1/der_free.c | 5 +- lib/asn1/der_length.c | 59 +- lib/asn1/der_locl.h | 3 + lib/asn1/gen_free.c | 8 +- lib/asn1/gen_length.c | 4 + lib/asn1/k5.asn1 | 7 + lib/auth/ChangeLog | 10 + lib/auth/afskauthlib/verify.c | 80 +- lib/auth/sia/Makefile.am | 6 +- lib/gssapi/8003.c | 45 +- lib/gssapi/ChangeLog | 110 +++ lib/gssapi/Makefile.am | 9 +- lib/gssapi/accept_sec_context.c | 20 +- lib/gssapi/acquire_cred.c | 10 +- lib/gssapi/add_cred.c | 54 +- lib/gssapi/arcfour.c | 623 +++++++++++++ lib/gssapi/arcfour.h | 98 ++ lib/gssapi/compat.c | 39 +- lib/gssapi/context_time.c | 48 +- lib/gssapi/decapsulate.c | 79 ++ lib/gssapi/encapsulate.c | 20 + lib/gssapi/get_mic.c | 4 + 
lib/gssapi/gss_acquire_cred.3 | 21 + lib/gssapi/gssapi.3 | 31 +- lib/gssapi/gssapi.h | 18 +- lib/gssapi/gssapi_locl.h | 31 + lib/gssapi/init_sec_context.c | 41 +- lib/gssapi/krb5/8003.c | 234 ----- lib/gssapi/krb5/ChangeLog | 578 ------------ lib/gssapi/krb5/Makefile.am | 65 -- lib/gssapi/krb5/accept_sec_context.c | 431 --------- lib/gssapi/krb5/acquire_cred.c | 303 ------- lib/gssapi/krb5/add_cred.c | 216 ----- lib/gssapi/krb5/add_oid_set_member.c | 69 -- lib/gssapi/krb5/address_to_krb5addr.c | 76 -- lib/gssapi/krb5/canonicalize_name.c | 46 - lib/gssapi/krb5/compare_name.c | 51 -- lib/gssapi/krb5/compat.c | 90 -- lib/gssapi/krb5/context_time.c | 67 -- lib/gssapi/krb5/copy_ccache.c | 58 -- lib/gssapi/krb5/create_emtpy_oid_set.c | 52 -- lib/gssapi/krb5/decapsulate.c | 105 --- lib/gssapi/krb5/delete_sec_context.c | 69 -- lib/gssapi/krb5/display_name.c | 73 -- lib/gssapi/krb5/display_status.c | 187 ---- lib/gssapi/krb5/duplicate_name.c | 59 -- lib/gssapi/krb5/encapsulate.c | 102 --- lib/gssapi/krb5/export_name.c | 94 -- lib/gssapi/krb5/export_sec_context.c | 223 ----- lib/gssapi/krb5/external.c | 235 ----- lib/gssapi/krb5/get_mic.c | 291 ------ lib/gssapi/krb5/gss_acquire_cred.3 | 444 --------- lib/gssapi/krb5/gssapi.3 | 133 --- lib/gssapi/krb5/gssapi.h | 774 ---------------- lib/gssapi/krb5/gssapi_locl.h | 148 --- lib/gssapi/krb5/import_name.c | 229 ----- lib/gssapi/krb5/import_sec_context.c | 212 ----- lib/gssapi/krb5/indicate_mechs.c | 55 -- lib/gssapi/krb5/init.c | 44 - lib/gssapi/krb5/init_sec_context.c | 559 ------------ lib/gssapi/krb5/inquire_context.c | 85 -- lib/gssapi/krb5/inquire_cred.c | 97 -- lib/gssapi/krb5/inquire_cred_by_mech.c | 80 -- lib/gssapi/krb5/inquire_mechs_for_name.c | 57 -- lib/gssapi/krb5/inquire_names_for_mech.c | 80 -- lib/gssapi/krb5/process_context_token.c | 65 -- lib/gssapi/krb5/release_buffer.c | 48 - lib/gssapi/krb5/release_cred.c | 62 -- lib/gssapi/krb5/release_name.c | 50 -- lib/gssapi/krb5/release_oid_set.c | 49 - 
lib/gssapi/krb5/test_acquire_cred.c | 98 -- lib/gssapi/krb5/test_oid_set_member.c | 55 -- lib/gssapi/krb5/unwrap.c | 417 --------- lib/gssapi/krb5/v1.c | 104 --- lib/gssapi/krb5/verify_mic.c | 313 ------- lib/gssapi/krb5/wrap.c | 448 ---------- lib/gssapi/release_cred.c | 10 +- lib/gssapi/unwrap.c | 5 + lib/gssapi/verify_mic.c | 49 +- lib/gssapi/wrap.c | 6 + lib/hdb/Makefile.am | 2 +- lib/hdb/db3.c | 15 +- lib/hdb/hdb-ldap.c | 197 ++-- lib/hdb/hdb_locl.h | 3 + lib/kadm5/ChangeLog | 16 + lib/kadm5/Makefile.am | 4 +- lib/kadm5/chpass_s.c | 10 +- lib/kadm5/init_c.c | 23 +- lib/kadm5/ipropd_slave.c | 10 +- lib/kadm5/truncate_log.c | 3 +- lib/kafs/ChangeLog | 19 + lib/kafs/Makefile.am | 2 +- lib/kafs/afskrb5.c | 18 +- lib/kafs/afssys.c | 71 +- lib/kafs/common.c | 6 +- lib/kafs/kafs.h | 3 +- lib/krb5/Makefile.am | 3 +- lib/krb5/changepw.c | 546 +++++++++-- lib/krb5/config_file.c | 15 +- lib/krb5/context.c | 2 + lib/krb5/crypto.c | 299 ++++--- lib/krb5/eai_to_heim_errno.c | 4 + lib/krb5/fcache.c | 281 ++++-- lib/krb5/get_cred.c | 88 +- lib/krb5/get_for_creds.c | 134 ++- lib/krb5/get_in_tkt.c | 10 +- lib/krb5/init_creds_pw.c | 6 +- lib/krb5/krb5.conf.5 | 131 ++- lib/krb5/krb5.h | 9 +- lib/krb5/krb5_set_password.3 | 109 +++ lib/krb5/krbhst.c | 2 +- lib/krb5/mcache.c | 22 +- lib/krb5/mk_req_ext.c | 9 + lib/krb5/mk_safe.c | 2 +- lib/krb5/name-45-test.c | 13 +- lib/krb5/parse-name-test.c | 2 +- lib/krb5/principal.c | 7 +- lib/krb5/rd_req.c | 76 +- lib/krb5/store.c | 67 +- lib/krb5/ticket.c | 9 +- lib/krb5/transited.c | 51 +- lib/krb5/verify_krb5_conf.c | 9 +- lib/otp/Makefile.am | 2 +- lib/roken/ChangeLog | 18 + lib/roken/Makefile.am | 76 +- lib/roken/gai_strerror.c | 4 + lib/roken/ndbm_wrap.c | 5 + lib/roken/resolve.c | 8 +- lib/roken/roken-common.h | 4 +- lib/vers/print_version.c | 4 +- ltconfig | 1441 ++++++++++++------------------ ltmain.sh | 1050 ++++++++++++++++------ make-release.el | 8 +- missing | 10 +- mkinstalldirs | 212 ++--- 251 files changed, 6669 insertions(+), 
11382 deletions(-) delete mode 100644 acinclude.m4 create mode 100644 lib/gssapi/arcfour.c create mode 100644 lib/gssapi/arcfour.h delete mode 100644 lib/gssapi/krb5/8003.c delete mode 100644 lib/gssapi/krb5/ChangeLog delete mode 100644 lib/gssapi/krb5/Makefile.am delete mode 100644 lib/gssapi/krb5/accept_sec_context.c delete mode 100644 lib/gssapi/krb5/acquire_cred.c delete mode 100644 lib/gssapi/krb5/add_cred.c delete mode 100644 lib/gssapi/krb5/add_oid_set_member.c delete mode 100644 lib/gssapi/krb5/address_to_krb5addr.c delete mode 100644 lib/gssapi/krb5/canonicalize_name.c delete mode 100644 lib/gssapi/krb5/compare_name.c delete mode 100644 lib/gssapi/krb5/compat.c delete mode 100644 lib/gssapi/krb5/context_time.c delete mode 100644 lib/gssapi/krb5/copy_ccache.c delete mode 100644 lib/gssapi/krb5/create_emtpy_oid_set.c delete mode 100644 lib/gssapi/krb5/decapsulate.c delete mode 100644 lib/gssapi/krb5/delete_sec_context.c delete mode 100644 lib/gssapi/krb5/display_name.c delete mode 100644 lib/gssapi/krb5/display_status.c delete mode 100644 lib/gssapi/krb5/duplicate_name.c delete mode 100644 lib/gssapi/krb5/encapsulate.c delete mode 100644 lib/gssapi/krb5/export_name.c delete mode 100644 lib/gssapi/krb5/export_sec_context.c delete mode 100644 lib/gssapi/krb5/external.c delete mode 100644 lib/gssapi/krb5/get_mic.c delete mode 100644 lib/gssapi/krb5/gss_acquire_cred.3 delete mode 100644 lib/gssapi/krb5/gssapi.3 delete mode 100644 lib/gssapi/krb5/gssapi.h delete mode 100644 lib/gssapi/krb5/gssapi_locl.h delete mode 100644 lib/gssapi/krb5/import_name.c delete mode 100644 lib/gssapi/krb5/import_sec_context.c delete mode 100644 lib/gssapi/krb5/indicate_mechs.c delete mode 100644 lib/gssapi/krb5/init.c delete mode 100644 lib/gssapi/krb5/init_sec_context.c delete mode 100644 lib/gssapi/krb5/inquire_context.c delete mode 100644 lib/gssapi/krb5/inquire_cred.c delete mode 100644 lib/gssapi/krb5/inquire_cred_by_mech.c delete mode 100644 
lib/gssapi/krb5/inquire_mechs_for_name.c delete mode 100644 lib/gssapi/krb5/inquire_names_for_mech.c delete mode 100644 lib/gssapi/krb5/process_context_token.c delete mode 100644 lib/gssapi/krb5/release_buffer.c delete mode 100644 lib/gssapi/krb5/release_cred.c delete mode 100644 lib/gssapi/krb5/release_name.c delete mode 100644 lib/gssapi/krb5/release_oid_set.c delete mode 100644 lib/gssapi/krb5/test_acquire_cred.c delete mode 100644 lib/gssapi/krb5/test_oid_set_member.c delete mode 100644 lib/gssapi/krb5/unwrap.c delete mode 100644 lib/gssapi/krb5/v1.c delete mode 100644 lib/gssapi/krb5/verify_mic.c delete mode 100644 lib/gssapi/krb5/wrap.c create mode 100644 lib/krb5/krb5_set_password.3 rewrite mkinstalldirs (70%) diff --git a/ChangeLog b/ChangeLog index 1ec522569..159cf48a4 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,398 @@ +2004-09-13 Johan Danielsson + + * Release 0.6.3 + +2004-09-05 Love Hörnquist Åstrand + + * lib/asn1/der_get.c (decode_enumerated): check that the tag + length isn't longer the the length + +2004-08-31 Love Hörnquist Åstrand + + * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): + kdc_reply can be set in case of failure too, clean on entry and + free the exit unconditionally to avoid memory leak + +2004-08-20 Love Hörnquist Åstrand + + * lib/krb5/context.c: 1.93: (krb5_get_err_text): if neither of + com_right nor strerror finds the error-code, return Unknown error. + +2004-08-13 Love Hörnquist Åstrand + + * kdc/kerberos5.c: based on 1.162: (get_pa_etype_info): check for + dup enctypes from the client and filter them out. + +2004-06-21 Love Hörnquist Åstrand + + * admin/get.c: 1.23: (kt_get): catch errors from krb5_parse_name + +2004-06-21 Love Hörnquist Åstrand + + * lib/krb5/Makefile.am: man_MANS += krb5_set_password.3 + + * lib/krb5/krb5_set_password.3: 1.1-1.3: change password manpage + + * lib/krb5/changepw.c: 1.49: implement + krb5_set_password_using_ccache 1.47: add tcp support to the set + protocol, should be cleaned up to enable sharing code with + krb5_sendto 1.46: (process_reply): log into result_string if + something goes bad, return 0 (even on failure), not the KPASSWD + protocol error code 1.45: krb5_princ_realm -> + krb5_principal_get_realm 1.44: (setpw_send_request): free + ap_req_data on failure 1.41: ooops, remove cut and paste error + 1.40: draft-ietf-cat-kerb-chg-password-02 and rfc3244 share the + response packet sure more constants now that they exists 1.39: + implement rfc3244, partly from shadow@dementia.org + + * lib/krb5/krb5.h: 1.211: some defines for rfc3244 + + * lib/asn1/Makefile.am: 1.71: (gen_files): + asn1_ChangePasswdDataMS.x for RFC3244 + + * lib/asn1/k5.asn1: 1.30: add ChangePasswdDataMS, for RFC3244 + + * kuser/kinit.c: 1.114: move "setpag if (argc < 1)" to common path + +2004-05-06 Johan Danielsson + + 
* Release 0.6.2 + +2004-04-02 Love Hörnquist Åstrand + + * kdc/connect.c: case size_t to unsigned long for LP64 platforms + +2004-04-01 Johan Danielsson + + * Release 0.6.1 + +2004-03-30 Love Hörnquist Åstrand + + * kdc/kerberos4.c: 1.46: stop the client from renewing tickets + into the future 
From: Jeffrey Hutzelman + +2004-03-10 Love Hörnquist Åstrand + + * lib/krb5/fcache.c: 1.43: (fcc_store_cred): NULL terminate + krb5_config_get_bool_default' arglist + +2004-03-09 Love Hörnquist Åstrand + + * lib/krb5/krb5.conf.5: 1.44: document + [libdefaults]fcc-mit-ticketflags=boolean 1.43: don't use path's in + first .Nm, it confuses some locate.updatedb, use FILES section to + describe where the file is instead. + + * lib/krb5/fcache.c (fcc_store_cred): default to use old format + + * lib/krb5/fcache.c: 1.42: (fcc_store_cred): use + [libdefaults]fcc-mit-ticketflags=boolean to decide what format to + write the fcc in. Default to mit format (aka heimdal 0.7 format) + 1.41: (_krb5_xlock): handle that everything was ok, and don't put + an error in the error strings then + + * lib/krb5/store.c: 1.43: add _krb5_store_creds_heimdal_0_7 and + _krb5_store_creds_heimdal_pre_0_7 that store the creds in just + that format make krb5_store_creds default to mit format 1.42: + (krb5_ret_creds): Runtime detect the what is the higher bits of + the bitfield 1.41: (krb5_store_creds): add disabled code that + store the ticket flags in reverse order (bitswap32): new function + 1.40: (krb5_ret_creds): if the higher ticket flags are set, its a + mit cache, reverse the bits, bug pointed out by Sergio Gelato + + + delta modfied to not change the behavior of krb5_store_creds + +2004-03-07 Love Hörnquist Åstrand + + * lib/krb5/mk_safe.c (krb5_mk_safe): fix assignment of usec2 + +2004-03-06 Love Hörnquist Åstrand + + * lib/krb5/mcache.c: patch based on 1.17 and 1.18 but with + threading code pulled out; + + 1.18: (mcc_get_principal): also check for primary_principal == + NULL now that that isn't used as dead flag 1.17: don't overload + the primary_principal == NULL as dead since that doesn't always + work Based on patch from Jeffrey Hutzelman , but + tweek by me + + * lib/krb5/crypto.c: 1.94: (decrypt_internal_special): do not not + modify the original data test case from Ronnie Sahlberg + 
+ +2004-02-13 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c: 1.22->1.23: (check_host): don't + check for EAI_NODATA, because its depricated in RFC3493 Pointed + out by Hajimu UMEMOTO on heimdal-discuss + + * lib/krb5/eai_to_heim_errno.c: 1.3->1.4: EAI_ADDRFAMILY and + EAI_NODATA is deprecated in RFC3493 + +2004-02-09 Love Hörnquist Åstrand + + * lib/asn1/der_length.c: 1.16: Fix len_unsigned for certain + negative integers, it got the length wrong, fix from Panasas, Inc. + + * lib/asn1/der_locl.h: 1.5: add _heim_len_unsigned, _heim_len_int + +2004-01-26 Love Hörnquist Åstrand + + * lib/asn1/gen_length.c: 1.14: (length_type): TSequenceOf: add up + the size of all the elements, don't use just the size of the last + element. + + * lib/krb5/fcache.c: 1.40: (_krb5_xlock): catch EINVAL and assume + that it means that the filesystem doesn't support locking 1.39: + (_krb5_xlock): fix compile error in last commit 1.38: internally + export x{,un}lock and thus prefix them with _krb5_ + +2004-01-13 Love Hörnquist Åstrand + + * kuser/kinit.c: 1.106: (renew_validate): if renewable_flag and + not time specifed, use "1 month" + 1.105: make -9 work again + +2004-01-09 Love Hörnquist Åstrand + + * lib/krb5/get_for_creds.c: 1.36: (add_addrs): don't increase + addr->len until in contains interesting data, use right iteration + counter when clearing the addresses 1.39: krb5_princ_realm -> + krb5_principal_get_realm 1.38: (krb5_get_forwarded_creds): use + KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded + krb-cred 1.39: (krb5_get_forwarded_creds): If tickets are + address-less, forward address-less tickets. 
1.40: + (krb5_get_forwarded_creds): try to handle errors better for + previous commit 1.41: (add_addrs): don't add same address multiple + times + + * lib/krb5/get_cred.c: 1.96->1.97: rename get_krbtgt to + _krb5_get_krbtgt and export it + +2003-12-14 Love Hörnquist Åstrand + + * kdc/kerberos5.c: part of 1.146->1.147: handle NULL client/server + names + +2003-12-03 Love Hörnquist Åstrand + + * lib/krb5/crypto.c: 1.90->1.91: require cipher-text to be padded + to padsize 1.91->1.92: (decrypt_internal_derived): move up padsize + check to avoid memory leak + +2003-12-01 Love Hörnquist Åstrand + + * kuser/kinit.c: 1.103->1.104: (main): return the return value + from simple_execvp + +2003-10-22 Love Hörnquist Åstrand + + * lib/krb5/transited.c: 1.13->1.14: (krb5_domain_x500_encode): + always zero out encoding to make sure it have a defined value on + failure + + * lib/krb5/transited.c: 1.12->1.13: (krb5_domain_x500_encode): if + num_realms == 0, set encoding and return (avoids malloc(0)) check + return value from malloc + +2003-10-21 Love Hörnquist Åstrand + + * doc/setup.texi: 1.35->1.36: spelling + + * kdc/kdc_locl.h: 1.58->1.59: add flag to always check transited + policy + + * doc/setup.texi: 1.27->1.35: many changes + + * lib/krb5/get_cred.c: 1.95->1.96: get capath info from [capaths] + section + + * lib/krb5/rd_req.c: 1.50->1.51: (krb5_decrypt_ticket): try to + verify transited realms, unless the transited-policy-checked flag + is set + + * lib/krb5/transited.c: + 1.12: (krb5_domain_x500_decode): set *num_realms to zero not num_realms + 1.11: (krb5_domain_x500_decode): handle zero length tr data; + (krb5_check_transited): new function that does more useful stuff + + * kdc/kdc.8: 1.23->1.24: document enforce-transited-policy + + * kdc/config.c: 1.47->1.48: add flag to always check transited + policy + + * kdc/kerberos5.c: + 1.150: (fix_transited_encoding): also verify with policy, + unless asked not to + 1.151: always check transited policy if flag set either 
globally + (on principal part of patch not pulled up) + 1.152: (fix_transited_encoding): set transited type + 1.153: (fix_transited_encoding): always print cross-realm information + +2003-10-06 Love Hörnquist Åstrand + + * lib/krb5/config_file.c: 1.48->1.49: + (krb5_config_parse_file_debug): punt if there is binding before a + section declaration. + Bug found by Arkadiusz Miskiewicz + + * kdc/kaserver.c: 1.21->1.23: + (do_getticket): if times data is shorter then 8 bytes, request is + malformed. + (do_authenticate): if request length is less then 8 bytes, its a + bad request and fail. Pointed out by Marco Foglia + +2003-09-22 Love Hörnquist Åstrand + + * lib/krb5/verify_krb5_conf.c: 1.17->1.18: add missing " within + #if 0 From: stefan sokoll + +2003-09-19 Love Hörnquist Åstrand + + * lib/krb5/rd_req.c: + 1.47->1.48: (krb5_rd_req): allow caller to pass in a key + in the auth_context, they way processes that doesn't use the + keytab can still pass in the key of the service (matches behavior + of MIT Kerberos). + +2003-09-18 Love Hörnquist Åstrand + + * lib/krb5/crypto.c: + 1.87->1.88: (usage2arcfour): simplify, only + include special cases From: Luke Howard + 1.86->1.87: (arcfour_checksum_p): return true when is arcfour, + not when its not pointed out by Luke Howard + 1.82->1.83: Do the arcfour checksum mapping for + krb5_create_checksum and krb5_verify_checksum, 
From: Luke Howard + + 1.81->1.82: (hmac): make it return an error + when out of memory, update callsites to either return error or use + krb5_abortx + (krb5_hmac): expose hmac + * lib/krb5/mk_req_ext.c: 1.26->1.27: (krb5_mk_req_internal): + when using arcfour-hmac-md5, use an unkeyed checksum + (rsa-md5), since Microsoft calculates the keyed checksum with + the subkey of the authenticator. + + * lib/krb5/get_cred.c: + 1.93->1.94 (init_tgs_req): make generation of subkey + optional on configuration parameter + [realms]realm={tgs_require_subkey=bool} + defaults to off. The RFC1510 weakly defines the correct behavior, + so old DCE secd apparently required the subkey to be there, and MS + will use it when its there. But the request isn't encrypted in the + subkey, so you get to choose if you want to talk to a MS mdc or a + old DCE secd. + + partly 1.91->1.92: (init_tgs_req): in case of error, don't + free in the req_body addresses since they where pass in by caller + + lib/krb5/get_in_tkt.c: + 1.108->1.1.09: (krb5_get_in_tkt): for compatibility with with + the mit implemtation, don't free `creds' argument when done, its up + the the caller to do that, also allow a NULL ccache. + + * doc/ack.texi + 1.16->1.17: update Luke Howard email address + + * lib/hdb/hdb-ldap.c: + 1.13->1.14: code rewrite from Luke Howard + 1.12->1.13: (LDAP_store): log what principal/dn failed + 1.11->1.12: use int2HDBFlags/HDBFlags2int + 
From: Alberto Patino , + Luke Howard + Pointed out by Andrew Bartlett of Samba + 1.10->1.11: (LDAP__connect): bind sasl "EXTERNAL" to ldap connection + (LDAP_store): remove superfluous argument to asprintf + From Alberto Patino + + * lib/krb5/krb5.h: + 1.214->1.2015: add KEYTYPE_ARCFOUR_56 + +2003-09-12 Love Hörnquist Åstrand + + * lib/krb5/config_file.c: fix prototypes Fredrik Ljungberg + + +2003-09-11 Love Hörnquist Åstrand + + * lib/hdb/hdb_locl.h: 1.18->1.19: include for ULONG_MAX + noted by Wissler Magnus on heimdal-discuss + +2003-08-29 Love Hörnquist Åstrand + + * lib/hdb/db3.c: 1.8->1.9: patch for working with DB4 on + heimdal-discuss 
From: Luke Howard 1.9->1.10: try + to include more db headers + +2003-08-25 Love Hörnquist Åstrand + + * kdc/connect.c: 1.92->1.93 (handle_tcp): handle recvfrom + returning 0 (connection closed) 1.91->1.92: (grow_descr): + increment the size after we succeed to allocate the space + +2003-08-15 Love Hörnquist Åstrand + + * lib/krb5/principal.c: 1.83->1.85: (unparse_name): len can't be + zero, so, don't check for that + (unparse_name): make sure there are space for a NUL, set *name to NULL + when there is a failure (so caller can't get hold of a freed + pointer) + +2003-05-08 Johan Danielsson + + * Release 0.6 + +2003-05-08 Love Hörnquist Åstrand + + * kuser/klist.c: 1.68->1.69: print tokens even if there isn't v4 + support + + * kuser/kdestroy.c: 1.14->1.15: destroy tokens even if there isn't + v4 support + + * kuser/kinit.c: 1.90->1.91: print tokens even if there isn't v4 + support + +2003-05-06 Johan Danielsson + + * lib/krb5/name-45-test.c: need to use empty krb5.conf for some + tests + + * lib/asn1/check-gen.c: there is no \e escape sequence; replace + everything with hex-codes, and cast to unsigned char* to make some + compilers happy + +2003-05-06 Love Hörnquist Åstrand + + * lib/krb5/get_in_tkt.c (make_pa_enc_timestamp): make sure first + argument to krb5_us_timeofday have correct type + +2003-05-05 Assar Westerlund + + * include/make_crypto.c (main): include aes.h if ENABLE_AES + +2003-05-05 Love Hörnquist Åstrand + + * NEWS: 1.108->1.110: fix text about gssapi compat + +2003-04-28 Love Hörnquist Åstrand + + * kdc/v4_dump.c: 1.4->1.5: (v4_prop_dump): limit strings length, + from openbsd + +2003-04-24 Love Hörnquist Åstrand + + * doc/programming.texi: 1.2-1.3: s/managment/management/, from jmc + + +2003-04-22 Love Hörnquist Åstrand + + * lib/krb5/krbhst.c: 1.43->1.44: copy NUL too, from janj@wenf.org + via openbsd + 2003-04-17 Love Hörnquist Åstrand * lib/asn1/der_copy.c (copy_general_string): use strdup 
diff --git a/NEWS b/NEWS
index 39b37518c..262038b26 100644
--- a/NEWS
+++ b/NEWS
@@ -1,15 +1,44 @@
+Changes in release 0.6.3
+
+ * fix vulnerabilities in ftpd
+
+ * support for linux AFS /proc "syscalls"
+
+ * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
+ kpasswdd
+
+ * fix possible KDC denial of service
+
+ * bug fixes
+
+Changes in release 0.6.2
+
+ * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
+
+Changes in release 0.6.1
+
+ * Fixed ARCFOUR suppport
+
+ * Cross realm vulnerability
+
+ * kdc: fix denial of service attack
+
+ * kdc: stop clients from renewing tickets into the future
+
+ * bug fixes
+
 Changes in release 0.6
 
+* The DES3 GSS-API mechanism has been changed to inter-operate with
+ other GSSAPI implementations. See man page for gssapi(3) how to turn
+ on generation of correct MIC messages. Next major release of heimdal
+ will generate correct MIC by default.
+
 * More complete GSS-API support
 
 * Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS support
 in applications no longer requires Kerberos 4 libs
 
-* The DES3 GSS-API mechanism has been changed to inter-operate with
- other GSSAPI implementations, this however break backward
- compatibility with earlier Heimdal releases (see man page GSS-API
- how to turn on backward compatibility)
-
 * Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
 
 * other bug fixes
diff --git a/acinclude.m4 b/acinclude.m4
deleted file mode 100644
index 1d0197c5c..000000000
--- a/acinclude.m4
+++ /dev/null
@@ -1,9 +0,0 @@
-dnl $Id$
-dnl
-dnl Only put things that for some reason can't live in the `cf'
-dnl directory in this file.
-dnl
-
-dnl $xId: misc.m4,v 1.1 1997/12/14 15:59:04 joda Exp $
-dnl
-define(upcase,`echo $1 | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
diff --git a/admin/get.c b/admin/get.c
index c1829b0d2..33749afc3 100644
--- a/admin/get.c
+++ b/admin/get.c
@@ -170,6 +170,10 @@ kt_get(int argc, char **argv)
 krb5_keytab_entry entry;
 
 ret = krb5_parse_name(context, argv[i], &princ_ent);
+ if (ret) {
+ krb5_warn(context, ret, "can't parse principal %s", argv[i]);
+ continue;
+ }
 memset(&princ, 0, sizeof(princ));
 princ.principal = princ_ent;
 mask |= KADM5_PRINCIPAL;
diff --git a/appl/afsutil/ChangeLog b/appl/afsutil/ChangeLog
index 3be098bb4..c3f5605e2 100644
--- a/appl/afsutil/ChangeLog
+++ b/appl/afsutil/ChangeLog
@@ -1,3 +1,12 @@
+2003-08-25 Love Hörnquist Åstrand
+
+ * afslog.c: 1.22->1.23: (do_afslog): is cell is unset, set it
+ "" for error printing
+
+2003-04-23 Love Hörnquist Åstrand
+
+ * afslog.c: 1.21->1.22: (log_func): drop the error number
+
 2003-04-14 Love Hörnquist Åstrand
 
 * afslog.c: set kafs log function if verbose is turned on
diff --git a/appl/afsutil/afslog.c b/appl/afsutil/afslog.c
index a576953c7..3141e8dae 100644
--- a/appl/afsutil/afslog.c
+++ b/appl/afsutil/afslog.c
@@ -246,6 +246,8 @@ do_afslog(const char *cell)
 return 0;
 }
 #endif
+ if (cell == NULL)
+ cell = "";
 #ifdef KRB5
 if (k5ret)
 warnx("krb5_afslog(%s): %s", cell, krb5_get_err_text(context, k5ret));
@@ -260,7 +262,7 @@ do_afslog(const char *cell)
 }
 
 static void
-log_func(void *ctx, const char *str, int ret)
+log_func(void *ctx, const char *str)
 {
 fprintf(stderr, "%s\n", str);
 }
diff --git a/appl/ftp/ChangeLog b/appl/ftp/ChangeLog
index 63abb9ec3..74ed7429d 100644
--- a/appl/ftp/ChangeLog
+++ b/appl/ftp/ChangeLog
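Review bot: The new `if (ret)` branch in kt_get warns and skips the principal but does not remember that anything failed, so if the function's tail (outside the hunk) returns `ret` or 0, a later successful iteration overwrites the error and the command exits as if every principal had been fetched. Consider `int failed = 0;` before the loop, `failed = 1;` next to the `krb5_warn`, and a non-zero return when `failed` is set. The `continue` itself looks right: `princ_ent` is presumably only valid when krb5_parse_name succeeds, so nothing needs releasing on this path.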
@@ -1,3 +1,57 @@ +2004-08-20 Love Hörnquist Åstrand + + * ftp/ftp.c: 1.77: send ABOR protect with security layer if its there + + * ftpd/{ftpd_locl.h, extern.h, ftpcmd.y, ftpd.8, ftpd.c}: + Remove all traces of setjmp/longjmp. + Handle those command that is needed in oobhandler, + those are ABOR, STAT, ENC, CONF, MIC. + add options to turn off insecure OOB handling and document the option + + Changes inspired by openbsd and netbsd changes but quite diffrent is + most places since the code no longer look and is structured the same + way. + + extern.h: 1.25 + ftpcmd.y: 1.65 + ftpd.8: 1.22 + ftpd.c: 1.170 + ftpd_locl.h: 1.14 + +2004-06-21 Love Hörnquist Åstrand + + * ftpd/ftpcmd.y: 1.64: make cbuf 64k to handle lager tickets From: + MAAAAA MOOOR 1.63: strncasecmp returns + integer so don't compare with NULL + +2004-03-14 Love Hörnquist Åstrand + + * ftpd/ftpd.c: 1.169: (main): setpag if there is krb4 OR krb5 + support + +2003-08-20 Love Hörnquist Åstrand + + * ftpd/ftpd.8: 1.20->1.21: document --gss-bindings + + * ftpd/ftpd.c: 1.166->1.168: wrap gssapi stuff with KRB5, + (args): add gss-bindings + + * ftp/main.c: 1.33->1.35: wrap gssapi stuff with KRB5, + (args): add gss-bindings + (main): set ftp_do_gss_bindings to 1 to make client use them + + * ftp/security.h: 1.9->1.10: add ftp_do_gss_bindings + + * ftp/gssapi.c: 1.24->1.25: Optionally support gss bindings, + client does it by default, server not. This is to make it work + for clients behind NAT. + + * ftp/ftp.1: 1.12->1.15: gssapi bindings + madoc fixes + +2003-08-15 Love Hörnquist Åstrand + + * ftp/gssapi.c: 1.23->1.24: (gss_adat): fix name allocation bug + 2003-04-16 Love Hörnquist Åstrand * ftpd/ftpd.c: make sure argument to is* functions are unsigned diff --git a/appl/ftp/ftp/ftp.1 b/appl/ftp/ftp/ftp.1 index edee1826a..282aab82b 100644 --- a/appl/ftp/ftp/ftp.1 +++ b/appl/ftp/ftp/ftp.1 
@@ -51,6 +51,7 @@ file transfer program .Op Fl g .Op Fl p .Op Fl l +.Op Fl -no-gss-bindings .Op Ar host .Sh DESCRIPTION .Nm Ftp @@ -97,6 +98,8 @@ Turn on passive mode. Enables debugging. .It Fl g Disables file name globbing. +.It Fl -no-gss-bindings +use GSS-API bindings when talking to peer (ie make sure IP addresses match). .It Fl l Disables command line editing. .El @@ -115,7 +118,7 @@ from the user. When .Nm ftp is awaiting commands from the user the prompt -.Ql ftp> +.Ql ftp\*[Gt] is provided to the user. The following commands are recognized by @@ -233,7 +236,7 @@ When debugging is on, .Nm ftp prints each command sent to the remote machine, preceded by the string -.Ql \-\-> +.Ql \-\-\*[Gt] .It Xo .Ic dir .Op Ar remote-directory @@ -569,7 +572,7 @@ the output filename "myfile.data" for input filenames "myfile.data" and "myfile.myfile" for the input filename ".myfile". Spaces may be included in .Ar outpattern , -as in the example: `nmap $1 sed "s/ *$//" > $1' . +as in the example: `nmap $1 sed "s/ *$//" \*[Gt] $1' . Use the `\e' character to prevent special treatment of the `$','[','[', and `,' characters. .It Ic ntrans Op Ar inchars Op Ar outchars @@ -955,7 +958,7 @@ processing. If the remote server does not support the .Dv ABOR command, an -.Ql ftp> +.Ql ftp\*[Gt] prompt will not appear until the remote server has completed sending the requested file. .Pp diff --git a/appl/ftp/ftp/ftp.c b/appl/ftp/ftp/ftp.c index 675a46d71..6cdf10638 100644 --- a/appl/ftp/ftp/ftp.c +++ b/appl/ftp/ftp/ftp.c @@ -1741,8 +1741,11 @@ abort_remote (FILE * din) snprintf (buf, sizeof (buf), "%c%c%c", IAC, IP, IAC); if (send (fileno (cout), buf, 3, MSG_OOB) != 3) warn ("abort"); - fprintf (cout, "%cABOR\r\n", DM); - fflush (cout); + fprintf (cout, "%c", DM); + sec_fprintf(cout, "ABOR"); + sec_fflush (cout); + fprintf (cout, "\r\n"); + fflush(cout); FD_ZERO (&mask); if (fileno (cin) >= FD_SETSIZE) errx (1, "fd too large"); 
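Review bot: The description added in the second ftp.1 hunk reads as if `--no-gss-bindings` enables bindings, but in the main.c hunk the option is registered with `arg_negative_flag` on `ftp_do_gss_bindings`, and the ChangeLog says the client uses bindings by default, so the flag turns them off. Suggest replacing the sentence with `Do not use GSS-API channel bindings when talking to the peer; by default the client requires the peer's IP addresses to match.` A clause noting that this is the option to reach servers behind NAT, at the cost of that address check, would tell readers when it is appropriate.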
diff --git a/appl/ftp/ftp/gssapi.c b/appl/ftp/ftp/gssapi.c
index 191743540..b5ab06970 100644
--- a/appl/ftp/ftp/gssapi.c
+++ b/appl/ftp/ftp/gssapi.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -41,6 +41,8 @@
 
 RCSID("$Id$");
 
+int ftp_do_gss_bindings = 0;
+
 struct gss_data {
 gss_ctx_id_t context_hdl;
 char *client_name;
@@ -169,17 +171,24 @@ gss_adat(void *app_data, void *buf, size_t len)
 OM_uint32 maj_stat, min_stat;
 gss_name_t client_name;
 struct gss_data *d = app_data;
- struct gss_channel_bindings_struct bindings;
-
- sockaddr_to_gss_address (his_addr,
- &bindings.initiator_addrtype,
- &bindings.initiator_address);
- sockaddr_to_gss_address (ctrl_addr,
- &bindings.acceptor_addrtype,
- &bindings.acceptor_address);
+ gss_channel_bindings_t bindings;
 
- bindings.application_data.length = 0;
- bindings.application_data.value = NULL;
+ if (ftp_do_gss_bindings) {
+ bindings = malloc(sizeof(*bindings));
+ if (bindings == NULL)
+ errx(1, "out of memory");
+
+ sockaddr_to_gss_address (his_addr,
+ &bindings->initiator_addrtype,
+ &bindings->initiator_address);
+ sockaddr_to_gss_address (ctrl_addr,
+ &bindings->acceptor_addrtype,
+ &bindings->acceptor_address);
+
+ bindings->application_data.length = 0;
+ bindings->application_data.value = NULL;
+ } else
+ bindings = GSS_C_NO_CHANNEL_BINDINGS;
 
 input_token.value = buf;
 input_token.length = len;
@@ -197,7 +206,7 @@ gss_adat(void *app_data, void *buf, size_t len)
 &d->context_hdl,
 GSS_C_NO_CREDENTIAL,
 &input_token,
- &bindings,
+ bindings,
 &client_name,
 NULL,
 &output_token,
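Review bot: In the gss_adat hunk a failed `malloc` of the bindings calls `errx(1, "out of memory")`, while the same function reports its other allocation failure with `reply(500, "Out of memory"); goto out;` (visible in the export_name hunk further down); on the server that is the difference between dropping the session without a reply and telling the client what happened, so the two should match, e.g. `if (bindings == NULL) { reply(500, "Out of memory"); goto out; }` provided `out` touches nothing that is still uninitialised at that point (its body is outside the hunk). The new global would also benefit from a comment stating its effect and defaults, e.g. `/* Verify GSS channel bindings against the control connection addresses; the client turns this on in main(), the server leaves it off. */`, since the ChangeLog is currently the only place that records that the server default is off. gss_adat begins and ends outside the hunk.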
@@ -205,6 +214,9 @@ gss_adat(void *app_data, void *buf, size_t len) NULL, &d->delegated_cred_handle); + if (bindings != GSS_C_NO_CHANNEL_BINDINGS) + free(bindings); + if(output_token.length) { if(base64_encode(output_token.value, output_token.length, &p) < 0) { reply(535, "Out of memory base64-encoding."); @@ -228,12 +240,13 @@ gss_adat(void *app_data, void *buf, size_t len) gss_release_buffer(&min_stat, &export_name); goto out; } - name = realloc(export_name.value, export_name.length + 1); + name = malloc(export_name.length + 1); if(name == NULL) { reply(500, "Out of memory"); gss_release_buffer(&min_stat, &export_name); goto out; } + memcpy(name, export_name.value, export_name.length); name[export_name.length] = '\0'; gss_release_buffer(&min_stat, &export_name); d->client_name = name; @@ -350,17 +363,22 @@ gss_auth(void *app_data, char *host) input.length = 0; input.value = NULL; - bindings = malloc(sizeof(*bindings)); - - sockaddr_to_gss_address (myctladdr, - &bindings->initiator_addrtype, - &bindings->initiator_address); - sockaddr_to_gss_address (hisctladdr, - &bindings->acceptor_addrtype, - &bindings->acceptor_address); - - bindings->application_data.length = 0; - bindings->application_data.value = NULL; + if (ftp_do_gss_bindings) { + bindings = malloc(sizeof(*bindings)); + if (bindings == NULL) + errx(1, "out of memory"); + + sockaddr_to_gss_address (myctladdr, + &bindings->initiator_addrtype, + &bindings->initiator_address); + sockaddr_to_gss_address (hisctladdr, + &bindings->acceptor_addrtype, + &bindings->acceptor_address); + + bindings->application_data.length = 0; + bindings->application_data.value = NULL; + } else + bindings = GSS_C_NO_CHANNEL_BINDINGS; while(!context_established) { maj_stat = gss_init_sec_context(&min_stat, 
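Review bot: In gss_auth the new `if (bindings == NULL) errx(1, "out of memory");` exits the interactive ftp client outright, whereas every other failure in this function that is visible in the surrounding hunks is reported with printf/gss_display_status and returns AUTH_ERROR or AUTH_CONTINUE, presumably so the caller can decide how to proceed. For consistency with the function's own error convention, prefer `if (bindings == NULL) { warnx("out of memory"); return AUTH_ERROR; }`. The identical errx in gss_adat is more defensible there, since that is a per-connection server process. gss_auth starts before this hunk and continues after it.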
@@ -383,11 +401,17 @@ gss_auth(void *app_data, char *host) gss_buffer_desc status_string; if(min_stat == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN && *kname != NULL) { - if(import_name(*kname++, host, &target_name)) + if(import_name(*kname++, host, &target_name)) { + if (bindings != GSS_C_NO_CHANNEL_BINDINGS) + free(bindings); return AUTH_ERROR; + } continue; } + if (bindings != GSS_C_NO_CHANNEL_BINDINGS) + free(bindings); + gss_display_status(&new_stat, min_stat, GSS_C_MECH_CODE, @@ -400,7 +424,11 @@ gss_auth(void *app_data, char *host) return AUTH_CONTINUE; } - gss_release_buffer(&min_stat, &input); + if (input.value) { + free(input.value); + input.value = NULL; + input.length = 0; + } if (output_token.length != 0) { base64_encode(output_token.value, output_token.length, &p); gss_release_buffer(&min_stat, &output_token); @@ -419,6 +447,8 @@ gss_auth(void *app_data, char *host) if(p == NULL){ printf("Error: expected ADAT in reply. got: %s\n", reply_string); + if (bindings != GSS_C_NO_CHANNEL_BINDINGS) + free(bindings); return AUTH_ERROR; } else { p+=5; @@ -428,12 +458,19 @@ gss_auth(void *app_data, char *host) } else { if(code != 235) { printf("Unrecognized response code: %d\n", code); + if (bindings != GSS_C_NO_CHANNEL_BINDINGS) + free(bindings); return AUTH_ERROR; } context_established = 1; } } + if (bindings != GSS_C_NO_CHANNEL_BINDINGS) + free(bindings); + if (input.value) + free(input.value); + { gss_name_t targ_name; diff --git a/appl/ftp/ftp/main.c b/appl/ftp/ftp/main.c index b4eeb60eb..3c861bdb5 100644 --- a/appl/ftp/ftp/main.c +++ b/appl/ftp/ftp/main.c @@ -59,6 +59,10 @@ struct getargs getargs[] = { "passive mode", NULL}, { NULL, 't', arg_counter, &trace, "Packet tracing", NULL}, +#ifdef KRB5 + { "gss-bindings", 0, arg_negative_flag, &ftp_do_gss_bindings, + "Use GSS-API bindings", NULL}, +#endif { NULL, 'v', arg_counter, &verbose, "verbosity", NULL}, { NULL, 'K', arg_negative_flag, &use_kerberos, 
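Review bot: The bindings object is now released at five separate exits of gss_auth — `if (bindings != GSS_C_NO_CHANNEL_BINDINGS) free(bindings);` before the import_name failure return, before gss_display_status, before both reply-parsing AUTH_ERROR returns and once after the loop — a pattern that will leak the moment another early return is added to this loop, and one that the `input.value` release after the loop already does not follow for the in-loop exits. A single cleanup label (`goto out;` from each failure, with the bindings free and the `input.value` free under `out:`) or a stack-allocated `struct gss_channel_bindings_struct` would remove all five copies. gss_auth begins before this hunk and its tail follows it.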
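Review bot: The help string of the new client option is `"Use GSS-API bindings"` although the entry is an `arg_negative_flag`, i.e. the switch the user types is `--no-gss-bindings` and it clears `ftp_do_gss_bindings` (main() sets the default to 1 in the following hunk). Depending on how getarg renders negative flags in its usage output, this text may describe the opposite of what typing the option does; the ftp.1 hunk in the same commit has the same inversion. Describing the effect avoids the ambiguity: `"Don't use GSS-API channel bindings"`.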
@@ -96,6 +100,9 @@ main(int argc, char **argv) lineedit = 1; passivemode = 0; /* passive mode not active */ use_kerberos = 1; +#ifdef KRB5 + ftp_do_gss_bindings = 1; +#endif if(getarg(getargs, num_args, argc, argv, &optind)) usage(1); diff --git a/appl/ftp/ftp/security.h b/appl/ftp/ftp/security.h index 84e5f594d..2278e6cf7 100644 --- a/appl/ftp/ftp/security.h +++ b/appl/ftp/ftp/security.h @@ -76,6 +76,7 @@ struct sec_server_mech { #define AUTH_CONTINUE 1 #define AUTH_ERROR 2 +extern int ftp_do_gss_bindings; #ifdef FTP_SERVER extern struct sec_server_mech krb4_server_mech, gss_server_mech; #else diff --git a/appl/ftp/ftpd/extern.h b/appl/ftp/ftpd/extern.h index f321e60ff..751d04cea 100644 --- a/appl/ftp/ftpd/extern.h +++ b/appl/ftp/ftpd/extern.h @@ -48,7 +48,6 @@ #include #include -#include #ifdef HAVE_PWD_H #include #endif @@ -129,10 +128,8 @@ extern struct passwd *pw; extern int guest; extern int logging; extern int type; -extern int oobflag; extern off_t file_size; extern off_t byte_count; -extern jmp_buf urgcatch; extern int form; extern int debug; @@ -142,7 +139,6 @@ extern int pdata; extern char hostname[], remotehost[]; extern char proctitle[]; extern int usedefault; -extern int transflag; extern char tmpline[]; #endif /* _EXTERN_H_ */ diff --git a/appl/ftp/ftpd/ftpcmd.y b/appl/ftp/ftpd/ftpcmd.y index 6d3ab883c..4f000aec7 100644 --- a/appl/ftp/ftpd/ftpcmd.y +++ b/appl/ftp/ftpd/ftpcmd.y @@ -47,10 +47,13 @@ RCSID("$Id$"); off_t restart_point; +static int hasyyerrored; + + static int cmd_type; static int cmd_form; static int cmd_bytesz; -char cbuf[2048]; +char cbuf[64*1024]; char *fromname; struct tab { @@ -303,15 +306,6 @@ cmd } | sTAT CRLF { - if(oobflag){ - if (file_size != (off_t) -1) - reply(213, "Status: %lu of %lu bytes transferred", - (unsigned long)byte_count, - (unsigned long)file_size); - else - reply(213, "Status: %lu bytes transferred", - (unsigned long)byte_count); - }else statcmd(); } | DELE SP pathname CRLF check_login_no_guest 
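Review bot: `static int hasyyerrored;` is introduced without a comment, yet it encodes a non-obvious protocol: yylex() clears it when it starts a new command (CMD state), sets it after nack() has already replied 502, and the yyerror() the parser then invokes checks it so the client receives exactly one reply per bad line. Suggest `/* set once yylex() has replied 5xx for the current line; keeps yyerror() from sending a second 500 */` on the declaration. The jump of `cbuf` from 2048 to `64*1024` is likewise a bare number; if, as the new ftpd_getline comment suggests, it exists so that a base64-wrapped MIC/CONF/ENC command fits on one line, `#define CBUFSIZ (64*1024) /* room for a base64-encoded protected command */` documents why it is that large.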
@@ -337,13 +331,7 @@ cmd } | ABOR CRLF { - if(oobflag){ - reply(426, "Transfer aborted. Data connection closed."); - reply(226, "Abort successful"); - oobflag = 0; - longjmp(urgcatch, 1); - }else - reply(225, "ABOR command successful."); + reply(225, "ABOR command successful."); } | CWD CRLF check_login { @@ -914,8 +902,6 @@ check_secure : /* empty */ %% -extern jmp_buf errcatch; - #define CMD 0 /* beginning of command */ #define ARGS 1 /* expect miscellaneous arguments */ #define STR1 2 /* expect SP followed by STRING */ @@ -1034,15 +1020,13 @@ ftpd_getline(char *s, int n) char *cs; cs = s; -/* tmpline may contain saved command from urgent mode interruption */ + + /* might still be data within the security MIC/CONF/ENC */ if(ftp_command){ - strlcpy(s, ftp_command, n); - if (debug) - syslog(LOG_DEBUG, "command: %s", s); -#ifdef XXX - fprintf(stderr, "%s\n", s); -#endif - return s; + strlcpy(s, ftp_command, n); + if (debug) + syslog(LOG_DEBUG, "command: %s", s); + return s; } while ((c = getc(stdin)) != EOF) { c &= 0377; @@ -1127,6 +1111,8 @@ yylex(void) switch (state) { case CMD: + hasyyerrored = 0; + signal(SIGALRM, toolong); alarm((unsigned) ftpd_timeout); if (ftpd_getline(cbuf, sizeof(cbuf)-1) == NULL) { @@ -1135,7 +1121,7 @@ yylex(void) } alarm(0); #ifdef HAVE_SETPROCTITLE - if (strncasecmp(cbuf, "PASS", 4) != NULL) + if (strncasecmp(cbuf, "PASS", 4) != 0) setproctitle("%s: %s", proctitle, cbuf); #endif /* HAVE_SETPROCTITLE */ if ((cp = strchr(cbuf, '\r'))) { @@ -1154,8 +1140,8 @@ yylex(void) if (p != 0) { if (p->implemented == 0) { nack(p->name); - longjmp(errcatch,0); - /* NOTREACHED */ + hasyyerrored = 1; + break; } state = p->state; yylval.s = p->name; @@ -1180,8 +1166,8 @@ yylex(void) if (p->implemented == 0) { state = CMD; nack(p->name); - longjmp(errcatch,0); - /* NOTREACHED */ + hasyyerrored = 1; + break; } state = p->state; yylval.s = p->name; 
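Review bot: In ftpd_getline's `ftp_command` branch the command is written verbatim to syslog with `syslog(LOG_DEBUG, "command: %s", s)` whenever `debug` is set; going by the new comment this is the payload of a MIC/CONF/ENC command, so on a protected session it includes `PASS <password>`, which the same file takes care not to expose elsewhere (the PASS check before setproctitle in the yylex hunk below). The same guard belongs here: `if (debug && strncasecmp(s, "PASS", 4) != 0) syslog(LOG_DEBUG, "command: %s", s);`. The branch also hands `ftp_command` out without resetting it, so it relies on the security layer, outside this diff, to clear the pointer once the command is consumed — if that is the contract, a one-line comment saying so would help. ftpd_getline continues past this hunk.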
@@ -1329,12 +1315,27 @@ yylex(void) default: fatal("Unknown state in scanner."); } - yyerror((char *) 0); + yyerror(NULL); state = CMD; - longjmp(errcatch,0); + return (0); } } +/* ARGSUSED */ +void +yyerror(char *s) +{ + char *cp; + + if (hasyyerrored) + return; + + if ((cp = strchr(cbuf,'\n'))) + *cp = '\0'; + reply(500, "'%s': command not understood.", cbuf); + hasyyerrored = 1; +} + static char * copy(char *s) { diff --git a/appl/ftp/ftpd/ftpd.8 b/appl/ftp/ftpd/ftpd.8 index 01f6275c8..b63064192 100644 --- a/appl/ftp/ftpd/ftpd.8 +++ b/appl/ftp/ftpd/ftpd.8 @@ -33,7 +33,7 @@ .\" .\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 .\" -.Dd April 19, 1997 +.Dd July 19, 2003 .Dt FTPD 8 .Os BSD 4.2 .Sh NAME @@ -47,6 +47,8 @@ .Op Fl p Ar port .Op Fl T Ar maxtimeout .Op Fl t Ar timeout +.Op Fl -gss-bindings +.Op Fl I | Fl -no-insecure-oob .Op Fl u Ar default umask .Op Fl B | Fl -builtin-ls .Op Fl -good-chars= Ns Ar string @@ -99,6 +101,8 @@ Debugging information is written to the syslog using LOG_FTP. .It Fl g Anonymous users will get a umask of .Ar umask . +.It Fl -gss-bindings +require the peer to use GSS-API bindings (ie make sure IP addresses match). .It Fl i Open a socket and wait for a connection. This is mainly used for debugging when ftpd isn't started by inetd. @@ -147,6 +151,13 @@ use built-in ls to list files .Fl -good-chars= Ns Ar string .Xc allowed anonymous upload filename chars +.It Xo +.Fl I +.Fl -no-insecure-oob +.Xc +don't allow insecure out of band. +Heimdal ftp client before 0.7 doesn't support secure oob, so turning +on this options makes them no longer work. .El .Pp The file diff --git a/appl/ftp/ftpd/ftpd.c b/appl/ftp/ftpd/ftpd.c index d5bb84d4b..609bb81a8 100644 --- a/appl/ftp/ftpd/ftpd.c +++ b/appl/ftp/ftpd/ftpd.c @@ -61,8 +61,6 @@ struct sockaddr_storage pasv_addr_ss; struct sockaddr *pasv_addr = (struct sockaddr *)&pasv_addr_ss; int data; -jmp_buf errcatch, urgcatch; -int oobflag; int logged_in; struct passwd *pw; int debug = 0; 
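Review bot: The replacement of `longjmp(errcatch,0)` by `return (0)` at the bottom of yylex() deserves a comment, because a 0 from a yacc lexer normally means end of input; here it is used to make the current yyparse() abandon the garbled line, relying on ftpd's `for (;;) yyparse();` loop (visible in the ftpd.c hunk below) to start a fresh parse. Suggest `/* 0 = EOF to yacc: abandon this command line; main()'s for(;;) yyparse() restarts the parser */`. The new yyerror() likewise only works because yylex() resets hasyyerrored in its CMD state; `/* yylex() already replied for this line */` next to the early return ties the two together.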
@@ -78,7 +76,9 @@ int stru; /* avoid C keyword */ int mode; int usedefault = 1; /* for data transfers */ int pdata = -1; /* for passive mode */ -int transflag; +int allow_insecure_oob = 1; +static int transflag; +static int urgflag; off_t file_size; off_t byte_count; #if !defined(CMASK) || CMASK == 0 @@ -134,6 +134,7 @@ char proctitle[BUFSIZ]; /* initial part of title */ static void ack (char *); static void myoob (int); +static int handleoobcmd(void); static int checkuser (char *, char *); static int checkaccess (char *); static FILE *dataconn (const char *, off_t, const char *); @@ -223,6 +224,10 @@ struct getargs args[] = { { NULL, 'v', arg_flag, &debug, "enable debugging" }, { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" }, { "good-chars", 0, arg_string, &good_chars, "allowed anonymous upload filename chars" }, + { "insecure-oob", 'I', arg_negative_flag, &allow_insecure_oob, "don't allow insecure OOB ABOR/STAT" }, +#ifdef KRB5 + { "gss-bindings", 0, arg_flag, &ftp_do_gss_bindings, "Require GSS-API bindings", NULL}, +#endif { "version", 0, arg_flag, &version_flag }, { "help", 'h', arg_flag, &help_flag } }; @@ -274,11 +279,11 @@ main(int argc, char **argv) "/tmp/ftp_%u", (unsigned)getpid()); krb_set_tkt_string(tkfile); #endif -#if defined(KRB4) && defined(KRB5) - if(k_hasafs()) - k_setpag(); -#endif } +#if defined(KRB4) || defined(KRB5) + if(k_hasafs()) + k_setpag(); +#endif if(getarg(args, num_args, argc, argv, &optind)) usage(1); @@ -426,7 +431,6 @@ main(int argc, char **argv) #endif ); - setjmp(errcatch); for (;;) yyparse(); /* NOTREACHED */ @@ -1361,15 +1365,13 @@ send_data(FILE *instr, FILE *outstr) static char *buf; static size_t bufsize; - transflag++; - if (setjmp(urgcatch)) { - transflag = 0; - return; - } + transflag = 1; switch (type) { case TYPE_A: while ((c = getc(instr)) != EOF) { + if (urgflag && handleoobcmd()) + return; byte_count++; if(c == '\n') sec_putc('\r', outstr); 
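Review bot: `static int urgflag;` is stored to from the SIGURG handler myoob() (`urgflag = 1;` in a later hunk) and polled from the transfer loops, so it should be `static volatile sig_atomic_t urgflag;` — without `volatile` the compiler may legitimately cache the value across the `while` loops that test it, and `sig_atomic_t` is the only type the C standard guarantees a signal handler may write. `<signal.h>` is presumably already included, since the file calls signal().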
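Review bot: send_data sets `transflag = 1` but does not clear `urgflag`, and the new myoob() (later hunk) sets the flag unconditionally, so a SIGURG that arrives between transfers — e.g. a client aborting just as the previous transfer completed, whose in-band ABOR the grammar then answers with 225 — leaves `urgflag` set; the next transfer's first `if (urgflag && handleoobcmd())` then calls ftpd_getline() on the control connection with no command pending and blocks until the client happens to send one. The removed handler avoided this with its `if (!transflag) return;`. Either clear the flag where a transfer starts (`transflag = 1; urgflag = 0;` here and in receive_data/send_file_list) or make the handler `if (transflag) urgflag = 1;`. send_data continues past this hunk.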
@@ -1377,6 +1379,7 @@ send_data(FILE *instr, FILE *outstr) } sec_fflush(outstr); transflag = 0; + urgflag = 0; if (ferror(instr)) goto file_err; if (ferror(outstr)) @@ -1386,6 +1389,7 @@ send_data(FILE *instr, FILE *outstr) case TYPE_I: case TYPE_L: +#if 0 /* XXX handle urg flag */ #if defined(HAVE_MMAP) && !defined(NO_MMAP) #ifndef MAP_FAILED #define MAP_FAILED (-1) @@ -1409,10 +1413,12 @@ send_data(FILE *instr, FILE *outstr) sec_fflush(outstr); byte_count = cnt; transflag = 0; + urgflag = 0; } } } #endif +#endif if(transflag) { struct stat st; @@ -1422,14 +1428,19 @@ send_data(FILE *instr, FILE *outstr) fstat(filefd, &st) >= 0 ? &st : NULL); if (buf == NULL) { transflag = 0; + urgflag = 0; perror_reply(451, "Local resource failure: malloc"); return; } while ((cnt = read(filefd, buf, bufsize)) > 0 && - sec_write(netfd, buf, cnt) == cnt) + sec_write(netfd, buf, cnt) == cnt) { byte_count += cnt; + if (urgflag && handleoobcmd()) + return; + } sec_fflush(outstr); /* to end an encrypted stream */ transflag = 0; + urgflag = 0; if (cnt != 0) { if (cnt < 0) goto file_err; @@ -1440,17 +1451,20 @@ send_data(FILE *instr, FILE *outstr) return; default: transflag = 0; + urgflag = 0; reply(550, "Unimplemented TYPE %d in send_data", type); return; } data_err: transflag = 0; + urgflag = 0; perror_reply(426, "Data connection"); return; file_err: transflag = 0; + urgflag = 0; perror_reply(551, "Error on input file"); } @@ -1468,16 +1482,13 @@ receive_data(FILE *instr, FILE *outstr) static size_t bufsize; struct stat st; - transflag++; - if (setjmp(urgcatch)) { - transflag = 0; - return (-1); - } + transflag = 1; buf = alloc_buffer (buf, &bufsize, fstat(fileno(outstr), &st) >= 0 ? &st : NULL); if (buf == NULL) { transflag = 0; + urgflag = 0; perror_reply(451, "Local resource failure: malloc"); return -1; } 
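Review bot: The mmap send path for TYPE_I/TYPE_L is disabled wholesale with `#if 0 /* XXX handle urg flag */` rather than adapted or removed, leaving a block of dead code that still receives edits (`urgflag = 0;`) and silently making the read/sec_write loop the only binary path — a throughput regression for large files on platforms that had mmap. If the block is to stay, the poll used in the loop below, `if (urgflag && handleoobcmd()) return;`, can be placed after each sec_write of the mapped region; otherwise delete the block so the XXX does not ship in the release. send_data begins before and ends after this hunk.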
@@ -1490,15 +1501,19 @@ receive_data(FILE *instr, FILE *outstr) if (write(fileno(outstr), buf, cnt) != cnt) goto file_err; byte_count += cnt; + if (urgflag && handleoobcmd()) + return (-1); } if (cnt < 0) goto data_err; transflag = 0; + urgflag = 0; return (0); case TYPE_E: reply(553, "TYPE E not implemented."); transflag = 0; + urgflag = 0; return (-1); case TYPE_A: @@ -1508,6 +1523,8 @@ receive_data(FILE *instr, FILE *outstr) while ((cnt = sec_read(fileno(instr), buf + cr_flag, bufsize - cr_flag)) > 0){ + if (urgflag && handleoobcmd()) + return (-1); byte_count += cnt; cnt += cr_flag; cr_flag = 0; @@ -1539,6 +1556,7 @@ receive_data(FILE *instr, FILE *outstr) if (ferror(outstr)) goto file_err; transflag = 0; + urgflag = 0; if (bare_lfs) { lreply(226, "WARNING! %d bare linefeeds received in ASCII mode\r\n" " File may not have transferred correctly.\r\n", @@ -1549,16 +1567,19 @@ receive_data(FILE *instr, FILE *outstr) default: reply(550, "Unimplemented TYPE %d in receive_data", type); transflag = 0; + urgflag = 0; return (-1); } data_err: transflag = 0; + urgflag = 0; perror_reply(426, "Data Connection"); return (-1); file_err: transflag = 0; + urgflag = 0; perror_reply(452, "Error writing file"); return (-1); } @@ -1728,17 +1749,6 @@ nack(char *s) reply(502, "%s command not implemented.", s); } -/* ARGSUSED */ -void -yyerror(char *s) -{ - char *cp; - - if ((cp = strchr(cbuf,'\n'))) - *cp = '\0'; - reply(500, "'%s': command not understood.", cbuf); -} - void do_delete(char *name) { @@ -1877,6 +1887,7 @@ void dologout(int status) { transflag = 0; + urgflag = 0; if (logged_in) { seteuid((uid_t)0); ftpd_logwtmp(ttyline, "", ""); 
@@ -1894,51 +1905,72 @@ dologout(int status) void abor(void) { + if (!transflag) + return; + reply(426, "Transfer aborted. Data connection closed."); + reply(226, "Abort successful"); + transflag = 0; } static void myoob(int signo) { -#if 0 + urgflag = 1; +} + +static char * +mec_space(char *p) +{ + while(isspace(*(unsigned char *)p)) + p++; + return p; +} + +static int +handleoobcmd(void) +{ char *cp; -#endif /* only process if transfer occurring */ if (!transflag) - return; + return 0; - /* This is all XXX */ - oobflag = 1; - /* if the command resulted in a new command, - parse that as well */ - do{ - yyparse(); - } while(ftp_command); - oobflag = 0; + urgflag = 0; -#if 0 cp = tmpline; - if (ftpd_getline(cp, 7) == NULL) { + if (ftpd_getline(cp, sizeof(tmpline)) == NULL) { reply(221, "You could at least say goodbye."); dologout(0); } - upper(cp); - if (strcmp(cp, "ABOR\r\n") == 0) { - tmpline[0] = '\0'; - reply(426, "Transfer aborted. Data connection closed."); - reply(226, "Abort successful"); - longjmp(urgcatch, 1); + + if (strncasecmp("MIC", cp, 3) == 0) { + mec(mec_space(cp + 3), prot_safe); + } else if (strncasecmp("CONF", cp, 4) == 0) { + mec(mec_space(cp + 4), prot_confidential); + } else if (strncasecmp("ENC", cp, 3) == 0) { + mec(mec_space(cp + 3), prot_private); + } else if (!allow_insecure_oob) { + reply(533, "Command protection level denied " + "for paranoid reasons."); + goto out; } - if (strcmp(cp, "STAT\r\n") == 0) { + + if (secure_command()) + cp = ftp_command; + + if (strcasecmp(cp, "ABOR\r\n") == 0) { + abor(); + } else if (strcasecmp(cp, "STAT\r\n") == 0) { if (file_size != (off_t) -1) reply(213, "Status: %ld of %ld bytes transferred", (long)byte_count, (long)file_size); else - reply(213, "Status: %ld bytes transferred" + reply(213, "Status: %ld bytes transferred", (long)byte_count); } -#endif +out: + return (transflag == 0); } /* 
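Review bot: handleoobcmd() reads the out-of-band command with `ftpd_getline(cp, sizeof(tmpline))` but, unlike yylex() which brackets its ftpd_getline() with `signal(SIGALRM, toolong); alarm(ftpd_timeout);` and `alarm(0)`, sets no alarm, so a peer that sends one urgent byte and then nothing parks the server in a blocking read in the middle of a transfer indefinitely; the same alarm pair around this read closes that. The `else if (!allow_insecure_oob)` branch sends 533 "Command protection level denied" for any cleartext OOB command, including on sessions that never negotiated a security mechanism and have no protection level to deny, so with `-I` plain clients lose ABOR/STAT for no security gain — if the security layer exposes whether a mechanism is active, gate on `!allow_insecure_oob && <mechanism negotiated>`. A protected command that turns out to be neither ABOR nor STAT is consumed with no reply at all, and `tmpline`'s size (defined outside this hunk) must now hold a full base64-wrapped MIC/CONF/ENC line rather than the 7 bytes the old code read. With the default `allow_insecure_oob = 1` a protected session still honours a cleartext ABOR/STAT from anyone able to inject into the control TCP stream; ftpd.8 documents this as a compatibility choice, so a matching comment on the default would help operators decide to set `-I`.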
@@ -2181,139 +2213,136 @@ list_file(char *file) void send_file_list(char *whichf) { - struct stat st; - DIR *dirp = NULL; - struct dirent *dir; - FILE *dout = NULL; - char **dirlist, *dirname; - int simple = 0; - int freeglob = 0; - glob_t gl; - char buf[MaxPathLen]; - - if (strpbrk(whichf, "~{[*?") != NULL) { - int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE| + struct stat st; + DIR *dirp = NULL; + struct dirent *dir; + FILE *dout = NULL; + char **dirlist, *dirname; + int simple = 0; + int freeglob = 0; + glob_t gl; + char buf[MaxPathLen]; + + if (strpbrk(whichf, "~{[*?") != NULL) { + int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE| #ifdef GLOB_MAXPATH - GLOB_MAXPATH + GLOB_MAXPATH #else - GLOB_LIMIT + GLOB_LIMIT #endif - ; - - memset(&gl, 0, sizeof(gl)); - freeglob = 1; - if (glob(whichf, flags, 0, &gl)) { - reply(550, "not found"); - goto out; - } else if (gl.gl_pathc == 0) { - errno = ENOENT; - perror_reply(550, whichf); - goto out; - } - dirlist = gl.gl_pathv; - } else { - onefile[0] = whichf; - dirlist = onefile; - simple = 1; - } + ; - if (setjmp(urgcatch)) { - transflag = 0; - goto out; - } - while ((dirname = *dirlist++)) { - if (stat(dirname, &st) < 0) { - /* - * If user typed "ls -l", etc, and the client - * used NLST, do what the user meant. 
- */ - if (dirname[0] == '-' && *dirlist == NULL && - transflag == 0) { - list_file(dirname); - goto out; - } - perror_reply(550, whichf); - if (dout != NULL) { - fclose(dout); - transflag = 0; - data = -1; - pdata = -1; - } - goto out; + memset(&gl, 0, sizeof(gl)); + freeglob = 1; + if (glob(whichf, flags, 0, &gl)) { + reply(550, "not found"); + goto out; + } else if (gl.gl_pathc == 0) { + errno = ENOENT; + perror_reply(550, whichf); + goto out; + } + dirlist = gl.gl_pathv; + } else { + onefile[0] = whichf; + dirlist = onefile; + simple = 1; } - if (S_ISREG(st.st_mode)) { - if (dout == NULL) { - dout = dataconn("file list", (off_t)-1, "w"); - if (dout == NULL) - goto out; - transflag++; - } - snprintf(buf, sizeof(buf), "%s%s\n", dirname, - type == TYPE_A ? "\r" : ""); - sec_write(fileno(dout), buf, strlen(buf)); - byte_count += strlen(dirname) + 1; - continue; - } else if (!S_ISDIR(st.st_mode)) - continue; - - if ((dirp = opendir(dirname)) == NULL) - continue; - - while ((dir = readdir(dirp)) != NULL) { - char nbuf[MaxPathLen]; - - if (!strcmp(dir->d_name, ".")) - continue; - if (!strcmp(dir->d_name, "..")) - continue; - - snprintf(nbuf, sizeof(nbuf), "%s/%s", dirname, dir->d_name); - - /* - * We have to do a stat to insure it's - * not a directory or special file. - */ - if (simple || (stat(nbuf, &st) == 0 && - S_ISREG(st.st_mode))) { - if (dout == NULL) { - dout = dataconn("file list", (off_t)-1, "w"); - if (dout == NULL) + while ((dirname = *dirlist++)) { + + if (urgflag && handleoobcmd()) + goto out; + + if (stat(dirname, &st) < 0) { + /* + * If user typed "ls -l", etc, and the client + * used NLST, do what the user meant. + */ + if (dirname[0] == '-' && *dirlist == NULL && + transflag == 0) { + list_file(dirname); + goto out; + } + perror_reply(550, whichf); goto out; - transflag++; } - if(strncmp(nbuf, "./", 2) == 0) - snprintf(buf, sizeof(buf), "%s%s\n", nbuf +2, - type == TYPE_A ? 
"\r" : ""); - else - snprintf(buf, sizeof(buf), "%s%s\n", nbuf, - type == TYPE_A ? "\r" : ""); - sec_write(fileno(dout), buf, strlen(buf)); - byte_count += strlen(nbuf) + 1; - } + + if (S_ISREG(st.st_mode)) { + if (dout == NULL) { + dout = dataconn("file list", (off_t)-1, "w"); + if (dout == NULL) + goto out; + transflag = 1; + } + snprintf(buf, sizeof(buf), "%s%s\n", dirname, + type == TYPE_A ? "\r" : ""); + sec_write(fileno(dout), buf, strlen(buf)); + byte_count += strlen(dirname) + 1; + continue; + } else if (!S_ISDIR(st.st_mode)) + continue; + + if ((dirp = opendir(dirname)) == NULL) + continue; + + while ((dir = readdir(dirp)) != NULL) { + char nbuf[MaxPathLen]; + + if (urgflag && handleoobcmd()) + goto out; + + if (!strcmp(dir->d_name, ".")) + continue; + if (!strcmp(dir->d_name, "..")) + continue; + + snprintf(nbuf, sizeof(nbuf), "%s/%s", dirname, dir->d_name); + + /* + * We have to do a stat to insure it's + * not a directory or special file. + */ + if (simple || (stat(nbuf, &st) == 0 && + S_ISREG(st.st_mode))) { + if (dout == NULL) { + dout = dataconn("file list", (off_t)-1, "w"); + if (dout == NULL) + goto out; + transflag = 1; + } + if(strncmp(nbuf, "./", 2) == 0) + snprintf(buf, sizeof(buf), "%s%s\n", nbuf +2, + type == TYPE_A ? "\r" : ""); + else + snprintf(buf, sizeof(buf), "%s%s\n", nbuf, + type == TYPE_A ? 
"\r" : ""); + sec_write(fileno(dout), buf, strlen(buf)); + byte_count += strlen(nbuf) + 1; + } + } + closedir(dirp); } - closedir(dirp); - } - if (dout == NULL) - reply(550, "No files found."); - else if (ferror(dout) != 0) - perror_reply(550, "Data connection"); - else - reply(226, "Transfer complete."); - - transflag = 0; - if (dout != NULL){ - sec_write(fileno(dout), buf, 0); /* XXX flush */ - - fclose(dout); - } - data = -1; - pdata = -1; + if (dout == NULL) + reply(550, "No files found."); + else if (ferror(dout) != 0) + perror_reply(550, "Data connection"); + else + reply(226, "Transfer complete."); + out: - if (freeglob) { - freeglob = 0; - globfree(&gl); - } + transflag = 0; + if (dout != NULL){ + sec_write(fileno(dout), buf, 0); /* XXX flush */ + + fclose(dout); + } + data = -1; + pdata = -1; + if (freeglob) { + freeglob = 0; + globfree(&gl); + } } diff --git a/appl/ftp/ftpd/ftpd_locl.h b/appl/ftp/ftpd/ftpd_locl.h index ad12a1214..3918f9b2f 100644 --- a/appl/ftp/ftpd/ftpd_locl.h +++ b/appl/ftp/ftpd/ftpd_locl.h @@ -111,7 +111,6 @@ #ifdef HAVE_PWD_H #include #endif -#include #include #include #include diff --git a/appl/kx/ChangeLog b/appl/kx/ChangeLog index 92b2b2077..c2214a6c7 100644 --- a/appl/kx/ChangeLog +++ b/appl/kx/ChangeLog 
@@ -1,3 +1,27 @@ +2004-03-16 Love Hörquist Åstrand + + * krb5.c: 1.12: (krb5_destroy): free allocated memory, not + something else + +2004-02-18 Love Hörquist Åstrand + + * krb4.c: 1.12: remove dup on + +2004-01-08 Love Hörquist Åstrand + + * krb5.c: 1.10->1.11: clean up krb5 support, log to syslog instead + of stdout + (very confusing for the other end tcp connection), patch originally + from joda + +2003-05-15 Love Hörquist Åstrand + + * kxd.c: 1.71->1.74: + (recv_conn): pass pointer to sockaddr, not pointer to pointer + (recv_conn): if getnameinfo failes, send error to client (and syslog) + (recv_conn): get sizeof of the sockaddr_storage, not the sockaddr + pointer + 2003-04-16 Johan Danielsson * kx.c (doit_{passive,active}): use kc->thataddr directly diff --git a/appl/kx/krb4.c b/appl/kx/krb4.c index 119d79e09..1d587df45 100644 --- a/appl/kx/krb4.c +++ b/appl/kx/krb4.c @@ -72,8 +72,7 @@ krb4_authenticate (kx_context *kc, int s) const char *host = kc->host; if (kc->thisaddr->sa_family != AF_INET) { - warnx ("%s: used Kerberos v4 authentiocation on on non-IP4 address", - host); + warnx ("%s: used Kerberos v4 authentiocation on non-IP4 address", host); return -1; } diff --git a/appl/kx/krb5.c b/appl/kx/krb5.c index 3398d2fe2..8a0c0762c 100644 --- a/appl/kx/krb5.c +++ b/appl/kx/krb5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2000, 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -42,28 +42,32 @@ struct krb5_kx_context { krb5_keyblock *keyblock; krb5_crypto crypto; krb5_principal client; + krb5_log_facility *log; + }; typedef struct krb5_kx_context krb5_kx_context; +#define K5DATA(kc) ((krb5_kx_context*)kc->data) +#define CONTEXT(kc) (K5DATA(kc)->context) + /* * Destroy the krb5 context in `c'. */ static void -krb5_destroy (kx_context *c) +krb5_destroy (kx_context *kc) { - krb5_kx_context *kc = (krb5_kx_context *)c->data; - - if (kc->keyblock) - krb5_free_keyblock (kc->context, kc->keyblock); - if (kc->crypto) - krb5_crypto_destroy (kc->context, kc->crypto); - if (kc->client) - krb5_free_principal (kc->context, kc->client); - if (kc->context) - krb5_free_context (kc->context); - free (kc); + if (K5DATA(kc)->keyblock) + krb5_free_keyblock (CONTEXT(kc), K5DATA(kc)->keyblock); + if (K5DATA(kc)->crypto) + krb5_crypto_destroy (CONTEXT(kc), K5DATA(kc)->crypto); + if (K5DATA(kc)->client) + krb5_free_principal (CONTEXT(kc), K5DATA(kc)->client); + if (CONTEXT(kc)) + krb5_free_context (CONTEXT(kc)); + memset (kc->data, 0, sizeof(krb5_kx_context)); + free (kc->data); } /* @@ -74,21 +78,19 @@ krb5_destroy (kx_context *c) static int krb5_authenticate (kx_context *kc, int s) { - krb5_kx_context *c = (krb5_kx_context *)kc->data; - krb5_context context = c->context; krb5_auth_context auth_context = NULL; krb5_error_code ret; krb5_principal server; const char *host = kc->host; - ret = krb5_sname_to_principal (context, + ret = krb5_sname_to_principal (CONTEXT(kc), host, "host", KRB5_NT_SRV_HST, &server); if (ret) { - krb5_warn (context, ret, "krb5_sname_to_principal: %s", host); + krb5_warn (CONTEXT(kc), ret, "krb5_sname_to_principal: %s", host); return 1; } - ret = krb5_sendauth (context, + ret = krb5_sendauth (CONTEXT(kc), &auth_context, &s, KX_VERSION, 
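Review bot: krb5_destroy() now zeroes and frees `kc->data` but leaves the dangling pointer in the kx_context, and it never closes the log facility that recv_v5_auth() opens into `K5DATA(kc)->log` (`krb5_openlog(CONTEXT(kc), "kxd", &K5DATA(kc)->log)` in a later hunk) before the context is freed. Add `if (K5DATA(kc)->log) krb5_closelog(CONTEXT(kc), K5DATA(kc)->log);` ahead of `krb5_free_context`, and `kc->data = NULL;` after the free so a second destroy or a stale use fails loudly rather than touching freed memory. The memset before free is a reasonable scrub of the struct itself; whether krb5_free_keyblock zeroes the key material it releases is not visible here.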
@@ -103,21 +105,23 @@ krb5_authenticate (kx_context *kc, int s) NULL); if (ret) { if(ret != KRB5_SENDAUTH_BADRESPONSE) - krb5_warn (context, ret, "krb5_sendauth: %s", host); + krb5_warn (CONTEXT(kc), ret, "krb5_sendauth: %s", host); return 1; } - ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock); + ret = krb5_auth_con_getkey (CONTEXT(kc), auth_context, + &K5DATA(kc)->keyblock); if (ret) { - krb5_warn (context, ret, "krb5_auth_con_getkey: %s", host); - krb5_auth_con_free (context, auth_context); + krb5_warn (CONTEXT(kc), ret, "krb5_auth_con_getkey: %s", host); + krb5_auth_con_free (CONTEXT(kc), auth_context); return 1; } - ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto); + ret = krb5_crypto_init (CONTEXT(kc), K5DATA(kc)->keyblock, + 0, &K5DATA(kc)->crypto); if (ret) { - krb5_warn (context, ret, "krb5_crypto_init"); - krb5_auth_con_free (context, auth_context); + krb5_warn (CONTEXT(kc), ret, "krb5_crypto_init"); + krb5_auth_con_free (CONTEXT(kc), auth_context); return 1; } return 0; 
@@ -133,30 +137,30 @@ static ssize_t krb5_read (kx_context *kc, int fd, void *buf, size_t len) { - krb5_kx_context *c = (krb5_kx_context *)kc->data; - krb5_context context = c->context; size_t data_len, outer_len; krb5_error_code ret; unsigned char tmp[4]; krb5_data data; int l; - l = krb5_net_read (context, &fd, tmp, 4); + l = krb5_net_read (CONTEXT(kc), &fd, tmp, 4); if (l == 0) return l; if (l != 4) return -1; data_len = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3]; - outer_len = krb5_get_wrapped_length (context, c->crypto, data_len); + outer_len = krb5_get_wrapped_length (CONTEXT(kc), + K5DATA(kc)->crypto, data_len); if (outer_len > len) return -1; - if (krb5_net_read (context, &fd, buf, outer_len) != outer_len) + if (krb5_net_read (CONTEXT(kc), &fd, buf, outer_len) != outer_len) return -1; - ret = krb5_decrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED, + ret = krb5_decrypt (CONTEXT(kc), K5DATA(kc)->crypto, + KRB5_KU_OTHER_ENCRYPTED, buf, outer_len, &data); if (ret) { - krb5_warn (context, ret, "krb5_decrypt"); + krb5_warn (CONTEXT(kc), ret, "krb5_decrypt"); return -1; } if (data_len > data.length) { @@ -177,17 +181,16 @@ static ssize_t krb5_write(kx_context *kc, int fd, const void *buf, size_t len) { - krb5_kx_context *c = (krb5_kx_context *)kc->data; - krb5_context context = c->context; krb5_data data; krb5_error_code ret; unsigned char tmp[4]; size_t outlen; - ret = krb5_encrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED, + ret = krb5_encrypt (CONTEXT(kc), K5DATA(kc)->crypto, + KRB5_KU_OTHER_ENCRYPTED, (void *)buf, len, &data); if (ret){ - krb5_warn (context, ret, "krb5_write"); + krb5_warn (CONTEXT(kc), ret, "krb5_write"); return -1; } 
@@ -197,8 +200,8 @@ krb5_write(kx_context *kc, tmp[2] = (len >> 8) & 0xFF; tmp[3] = (len >> 0) & 0xFF; - if (krb5_net_write (context, &fd, tmp, 4) != 4 || - krb5_net_write (context, &fd, data.data, outlen) != outlen) { + if (krb5_net_write (CONTEXT(kc), &fd, tmp, 4) != 4 || + krb5_net_write (CONTEXT(kc), &fd, data.data, outlen) != outlen) { krb5_data_free (&data); return -1; } @@ -221,7 +224,7 @@ copy_out (kx_context *kc, int from_fd, int to_fd) if (len == 0) return 0; if (len < 0) { - warn ("read"); + krb5_warn (CONTEXT(kc), errno, "read"); return len; } return krb5_write (kc, to_fd, buf, len); @@ -235,7 +238,6 @@ copy_out (kx_context *kc, int from_fd, int to_fd) static int copy_in (kx_context *kc, int from_fd, int to_fd) { - krb5_kx_context *c = (krb5_kx_context *)kc->data; char buf[33000]; /* XXX */ ssize_t len; @@ -244,11 +246,11 @@ copy_in (kx_context *kc, int from_fd, int to_fd) if (len == 0) return 0; if (len < 0) { - warn ("krb5_read"); + krb5_warn (CONTEXT(kc), errno, "krb5_read"); return len; } - return krb5_net_write (c->context, &to_fd, buf, len); + return krb5_net_write (CONTEXT(kc), &to_fd, buf, len); } /* @@ -264,7 +266,7 @@ krb5_copy_encrypted (kx_context *kc, int fd1, int fd2) int ret; if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) { - warnx ("fd too large"); + krb5_warnx (CONTEXT(kc), "fd too large"); return 1; } @@ -274,7 +276,7 @@ krb5_copy_encrypted (kx_context *kc, int fd1, int fd2) ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL); if (ret < 0 && errno != EINTR) { - warn ("select"); + krb5_warn (CONTEXT(kc), errno, "select"); return 1; } if (FD_ISSET(fd1, &fdset)) { 
@@ -298,17 +300,15 @@ krb5_copy_encrypted (kx_context *kc, int fd1, int fd2) static int krb5_userok (kx_context *kc, char *user) { - krb5_kx_context *c = (krb5_kx_context *)kc->data; - krb5_context context = c->context; krb5_error_code ret; char *tmp; - ret = krb5_unparse_name (context, c->client, &tmp); + ret = krb5_unparse_name (CONTEXT(kc), K5DATA(kc)->client, &tmp); if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name"); + krb5_err (CONTEXT(kc), 1, ret, "krb5_unparse_name"); kc->user = tmp; - return !krb5_kuserok (context, c->client, user); + return !krb5_kuserok (CONTEXT(kc), K5DATA(kc)->client, user); } /* @@ -330,13 +330,17 @@ krb5_make_context (kx_context *kc) kc->user = NULL; kc->data = malloc(sizeof(krb5_kx_context)); - if (kc->data == NULL) - err (1, "malloc"); + if (kc->data == NULL) { + syslog (LOG_ERR, "failed to malloc %u bytes", sizeof(krb5_kx_context)); + exit(1); + } memset (kc->data, 0, sizeof(krb5_kx_context)); c = (krb5_kx_context *)kc->data; ret = krb5_init_context (&c->context); - if (ret) - errx (1, "krb5_init_context failed: %d", ret); + if (ret) { + syslog (LOG_ERR, "failed initialise krb5 context"); + exit(1); + } } /* @@ -349,8 +353,6 @@ recv_v5_auth (kx_context *kc, int sock, u_char *buf) { u_int32_t len; krb5_error_code ret; - krb5_kx_context *c; - krb5_context context; krb5_principal server; krb5_auth_context auth_context = NULL; krb5_ticket *ticket; 
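Review bot: `syslog (LOG_ERR, "failed to malloc %u bytes", sizeof(krb5_kx_context));` passes a `size_t` to `%u`, which is undefined wherever `size_t` is wider than `unsigned int` (every 64-bit target this will run on); use `"%lu"` with `(unsigned long)sizeof(krb5_kx_context)`. The krb5_init_context failure path also dropped the error code that the replaced `errx` printed — `syslog (LOG_ERR, "krb5_init_context failed: %d", ret);` keeps it, and since no context exists yet the raw integer is the best diagnostic available. Both lines are in the krb5_make_context hunk.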
@@ -369,18 +371,18 @@ recv_v5_auth (kx_context *kc, int sock, u_char *buf) } krb5_make_context (kc); - c = (krb5_kx_context *)kc->data; - context = c->context; + krb5_openlog(CONTEXT(kc), "kxd", &K5DATA(kc)->log); + krb5_set_warn_dest(CONTEXT(kc), K5DATA(kc)->log); - ret = krb5_sock_to_principal (context, sock, "host", + ret = krb5_sock_to_principal (CONTEXT(kc), sock, "host", KRB5_NT_SRV_HST, &server); if (ret) { syslog (LOG_ERR, "krb5_sock_to_principal: %s", - krb5_get_err_text (context, ret)); + krb5_get_err_text (CONTEXT(kc), ret)); exit (1); } - ret = krb5_recvauth (context, + ret = krb5_recvauth (CONTEXT(kc), &auth_context, &sock, KX_VERSION, @@ -388,30 +390,30 @@ recv_v5_auth (kx_context *kc, int sock, u_char *buf) KRB5_RECVAUTH_IGNORE_VERSION, NULL, &ticket); - krb5_free_principal (context, server); + krb5_free_principal (CONTEXT(kc), server); if (ret) { syslog (LOG_ERR, "krb5_sock_to_principal: %s", - krb5_get_err_text (context, ret)); + krb5_get_err_text (CONTEXT(kc), ret)); exit (1); } - ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock); + ret = krb5_auth_con_getkey (CONTEXT(kc), auth_context, &K5DATA(kc)->keyblock); if (ret) { syslog (LOG_ERR, "krb5_auth_con_getkey: %s", - krb5_get_err_text (context, ret)); + krb5_get_err_text (CONTEXT(kc), ret)); exit (1); } - ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto); + ret = krb5_crypto_init (CONTEXT(kc), K5DATA(kc)->keyblock, 0, &K5DATA(kc)->crypto); if (ret) { syslog (LOG_ERR, "krb5_crypto_init: %s", - krb5_get_err_text (context, ret)); + krb5_get_err_text (CONTEXT(kc), ret)); exit (1); } - c->client = ticket->client; + K5DATA(kc)->client = ticket->client; ticket->client = NULL; - krb5_free_ticket (context, ticket); + krb5_free_ticket (CONTEXT(kc), ticket); return 0; } diff --git a/appl/kx/kxd.c b/appl/kx/kxd.c index 59dbce9c4..b6e3deaa1 100644 --- a/appl/kx/kxd.c +++ b/appl/kx/kxd.c 
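Review bot: The error branch after krb5_recvauth() still logs `"krb5_sock_to_principal: %s"`, a copy of the previous branch's label, so a failed authentication from the peer is reported as a principal-lookup failure — exactly the distinction an operator reading kxd's syslog needs. Change it to `syslog (LOG_ERR, "krb5_recvauth: %s", krb5_get_err_text (CONTEXT(kc), ret));`. In the preceding hunk the return values of krb5_openlog() and krb5_set_warn_dest() are ignored; if krb5_openlog fails the `log` pointer stays NULL and later krb5_warn calls fall back to stderr, i.e. to the client's TCP connection, which the kx ChangeLog entry says this change set out to stop, so at least syslog that failure.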
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -128,7 +128,7 @@ recv_conn (int sock, kx_context *kc, exit (1); } kc->thisaddr_len = addrlen; - addrlen = sizeof(kc->thataddr); + addrlen = sizeof(kc->__ss_that); kc->thataddr = (struct sockaddr*)&kc->__ss_that; if (getpeername (sock, kc->thataddr, &addrlen) < 0) { syslog (LOG_ERR, "getpeername: %m"); @@ -226,11 +226,11 @@ recv_conn (int sock, kx_context *kc, fatal (kc, sock, "cannot set uid"); } - ret = getnameinfo((struct sockaddr *)&kc->thataddr, kc->thataddr_len, + ret = getnameinfo(kc->thataddr, kc->thataddr_len, remoteaddr, sizeof(remoteaddr), NULL, 0, NI_NUMERICHOST); if (ret != 0) - fatal (kc, sock, "getnameinfo failed"); + fatal (kc, sock, "getnameinfo failed: %s", gai_strerror(ret)); syslog (LOG_INFO, "from %s(%s): %s -> %s", remotehost, remoteaddr, diff --git a/appl/login/ChangeLog b/appl/login/ChangeLog index 9fcd5d2ea..3da323743 100644 --- a/appl/login/ChangeLog +++ b/appl/login/ChangeLog @@ -1,3 +1,8 @@ +2004-09-08 Johan Danielsson + + * login.c: pull up 1.62->1.63: use krb5_appdefault_boolean instead + of krb5_config_get_bool + 2003-03-24 Johan Danielsson * Makefile.am: install man pages diff --git a/appl/login/login.c b/appl/login/login.c index 2c828130d..e631301b7 100644 --- a/appl/login/login.c +++ b/appl/login/login.c 
@@ -181,21 +181,19 @@ krb5_to4 (krb5_ccache id) int get_v4_tgt; - get_v4_tgt = krb5_config_get_bool(context, NULL, - "libdefaults", - "krb4_get_tickets", - NULL); - ret = krb5_cc_get_principal(context, id, &princ); - if (ret == 0) { - get_v4_tgt = krb5_config_get_bool_default(context, NULL, - get_v4_tgt, - "realms", - *krb5_princ_realm(context, - princ), - "krb4_get_tickets", - NULL); + if(ret == 0) { + krb5_appdefault_boolean(context, "login", + krb5_principal_get_realm(context, princ), + "krb4_get_tickets", FALSE, &get_v4_tgt); krb5_free_principal(context, princ); + } else { + krb5_realm realm = NULL; + krb5_get_default_realm(context, &realm); + krb5_appdefault_boolean(context, "login", + realm, + "krb4_get_tickets", FALSE, &get_v4_tgt); + free(realm); } if (get_v4_tgt) { diff --git a/appl/popper/ChangeLog b/appl/popper/ChangeLog index 9b463c2e7..33d7b2cad 100644 --- a/appl/popper/ChangeLog +++ b/appl/popper/ChangeLog @@ -1,3 +1,9 @@ +2003-10-13 Love + + * pop_init.c: 1.58->1.59: (pop_init): change call to + authentication function, from a ?: construct (which toubles some + versions of gcc) to if; from Björn Grönvall + 2003-04-16 Love Hörnquist Åstrand * popper.8: spelling, from jmc diff --git a/appl/popper/pop_init.c b/appl/popper/pop_init.c index d22dd98f6..9904ee5b1 100644 --- a/appl/popper/pop_init.c +++ b/appl/popper/pop_init.c @@ -394,5 +394,8 @@ pop_init(POP *p,int argcount,char **argmessage) #endif /* DEBUG */ - return((p->kerberosp ? krb_authenticate : plain_authenticate)(p, cs)); + if(p->kerberosp) + return krb_authenticate(p, cs); + else + return plain_authenticate(p, cs); } diff --git a/appl/push/ChangeLog b/appl/push/ChangeLog index e90e34e85..e15818104 100644 --- a/appl/push/ChangeLog +++ b/appl/push/ChangeLog @@ -1,3 +1,7 @@ +2004-06-21 Love Hörnquist Åstrand + + * push.c: 1.48: alloc memory to handle very long lines + 2003-04-03 Assar Westerlund * push.c: fixed one incorrect fprintf to stderr 
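Review bot: In the new else branch, `krb5_get_default_realm(context, &realm);` discards its return value; on failure `realm` stays NULL and is handed to `krb5_appdefault_boolean` as the realm, so the lookup silently proceeds without a realm instead of the failure being noticed. Check the result, e.g. `if (krb5_get_default_realm(context, &realm) == 0) {` around the lookup and the `free(realm)`, with `get_v4_tgt = FALSE;` as the fallback so the variable is never read uninitialised. krb5_to4 starts before this hunk and the `if (get_v4_tgt)` block that consumes the result continues after it.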
diff --git a/appl/push/push.c b/appl/push/push.c index 1d51992a8..43e3b1037 100644 --- a/appl/push/push.c +++ b/appl/push/push.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2001, 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -214,9 +214,10 @@ doit(int s, int ret; char out_buf[PUSH_BUFSIZ]; int out_len = 0; - char in_buf[PUSH_BUFSIZ + 1]; /* sentinel */ + char *in_buf; + size_t in_buf_size; size_t in_len = 0; - char *in_ptr = in_buf; + char *in_ptr; pop_state state = INIT; unsigned count, bytes; unsigned asked_for = 0, retrieved = 0, asked_deleted = 0, deleted = 0; @@ -231,6 +232,10 @@ doit(int s, int i; char *tmp = NULL; + in_buf = emalloc(PUSH_BUFSIZ + 1); + in_ptr = in_buf; + in_buf_size = PUSH_BUFSIZ; + if (do_from) { char *tmp2; @@ -310,7 +315,14 @@ doit(int s, size_t rem; int blank_line = 0; - ret = read (s, in_ptr, sizeof(in_buf) - in_len - 1); + if(in_len >= in_buf_size) { + char *tmp = erealloc(in_buf, in_buf_size + PUSH_BUFSIZ + 1); + in_ptr = tmp + (in_ptr - in_buf); + in_buf = tmp; + in_buf_size += PUSH_BUFSIZ; + } + + ret = read (s, in_ptr, in_buf_size - in_len); if (ret < 0) err (1, "read"); else if (ret == 0) diff --git a/appl/rsh/rshd.c b/appl/rsh/rshd.c index 47cadde47..defc8d415 100644 --- a/appl/rsh/rshd.c +++ b/appl/rsh/rshd.c @@ -919,7 +919,7 @@ struct getargs args[] = { "port" }, { "vacuous", 'v', arg_flag, &do_vacuous, "Don't accept non-kerberised connections" }, -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) { NULL, 'P', arg_negative_flag, &do_newpag, "Don't put process in new PAG" }, #endif diff --git a/appl/su/ChangeLog b/appl/su/ChangeLog index ac9cfdb74..7420d85ee 100644 --- a/appl/su/ChangeLog +++ b/appl/su/ChangeLog 
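Review bot: The growth step in the `@@ -310` hunk has no upper bound: whenever `in_len` reaches `in_buf_size` the buffer grows by another PUSH_BUFSIZ, so a server that keeps sending without a line terminator drives the allocation up without limit; a maximum line length, after which the line is rejected as malformed, would bound it. The `char *tmp` declared in that block shadows the function-scope `char *tmp = NULL;` visible as context in the `@@ -231` hunk; a distinct name such as `char *new_buf = erealloc(in_buf, in_buf_size + PUSH_BUFSIZ + 1);` avoids the shadowing warning and the confusion. The `+ 1` in both the emalloc and erealloc sizes takes over the role of the old `/* sentinel */` comment that the commit removes; restore it on the allocation, `in_buf = emalloc(PUSH_BUFSIZ + 1); /* + 1: sentinel byte */`. doit's body begins before and ends after these hunks.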
@@ -1,3 +1,8 @@ +2003-05-06 Johan Danielsson + + * su.c: remove accidentally committed code that prints the command + being executed + 2003-03-18 Love Hörnquist Åstrand * su.c (krb5_start_session): krb5_afslog doesn't depend on KRB4 diff --git a/appl/su/su.c b/appl/su/su.c index 97930a5ae..6602799d3 100644 --- a/appl/su/su.c +++ b/appl/su/su.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -544,12 +544,6 @@ main(int argc, char **argv) if (ok == 4) krb_start_session(); #endif - { - char **p; - for(p = args; *p; p++) - printf("%s ", *p); - printf("\n"); - } execv(shell, args); } diff --git a/appl/telnet/ChangeLog b/appl/telnet/ChangeLog index f69687133..610655763 100644 --- a/appl/telnet/ChangeLog +++ b/appl/telnet/ChangeLog @@ -1,3 +1,21 @@ +2004-06-21 Love Hörnquist Åstrand + + * telnet/network.c: 1.12: make network rings larger From: MAAAAA + MOOOR + + * telnetd/state.c: 1.14: make subbuffer larger XXX resize + dynamicly From: MAAAAA MOOOR + + * libtelnet/kerberos5.c: 1.54: (Data): allocate the data needed to + be send + From: MAAAAA MOOOR + +2004-03-22 Love Hörnquist Åstrand + + * telnetd/telnetd.c: call setprogname to make libvers happy + + * telnet/main.c: call setprogname to make libvers happy + 2002-09-02 Johan Danielsson * libtelnet/kerberos5.c: set AP_OPTS_USE_SUBKEY diff --git a/appl/telnet/libtelnet/kerberos5.c b/appl/telnet/libtelnet/kerberos5.c index 192d4acfd..5229b6529 100644 --- a/appl/telnet/libtelnet/kerberos5.c +++ b/appl/telnet/libtelnet/kerberos5.c 
@@ -97,8 +97,7 @@ int forwardable(int); void kerberos5_forward (Authenticator *); -static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, - AUTHTYPE_KERBEROS_V5, }; +static unsigned char str_data[4] = { IAC, SB, TELOPT_AUTHENTICATION, 0 }; #define KRB_AUTH 0 /* Authentication data follows */ #define KRB_REJECT 1 /* Rejected (reason might follow) */ @@ -118,12 +117,25 @@ static krb5_auth_context auth_context; static int Data(Authenticator *ap, int type, void *d, int c) { - unsigned char *p = str_data + 4; unsigned char *cd = (unsigned char *)d; + unsigned char *p0, *p; + size_t len = sizeof(str_data) + 3 + 2; + int ret; if (c == -1) c = strlen((char*)cd); + for (p = cd; p - cd < c; p++, len++) + if (*p == IAC) + len++; + + p0 = malloc(len); + if (p0 == NULL) + return 0; + + memcpy(p0, str_data, sizeof(str_data)); + p = p0 + sizeof(str_data); + if (auth_debug_mode) { printf("%s:%d: [%d] (%d)", str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", @@ -142,8 +154,10 @@ Data(Authenticator *ap, int type, void *d, int c) *p++ = IAC; *p++ = SE; if (str_data[3] == TELQUAL_IS) - printsub('>', &str_data[2], p - &str_data[2]); - return(telnet_net_write(str_data, p - str_data)); + printsub('>', &p0[2], len - 2); + ret = telnet_net_write(p0, len); + free(p0); + return ret; } int diff --git a/appl/telnet/telnet/main.c b/appl/telnet/telnet/main.c index 6e528cfaf..58730aae3 100644 --- a/appl/telnet/telnet/main.c +++ b/appl/telnet/telnet/main.c @@ -160,6 +160,8 @@ main(int argc, char **argv) int ch; char *user; + setprogname(argv[0]); + #ifdef KRB5 krb5_init(); #endif diff --git a/appl/telnet/telnet/network.c b/appl/telnet/telnet/network.c index f1d76f2c0..6c1ed53a3 100644 --- a/appl/telnet/telnet/network.c +++ b/appl/telnet/telnet/network.c @@ -36,7 +36,8 @@ RCSID("$Id$"); Ring netoring, netiring; -unsigned char netobuf[2*BUFSIZ], netibuf[BUFSIZ]; +size_t netobufsize = 64*1024; +size_t netibufsize = 64*1024; /* * Initialize internal network data structures. 
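Review bot: `size_t len = sizeof(str_data) + 3 + 2;` in the Data() hunk relies on two bare constants; the `2` matches the `IAC`, `SE` pair written at the end, and the `3` presumably covers the sub-option bytes emitted between the two hunks, which are not in this diff, so a comment such as `/* header, 3 suboption bytes, IAC SE */` is needed for a reader to verify that the malloc size equals what is written. On malloc failure the function returns 0 with no diagnostic; if 0 is also a legitimate telnet_net_write result the caller cannot tell the two cases apart, so at least an `auth_debug_mode` message is worth adding there. Data's signature is in the first hunk; the middle of its body lies outside the diff.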
@@ -45,10 +46,17 @@ unsigned char netobuf[2*BUFSIZ], netibuf[BUFSIZ]; void init_network(void) { - if (ring_init(&netoring, netobuf, sizeof netobuf) != 1) { + void *obuf, *ibuf; + + if ((obuf = malloc(netobufsize)) == NULL) + exit(1); + if ((ibuf = malloc(netibufsize)) == NULL) + exit(1); + + if (ring_init(&netoring, obuf, netobufsize) != 1) { exit(1); } - if (ring_init(&netiring, netibuf, sizeof netibuf) != 1) { + if (ring_init(&netiring, ibuf, netibufsize) != 1) { exit(1); } NetTrace = stdout; diff --git a/appl/telnet/telnetd/state.c b/appl/telnet/telnetd/state.c index 2edfa28db..c679dfd0b 100644 --- a/appl/telnet/telnetd/state.c +++ b/appl/telnet/telnetd/state.c @@ -45,7 +45,7 @@ int not42 = 1; * Buffer for sub-options, and macros * for suboptions buffer manipulations */ -unsigned char subbuffer[2048], *subpointer= subbuffer, *subend= subbuffer; +unsigned char subbuffer[1024*64], *subpointer= subbuffer, *subend= subbuffer; #define SB_CLEAR() subpointer = subbuffer #define SB_TERM() { subend = subpointer; SB_CLEAR(); } @@ -1284,6 +1284,7 @@ doclientstat(void) clientstat(TELOPT_LINEMODE, WILL, 0); } +#undef ADD #define ADD(c) *ncp++ = c #define ADD_DATA(c) { *ncp++ = c; if (c == SE || c == IAC) *ncp++ = c; } diff --git a/appl/telnet/telnetd/telnetd.c b/appl/telnet/telnetd/telnetd.c index 0d4b3c7bf..b5c38dc2b 100644 --- a/appl/telnet/telnetd/telnetd.c +++ b/appl/telnet/telnetd/telnetd.c @@ -163,6 +163,8 @@ main(int argc, char **argv) netip = netibuf; nfrontp = nbackp = netobuf; + setprogname(argv[0]); + progname = *argv; #ifdef ENCRYPTION nclearto = 0; diff --git a/appl/xnlock/ChangeLog b/appl/xnlock/ChangeLog index 93fdb3304..ca1da3750 100644 --- a/appl/xnlock/ChangeLog +++ b/appl/xnlock/ChangeLog 
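Review bot: The two new `malloc` failure paths in init_network call `exit(1)` without any diagnostic, so an allocation failure at startup is indistinguishable from the ring_init failures below, which exit the same way. Stdio is already in use here (`NetTrace = stdout;`), so a message costs nothing: `fprintf(stderr, "init_network: cannot allocate %lu bytes\n", (unsigned long)netobufsize);` before each exit. init_network's signature is in the hunk; the rest of its body follows it.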
@@ -1,3 +1,25 @@ +2004-09-08 Johan Danielsson + + * xnlock.c: pull up 1.99->1.100: use krb5_appdefault_boolean + instead of krb5_config_get_bool + +2004-03-22 Johan Danielsson + + * xnlock.c: protect the world from des_encrypt in crypt.h + +2004-03-01 Love Hörnquist Åstrand + + * xnlock.c: include , From: Fredrik Ljungberg + + +2003-05-06 Johan Danielsson + + * no checks here + +2003-04-29 Love Hörnquist Åstrand + + * xnlock.c: include kafs.h in the krb5 case + 2003-04-14 Love Hörnquist Åstrand * xnlock.c (GetPasswd): cast argument to isprint to unsigned char, diff --git a/appl/xnlock/Makefile.am b/appl/xnlock/Makefile.am index a36bb6631..43615a3ca 100644 --- a/appl/xnlock/Makefile.am +++ b/appl/xnlock/Makefile.am @@ -16,6 +16,8 @@ bin_PROGRAMS = endif +CHECK_LOCAL = + man_MANS = xnlock.1 EXTRA_DIST = $(man_MANS) nose.0.left nose.0.right nose.1.left nose.1.right \ diff --git a/appl/xnlock/xnlock.c b/appl/xnlock/xnlock.c index e2ce4dbcc..ade0b8afe 100644 --- a/appl/xnlock/xnlock.c +++ b/appl/xnlock/xnlock.c @@ -30,12 +30,20 @@ RCSID("$Id$"); #ifdef HAVE_PWD_H #include #endif +#ifdef HAVE_CRYPT_H +#undef des_encrypt +#define des_encrypt wingless_pigs_mostly_fail_to_fly +#include +#undef des_encrypt +#endif #ifdef KRB5 #include #endif #ifdef KRB4 #include +#endif +#if defined(KRB4) || defined(KRB5) #include #endif @@ -571,6 +579,7 @@ verify_krb5(const char *password) { krb5_error_code ret; krb5_ccache id; + krb5_boolean get_v4_tgt; krb5_cc_default(context, &id); ret = krb5_verify_user(context, @@ -581,10 +590,10 @@ verify_krb5(const char *password) NULL); if (ret == 0){ #ifdef KRB4 - if (krb5_config_get_bool(context, NULL, - "libdefaults", - "krb4_get_tickets", - NULL)) { + krb5_appdefault_boolean(context, "xnlock", + krb5_principal_get_realm(context, client), + "krb4_get_tickets", FALSE, &get_v4_tgt); + if(get_v4_tgt) { CREDENTIALS c; krb5_creds mcred, cred; diff --git a/cf/ChangeLog b/cf/ChangeLog index 0d4257831..1018925c9 100644 --- a/cf/ChangeLog 
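Review bot: The `#define des_encrypt wingless_pigs_mostly_fail_to_fly` wrapper around the crypt.h include in the `@@ -30` hunk carries no comment, so a reader cannot tell it is a deliberate workaround, presumably for a `des_encrypt` declaration in some systems' crypt.h colliding with the Kerberos DES API, rather than leftover debugging. Add one above the block, `/* some crypt.h declare des_encrypt(), which conflicts with the DES API used here; rename it while the header is included */`.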
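Review bot: `krb5_boolean get_v4_tgt;` is declared unconditionally in the `@@ -571` hunk, but its only use, the `krb5_appdefault_boolean` call in the `@@ -581` hunk, sits inside `#ifdef KRB4`, so a KRB5-only build gets an unused-variable warning. Wrap the declaration the same way: `#ifdef KRB4` / `krb5_boolean get_v4_tgt;` / `#endif`. verify_krb5's signature is in the first hunk's header line and its body continues after the second hunk.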
+++ b/cf/ChangeLog @@ -1,3 +1,17 @@ +2003-08-15 Love + + * check-compile-et.m4: 1.7->1.8: check if compile_et support + ``error_table N M'' also, don't be overly aggressivly reset CFLAGS + +2003-05-08 Johan Danielsson + + * Makefile.am.common: change install-data-local to + install-data-hook + +2003-05-05 Assar Westerlund + + * crypto.m4: define OPENSSL_DES_LIBDES_COMPATIBILITY + 2003-04-03 Love Hörnquist Åstrand * crypto.m4: check if libcrypto needs -lnsl or -lsocket diff --git a/cf/Makefile.am.common b/cf/Makefile.am.common index e93f7853a..411c5dde7 100644 --- a/cf/Makefile.am.common +++ b/cf/Makefile.am.common @@ -1,7 +1,5 @@ # $Id$ -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - SUFFIXES = .et .h INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) @@ -190,7 +188,7 @@ dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans install-cat-mans: $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) -install-data-local: install-cat-mans +install-data-hook: install-cat-mans .et.h: diff --git a/cf/aix.m4 b/cf/aix.m4 index 57015a9ae..db4b982ea 100644 --- a/cf/aix.m4 +++ b/cf/aix.m4 @@ -2,7 +2,7 @@ dnl dnl $Id$ dnl -AC_DEFUN(rk_AIX,[ +AC_DEFUN([rk_AIX],[ aix=no case "$host" in diff --git a/cf/auth-modules.m4 b/cf/auth-modules.m4 index 93e2195ad..e27de4bd8 100644 --- a/cf/auth-modules.m4 +++ b/cf/auth-modules.m4 @@ -4,7 +4,7 @@ dnl Figure what authentication modules should be built dnl dnl rk_AUTH_MODULES(module-list) -AC_DEFUN(rk_AUTH_MODULES,[ +AC_DEFUN([rk_AUTH_MODULES],[ AC_MSG_CHECKING([which authentication modules should be built]) z='m4_ifval([$1], $1, [sia pam afskauthlib])' diff --git a/cf/broken-getaddrinfo.m4 b/cf/broken-getaddrinfo.m4 index e2619475c..6115856a7 100644 --- a/cf/broken-getaddrinfo.m4 +++ b/cf/broken-getaddrinfo.m4 
@@ -2,7 +2,7 @@ dnl $Id$ dnl dnl test if getaddrinfo can handle numeric services -AC_DEFUN(rk_BROKEN_GETADDRINFO,[ +AC_DEFUN([rk_BROKEN_GETADDRINFO],[ AC_CACHE_CHECK([if getaddrinfo handles numeric services], ac_cv_func_getaddrinfo_numserv, AC_TRY_RUN([[#include #include diff --git a/cf/broken-getnameinfo.m4 b/cf/broken-getnameinfo.m4 index b2d51c90d..d7d36e1df 100644 --- a/cf/broken-getnameinfo.m4 +++ b/cf/broken-getnameinfo.m4 @@ -2,7 +2,7 @@ dnl $Id$ dnl dnl test for broken AIX getnameinfo -AC_DEFUN(rk_BROKEN_GETNAMEINFO,[ +AC_DEFUN([rk_BROKEN_GETNAMEINFO],[ AC_CACHE_CHECK([if getnameinfo is broken], ac_cv_func_getnameinfo_broken, AC_TRY_RUN([[#include #include diff --git a/cf/broken-glob.m4 b/cf/broken-glob.m4 index 5914b4c8b..e4eaa3547 100644 --- a/cf/broken-glob.m4 +++ b/cf/broken-glob.m4 @@ -2,7 +2,7 @@ dnl $Id$ dnl dnl check for glob(3) dnl -AC_DEFUN(AC_BROKEN_GLOB,[ +AC_DEFUN([AC_BROKEN_GLOB],[ AC_CACHE_CHECK(for working glob, ac_cv_func_glob_working, ac_cv_func_glob_working=yes AC_TRY_LINK([ diff --git a/cf/broken-realloc.m4 b/cf/broken-realloc.m4 index 0de8afb4d..83feac796 100644 --- a/cf/broken-realloc.m4 +++ b/cf/broken-realloc.m4 @@ -3,7 +3,7 @@ dnl $Id$ dnl dnl Test for realloc that doesn't handle NULL as first parameter dnl -AC_DEFUN(rk_BROKEN_REALLOC, [ +AC_DEFUN([rk_BROKEN_REALLOC], [ AC_CACHE_CHECK(if realloc if broken, ac_cv_func_realloc_broken, [ ac_cv_func_realloc_broken=no AC_TRY_RUN([ diff --git a/cf/broken-snprintf.m4 b/cf/broken-snprintf.m4 index 720ec662a..68964c6a9 100644 --- a/cf/broken-snprintf.m4 +++ b/cf/broken-snprintf.m4 @@ -1,6 +1,6 @@ dnl $Id$ dnl -AC_DEFUN(AC_BROKEN_SNPRINTF, [ +AC_DEFUN([AC_BROKEN_SNPRINTF], [ AC_CACHE_CHECK(for working snprintf,ac_cv_func_snprintf_working, ac_cv_func_snprintf_working=yes AC_TRY_RUN([ 
@@ -21,7 +21,7 @@ AC_NEED_PROTO([#include ],snprintf) fi ]) -AC_DEFUN(AC_BROKEN_VSNPRINTF,[ +AC_DEFUN([AC_BROKEN_VSNPRINTF],[ AC_CACHE_CHECK(for working vsnprintf,ac_cv_func_vsnprintf_working, ac_cv_func_vsnprintf_working=yes AC_TRY_RUN([ diff --git a/cf/c-attribute.m4 b/cf/c-attribute.m4 index 88c872eec..a263bcc4c 100644 --- a/cf/c-attribute.m4 +++ b/cf/c-attribute.m4 @@ -6,7 +6,7 @@ dnl dnl Test for __attribute__ dnl -AC_DEFUN(AC_C___ATTRIBUTE__, [ +AC_DEFUN([AC_C___ATTRIBUTE__], [ AC_MSG_CHECKING(for __attribute__) AC_CACHE_VAL(ac_cv___attribute__, [ AC_TRY_COMPILE([ diff --git a/cf/c-function.m4 b/cf/c-function.m4 index 5ce48f9dd..b2f1eb9b1 100644 --- a/cf/c-function.m4 +++ b/cf/c-function.m4 @@ -6,7 +6,7 @@ dnl dnl Test for __FUNCTION__ dnl -AC_DEFUN(AC_C___FUNCTION__, [ +AC_DEFUN([AC_C___FUNCTION__], [ AC_MSG_CHECKING(for __FUNCTION__) AC_CACHE_VAL(ac_cv___function__, [ AC_TRY_RUN([ diff --git a/cf/capabilities.m4 b/cf/capabilities.m4 index 5375b0828..4178b3c0a 100644 --- a/cf/capabilities.m4 +++ b/cf/capabilities.m4 @@ -6,7 +6,7 @@ dnl dnl Test SGI capabilities dnl -AC_DEFUN(KRB_CAPABILITIES,[ +AC_DEFUN([KRB_CAPABILITIES],[ AC_CHECK_HEADERS(capability.h sys/capability.h) diff --git a/cf/check-compile-et.m4 b/cf/check-compile-et.m4 index ae481f778..3370092d1 100644 --- a/cf/check-compile-et.m4 +++ b/cf/check-compile-et.m4 @@ -12,7 +12,7 @@ if test "${COMPILE_ET}" = "compile_et"; then dnl We have compile_et. Now let's see if it supports `prefix' and `index'. AC_MSG_CHECKING(whether compile_et has the features we need) cat > conftest_et.et <<'EOF' -error_table conf +error_table test conf prefix CONFTEST index 1 error_code CODE1, "CODE1" @@ -22,7 +22,7 @@ end EOF if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then dnl XXX Some systems have . - save_CPPFLAGS="${save_CPPFLAGS}" + save_CPPFLAGS="${CPPFLAGS}" if test -d "/usr/include/et"; then CPPFLAGS="-I/usr/include/et ${CPPFLAGS}" fi 
@@ -31,18 +31,18 @@ if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then #include #include #include "conftest_et.h" -int main(){return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;} +int main(){ +#ifndef ERROR_TABLE_BASE_conf +#error compile_et does not handle error_table N M +#endif +return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;} ], [krb_cv_compile_et="yes"],[CPPFLAGS="${save_CPPFLAGS}"]) fi AC_MSG_RESULT(${krb_cv_compile_et}) if test "${krb_cv_compile_et}" = "yes"; then AC_MSG_CHECKING(for if com_err needs to have a initialize_error_table_r) - save2_CPPFLAGS="$CPPFLAGS" - CPPFLAGS="$CPPFLAGS" AC_EGREP_CPP(initialize_error_table_r,[#include "conftest_et.c"], - [krb_cv_com_err_need_r="initialize_error_table_r(0,0,0,0);" - CPPFLAGS="$save2_CPPFLAGS"], - [CPPFLAGS="${save_CPPFLAGS}"]) + [krb_cv_com_err_need_r="initialize_error_table_r(0,0,0,0);"]) if test X"$krb_cv_com_err_need_r" = X ; then AC_MSG_RESULT(no) else diff --git a/cf/check-declaration.m4 b/cf/check-declaration.m4 index 8f3606006..76b311e53 100644 --- a/cf/check-declaration.m4 +++ b/cf/check-declaration.m4 @@ -5,7 +5,7 @@ dnl Check if we need the declaration of a variable dnl dnl AC_HAVE_DECLARATION(includes, variable) -AC_DEFUN(AC_CHECK_DECLARATION, [ +AC_DEFUN([AC_CHECK_DECLARATION], [ AC_MSG_CHECKING([if $2 is properly declared]) AC_CACHE_VAL(ac_cv_var_$2_declaration, [ AC_TRY_COMPILE([$1 diff --git a/cf/check-getpwnam_r-posix.m4 b/cf/check-getpwnam_r-posix.m4 index 82bcba630..2477837e7 100644 --- a/cf/check-getpwnam_r-posix.m4 +++ b/cf/check-getpwnam_r-posix.m4 @@ -2,7 +2,7 @@ dnl $Id$ dnl dnl check for getpwnam_r, and if it's posix or not -AC_DEFUN(AC_CHECK_GETPWNAM_R_POSIX,[ +AC_DEFUN([AC_CHECK_GETPWNAM_R_POSIX],[ AC_FIND_FUNC_NO_LIBS(getpwnam_r,c_r) if test "$ac_cv_func_getpwnam_r" = yes; then AC_CACHE_CHECK(if getpwnam_r is posix,ac_cv_func_getpwnam_r_posix, diff --git a/cf/check-man.m4 b/cf/check-man.m4 index 9a7a32902..c0c05d737 100644 --- a/cf/check-man.m4 +++ b/cf/check-man.m4 
@@ -2,7 +2,7 @@ dnl $Id$ dnl check how to format manual pages dnl -AC_DEFUN(rk_CHECK_MAN, +AC_DEFUN([rk_CHECK_MAN], [AC_PATH_PROG(NROFF, nroff) AC_PATH_PROG(GROFF, groff) AC_CACHE_CHECK(how to format man pages,ac_cv_sys_man_format, diff --git a/cf/check-netinet-ip-and-tcp.m4 b/cf/check-netinet-ip-and-tcp.m4 index 657f86f8c..9458ff123 100644 --- a/cf/check-netinet-ip-and-tcp.m4 +++ b/cf/check-netinet-ip-and-tcp.m4 @@ -5,7 +5,7 @@ dnl dnl extra magic check for netinet/{ip.h,tcp.h} because on irix 6.5.3 dnl you have to include standards.h before including these files -AC_DEFUN(CHECK_NETINET_IP_AND_TCP, +AC_DEFUN([CHECK_NETINET_IP_AND_TCP], [ AC_CHECK_HEADERS(standards.h) for i in netinet/ip.h netinet/tcp.h; do diff --git a/cf/check-type-extra.m4 b/cf/check-type-extra.m4 index 68b789d64..f881120ae 100644 --- a/cf/check-type-extra.m4 +++ b/cf/check-type-extra.m4 @@ -3,7 +3,7 @@ dnl dnl ac_check_type + extra headers dnl AC_CHECK_TYPE_EXTRA(TYPE, DEFAULT, HEADERS) -AC_DEFUN(AC_CHECK_TYPE_EXTRA, +AC_DEFUN([AC_CHECK_TYPE_EXTRA], [AC_REQUIRE([AC_HEADER_STDC])dnl AC_MSG_CHECKING(for $1) AC_CACHE_VAL(ac_cv_type_$1, diff --git a/cf/check-x.m4 b/cf/check-x.m4 index 4eaa01d02..383bf2c1e 100644 --- a/cf/check-x.m4 +++ b/cf/check-x.m4 @@ -3,7 +3,7 @@ dnl See if there is any X11 present dnl dnl $Id$ -AC_DEFUN(KRB_CHECK_X,[ +AC_DEFUN([KRB_CHECK_X],[ AC_PATH_XTRA # try to figure out if we need any additional ld flags, like -R diff --git a/cf/check-xau.m4 b/cf/check-xau.m4 index 840bde3e5..553881137 100644 --- a/cf/check-xau.m4 +++ b/cf/check-xau.m4 @@ -2,7 +2,7 @@ dnl $Id$ dnl dnl check for Xau{Read,Write}Auth and XauFileName dnl -AC_DEFUN(AC_CHECK_XAU,[ +AC_DEFUN([AC_CHECK_XAU],[ save_CFLAGS="$CFLAGS" CFLAGS="$X_CFLAGS $CFLAGS" save_LIBS="$LIBS" diff --git a/cf/crypto.m4 b/cf/crypto.m4 index 5fa3b1008..6c5967938 100644 --- a/cf/crypto.m4 +++ b/cf/crypto.m4 
@@ -11,6 +11,7 @@ m4_define([test_headers], [ #include #include #include + #define OPENSSL_DES_LIBDES_COMPATIBILITY #include #include #include diff --git a/cf/find-func-no-libs.m4 b/cf/find-func-no-libs.m4 index d1cc9a01d..f3413409f 100644 --- a/cf/find-func-no-libs.m4 +++ b/cf/find-func-no-libs.m4 @@ -5,5 +5,5 @@ dnl Look for function in any of the specified libraries dnl dnl AC_FIND_FUNC_NO_LIBS(func, libraries, includes, arguments, extra libs, extra args) -AC_DEFUN(AC_FIND_FUNC_NO_LIBS, [ +AC_DEFUN([AC_FIND_FUNC_NO_LIBS], [ AC_FIND_FUNC_NO_LIBS2([$1], ["" $2], [$3], [$4], [$5], [$6])]) diff --git a/cf/find-func-no-libs2.m4 b/cf/find-func-no-libs2.m4 index eb51d37cd..f9be91814 100644 --- a/cf/find-func-no-libs2.m4 +++ b/cf/find-func-no-libs2.m4 @@ -5,7 +5,7 @@ dnl Look for function in any of the specified libraries dnl dnl AC_FIND_FUNC_NO_LIBS2(func, libraries, includes, arguments, extra libs, extra args) -AC_DEFUN(AC_FIND_FUNC_NO_LIBS2, [ +AC_DEFUN([AC_FIND_FUNC_NO_LIBS2], [ AC_MSG_CHECKING([for $1]) AC_CACHE_VAL(ac_cv_funclib_$1, diff --git a/cf/find-func.m4 b/cf/find-func.m4 index c89b8d39e..865772a70 100644 --- a/cf/find-func.m4 +++ b/cf/find-func.m4 @@ -1,7 +1,7 @@ dnl $Id$ dnl dnl AC_FIND_FUNC(func, libraries, includes, arguments) -AC_DEFUN(AC_FIND_FUNC, [ +AC_DEFUN([AC_FIND_FUNC], [ AC_FIND_FUNC_NO_LIBS([$1], [$2], [$3], [$4]) if test -n "$LIB_$1"; then LIBS="$LIB_$1 $LIBS" diff --git a/cf/find-if-not-broken.m4 b/cf/find-if-not-broken.m4 index 156cc8ae4..1397616f4 100644 --- a/cf/find-if-not-broken.m4 +++ b/cf/find-if-not-broken.m4 @@ -4,7 +4,7 @@ dnl dnl Mix between AC_FIND_FUNC and AC_BROKEN dnl -AC_DEFUN(AC_FIND_IF_NOT_BROKEN, +AC_DEFUN([AC_FIND_IF_NOT_BROKEN], [AC_FIND_FUNC([$1], [$2], [$3], [$4]) if eval "test \"$ac_cv_func_$1\" != yes"; then rk_LIBOBJ([$1]) diff --git a/cf/have-pragma-weak.m4 b/cf/have-pragma-weak.m4 index 44cfca792..50af68846 100644 --- a/cf/have-pragma-weak.m4 +++ b/cf/have-pragma-weak.m4 
@@ -1,6 +1,6 @@ dnl $Id$ dnl -AC_DEFUN(AC_HAVE_PRAGMA_WEAK, [ +AC_DEFUN([AC_HAVE_PRAGMA_WEAK], [ if test "${enable_shared}" = "yes"; then AC_MSG_CHECKING(for pragma weak) AC_CACHE_VAL(ac_have_pragma_weak, [ diff --git a/cf/have-struct-field.m4 b/cf/have-struct-field.m4 index 090ae3bcb..a31187aec 100644 --- a/cf/have-struct-field.m4 +++ b/cf/have-struct-field.m4 @@ -4,7 +4,7 @@ dnl check for fields in a structure dnl dnl AC_HAVE_STRUCT_FIELD(struct, field, headers) -AC_DEFUN(AC_HAVE_STRUCT_FIELD, [ +AC_DEFUN([AC_HAVE_STRUCT_FIELD], [ define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_])) AC_CACHE_CHECK([for $2 in $1], cache_val,[ AC_TRY_COMPILE([$3],[$1 x; x.$2;], diff --git a/cf/have-type.m4 b/cf/have-type.m4 index f88e45f5a..d0042ea72 100644 --- a/cf/have-type.m4 +++ b/cf/have-type.m4 @@ -3,7 +3,7 @@ dnl dnl check for existance of a type dnl AC_HAVE_TYPE(TYPE,INCLUDES) -AC_DEFUN(AC_HAVE_TYPE, [ +AC_DEFUN([AC_HAVE_TYPE], [ AC_REQUIRE([AC_HEADER_STDC]) cv=`echo "$1" | sed 'y%./+- %__p__%'` AC_MSG_CHECKING(for $1) diff --git a/cf/have-types.m4 b/cf/have-types.m4 index 8e05abe17..7e6e49352 100644 --- a/cf/have-types.m4 +++ b/cf/have-types.m4 @@ -2,7 +2,7 @@ dnl dnl $Id$ dnl -AC_DEFUN(AC_HAVE_TYPES, [ +AC_DEFUN([AC_HAVE_TYPES], [ for i in $1; do AC_HAVE_TYPE($i) done diff --git a/cf/krb-bigendian.m4 b/cf/krb-bigendian.m4 index 2c46ca8fc..914fb52c8 100644 --- a/cf/krb-bigendian.m4 +++ b/cf/krb-bigendian.m4 @@ -7,7 +7,7 @@ dnl if we can figure it out at compile-time then don't define the cpp symbol dnl otherwise test for it and define it. also allow options for overriding dnl it when cross-compiling -AC_DEFUN(KRB_C_BIGENDIAN, [ +AC_DEFUN([KRB_C_BIGENDIAN], [ AC_ARG_ENABLE(bigendian, AC_HELP_STRING([--enable-bigendian],[the target is big endian]), krb_cv_c_bigendian=yes) diff --git a/cf/krb-func-getcwd-broken.m4 b/cf/krb-func-getcwd-broken.m4 index 2ac64ca7b..6f59d7a30 100644 --- a/cf/krb-func-getcwd-broken.m4 +++ b/cf/krb-func-getcwd-broken.m4 
@@ -4,7 +4,7 @@ dnl dnl test for broken getcwd in (SunOS braindamage) dnl -AC_DEFUN(AC_KRB_FUNC_GETCWD_BROKEN, [ +AC_DEFUN([AC_KRB_FUNC_GETCWD_BROKEN], [ if test "$ac_cv_func_getcwd" = yes; then AC_MSG_CHECKING(if getcwd is broken) AC_CACHE_VAL(ac_cv_func_getcwd_broken, [ diff --git a/cf/krb-func-getlogin.m4 b/cf/krb-func-getlogin.m4 index a0a173fcf..6218e6b1f 100644 --- a/cf/krb-func-getlogin.m4 +++ b/cf/krb-func-getlogin.m4 @@ -5,7 +5,7 @@ dnl test for POSIX (broken) getlogin dnl -AC_DEFUN(AC_FUNC_GETLOGIN, [ +AC_DEFUN([AC_FUNC_GETLOGIN], [ AC_CHECK_FUNCS(getlogin setlogin) if test "$ac_cv_func_getlogin" = yes; then AC_CACHE_CHECK(if getlogin is posix, ac_cv_func_getlogin_posix, [ diff --git a/cf/krb-ipv6.m4 b/cf/krb-ipv6.m4 index 260c35c10..2acea3118 100644 --- a/cf/krb-ipv6.m4 +++ b/cf/krb-ipv6.m4 @@ -2,7 +2,7 @@ dnl $Id$ dnl dnl test for IPv6 dnl -AC_DEFUN(AC_KRB_IPV6, [ +AC_DEFUN([AC_KRB_IPV6], [ AC_ARG_WITH(ipv6, AC_HELP_STRING([--without-ipv6],[do not enable IPv6 support]),[ if test "$withval" = "no"; then diff --git a/cf/krb-prog-ln-s.m4 b/cf/krb-prog-ln-s.m4 index 3802f6c0d..35ab877ef 100644 --- a/cf/krb-prog-ln-s.m4 +++ b/cf/krb-prog-ln-s.m4 @@ -4,7 +4,7 @@ dnl dnl Better test for ln -s, ln or cp dnl -AC_DEFUN(AC_KRB_PROG_LN_S, +AC_DEFUN([AC_KRB_PROG_LN_S], [AC_MSG_CHECKING(for ln -s or something else) AC_CACHE_VAL(ac_cv_prog_LN_S, [rm -f conftestdata diff --git a/cf/krb-prog-ranlib.m4 b/cf/krb-prog-ranlib.m4 index a96205e73..8bc5b9eff 100644 --- a/cf/krb-prog-ranlib.m4 +++ b/cf/krb-prog-ranlib.m4 @@ -4,5 +4,5 @@ dnl dnl Also look for EMXOMF for OS/2 dnl -AC_DEFUN(AC_KRB_PROG_RANLIB, +AC_DEFUN([AC_KRB_PROG_RANLIB], [AC_CHECK_PROGS(RANLIB, ranlib EMXOMF, :)]) diff --git a/cf/krb-prog-yacc.m4 b/cf/krb-prog-yacc.m4 index 244affdf2..380412ec7 100644 --- a/cf/krb-prog-yacc.m4 +++ b/cf/krb-prog-yacc.m4 
@@ -4,7 +4,7 @@ dnl dnl We prefer byacc or yacc because they do not use `alloca' dnl -AC_DEFUN(AC_KRB_PROG_YACC, +AC_DEFUN([AC_KRB_PROG_YACC], [AC_CHECK_PROGS(YACC, byacc yacc 'bison -y') if test "$YACC" = ""; then AC_MSG_WARN([yacc not found - some stuff will not build]) diff --git a/cf/krb-readline.m4 b/cf/krb-readline.m4 index 3bcbdf811..57042c3ea 100644 --- a/cf/krb-readline.m4 +++ b/cf/krb-readline.m4 @@ -5,7 +5,7 @@ dnl dnl el_init -AC_DEFUN(KRB_READLINE,[ +AC_DEFUN([KRB_READLINE],[ AC_FIND_FUNC_NO_LIBS(el_init, edit, [], [], [$LIB_tgetent]) if test "$ac_cv_func_el_init" = yes ; then AC_CACHE_CHECK(for four argument el_init, ac_cv_func_el_init_four,[ diff --git a/cf/krb-struct-spwd.m4 b/cf/krb-struct-spwd.m4 index 0ded25287..fe5f39192 100644 --- a/cf/krb-struct-spwd.m4 +++ b/cf/krb-struct-spwd.m4 @@ -2,7 +2,7 @@ dnl $Id$ dnl dnl Test for `struct spwd' -AC_DEFUN(AC_KRB_STRUCT_SPWD, [ +AC_DEFUN([AC_KRB_STRUCT_SPWD], [ AC_MSG_CHECKING(for struct spwd) AC_CACHE_VAL(ac_cv_struct_spwd, [ AC_TRY_COMPILE( diff --git a/cf/krb-struct-winsize.m4 b/cf/krb-struct-winsize.m4 index 3bbea6d0a..5f46b8d06 100644 --- a/cf/krb-struct-winsize.m4 +++ b/cf/krb-struct-winsize.m4 @@ -4,7 +4,7 @@ dnl dnl Search for struct winsize dnl -AC_DEFUN(AC_KRB_STRUCT_WINSIZE, [ +AC_DEFUN([AC_KRB_STRUCT_WINSIZE], [ AC_MSG_CHECKING(for struct winsize) AC_CACHE_VAL(ac_cv_struct_winsize, [ ac_cv_struct_winsize=no diff --git a/cf/krb-sys-aix.m4 b/cf/krb-sys-aix.m4 index 6df296dfc..c599ef88b 100644 --- a/cf/krb-sys-aix.m4 +++ b/cf/krb-sys-aix.m4 @@ -3,7 +3,7 @@ dnl dnl dnl AIX have a very different syscall convention dnl -AC_DEFUN(AC_KRB_SYS_AIX, [ +AC_DEFUN([AC_KRB_SYS_AIX], [ AC_MSG_CHECKING(for AIX) AC_CACHE_VAL(krb_cv_sys_aix, AC_EGREP_CPP(yes, diff --git a/cf/krb-sys-nextstep.m4 b/cf/krb-sys-nextstep.m4 index 5ab0d3417..d9308a087 100644 --- a/cf/krb-sys-nextstep.m4 +++ b/cf/krb-sys-nextstep.m4 
@@ -4,7 +4,7 @@ dnl NEXTSTEP is not posix compliant by default, dnl you need a switch -posix to the compiler dnl -AC_DEFUN(rk_SYS_NEXTSTEP, [ +AC_DEFUN([rk_SYS_NEXTSTEP], [ AC_CACHE_CHECK(for NeXTSTEP, rk_cv_sys_nextstep, [ AC_EGREP_CPP(yes, [#if defined(NeXT) && !defined(__APPLE__) diff --git a/cf/krb-version.m4 b/cf/krb-version.m4 index 49499c710..e196d993d 100644 --- a/cf/krb-version.m4 +++ b/cf/krb-version.m4 @@ -4,7 +4,7 @@ dnl dnl output a C header-file with some version strings dnl -AC_DEFUN(AC_KRB_VERSION,[ +AC_DEFUN([AC_KRB_VERSION],[ cat > include/newversion.h.in </dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; +trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; +: ${TMPDIR=/tmp} ; + { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; +dummy=$tmp/dummy ; +tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; +case $CC_FOR_BUILD,$HOST_CC,$CC in + ,,) echo "int x;" > $dummy.c ; for c in cc gcc c89 c99 ; do - ($c $dummy.c -c -o $dummy.o) >/dev/null 2>&1 ; - if test $? = 0 ; then + if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; - rm -f $dummy.c $dummy.o $dummy.rel ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac' +esac ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) 
@@ -142,9 +157,11 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ /usr/sbin/$sysctl 2>/dev/null || echo unknown)` case "${UNAME_MACHINE_ARCH}" in + armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; + sh5el) machine=sh5le-unknown ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched @@ -167,7 +184,18 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in ;; esac # The OS release - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case "${UNAME_VERSION}" in + Debian*) + release='-gnu' + ;; + *) + release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + ;; + esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 
@@ -216,65 +244,52 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in if test $UNAME_RELEASE = "V4.0"; then UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` fi + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case "$ALPHA_CPU_TYPE" in + "EV4 (21064)") + UNAME_MACHINE="alpha" ;; + "EV4.5 (21064)") + UNAME_MACHINE="alpha" ;; + "LCA4 (21066/21068)") + UNAME_MACHINE="alpha" ;; + "EV5 (21164)") + UNAME_MACHINE="alphaev5" ;; + "EV5.6 (21164A)") + UNAME_MACHINE="alphaev56" ;; + "EV5.6 (21164PC)") + UNAME_MACHINE="alphapca56" ;; + "EV5.7 (21164PC)") + UNAME_MACHINE="alphapca57" ;; + "EV6 (21264)") + UNAME_MACHINE="alphaev6" ;; + "EV6.7 (21264A)") + UNAME_MACHINE="alphaev67" ;; + "EV6.8CB (21264C)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8AL (21264B)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8CX (21264D)") + UNAME_MACHINE="alphaev68" ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE="alphaev69" ;; + "EV7 (21364)") + UNAME_MACHINE="alphaev7" ;; + "EV7.9 (21364A)") + UNAME_MACHINE="alphaev79" ;; + esac # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. 
- cat <$dummy.s - .data -\$Lformat: - .byte 37,100,45,37,120,10,0 # "%d-%x\n" - - .text - .globl main - .align 4 - .ent main -main: - .frame \$30,16,\$26,0 - ldgp \$29,0(\$27) - .prologue 1 - .long 0x47e03d80 # implver \$0 - lda \$2,-1 - .long 0x47e20c21 # amask \$2,\$1 - lda \$16,\$Lformat - mov \$0,\$17 - not \$1,\$18 - jsr \$26,printf - ldgp \$29,0(\$26) - mov 0,\$16 - jsr \$26,exit - .end main -EOF - eval $set_cc_for_build - $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null - if test "$?" = 0 ; then - case `./$dummy` in - 0-0) - UNAME_MACHINE="alpha" - ;; - 1-0) - UNAME_MACHINE="alphaev5" - ;; - 1-1) - UNAME_MACHINE="alphaev56" - ;; - 1-101) - UNAME_MACHINE="alphapca56" - ;; - 2-303) - UNAME_MACHINE="alphaev6" - ;; - 2-307) - UNAME_MACHINE="alphaev67" - ;; - 2-1307) - UNAME_MACHINE="alphaev68" - ;; - esac - fi - rm -f $dummy.s $dummy echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` exit 0 ;; + Alpha*:OpenVMS:*:*) + echo alpha-hp-vms + exit 0 ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # Should we change UNAME_MACHINE based on the output of uname instead @@ -313,6 +328,13 @@ EOF NILE*:*:*:dcosx) echo pyramid-pyramid-svr4 exit 0 ;; + DRS?6000:unix:4.0:6*) + echo sparc-icl-nx6 + exit 0 ;; + DRS?6000:UNIX_SV:4.2*:7*) + case `/usr/bin/uname -p` in + sparc) echo sparc-icl-nx7 && exit 0 ;; + esac ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit 0 ;; 
@@ -419,15 +441,20 @@ EOF exit (-1); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy \ - && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ - && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c \ + && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ + && exit 0 echo mips-mips-riscos${UNAME_RELEASE} exit 0 ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax exit 0 ;; + Motorola:*:4.3:PL8-*) + echo powerpc-harris-powermax + exit 0 ;; + Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) + echo powerpc-harris-powermax + exit 0 ;; Night_Hawk:Power_UNIX:*:*) echo powerpc-harris-powerunix exit 0 ;; @@ -500,8 +527,7 @@ EOF exit(0); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 echo rs6000-ibm-aix3.2.5 elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then echo rs6000-ibm-aix3.2.4 @@ -599,11 +625,21 @@ EOF exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null) && HP_ARCH=`./$dummy` - if test -z "$HP_ARCH"; then HP_ARCH=hppa; fi - rm -f $dummy.c $dummy + (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac + if [ ${HP_ARCH} = "hppa2.0w" ] + then + # avoid double evaluation of $set_cc_for_build + test -n "$CC_FOR_BUILD" || eval $set_cc_for_build + if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null + then + HP_ARCH="hppa2.0w" + else + HP_ARCH="hppa64" + fi + fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} exit 0 ;; ia64:HP-UX:*:*) @@ -637,8 +673,7 @@ EOF exit (0); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 echo unknown-hitachi-hiuxwe2 exit 0 ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) 
@@ -696,15 +731,15 @@ EOF CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; - CRAY*T3D:*:*:*) - echo alpha-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; + *:UNICOS/mp:*:*) + echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit 0 ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` @@ -720,8 +755,22 @@ EOF *:BSD/OS:*:*) echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit 0 ;; - *:FreeBSD:*:*) - echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + *:FreeBSD:*:*|*:GNU/FreeBSD:*:*) + # Determine whether the default compiler uses glibc. + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + #if __GLIBC__ >= 2 + LIBC=gnu + #else + LIBC= + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` + # GNU/FreeBSD systems have a "k" prefix to indicate we are using + # FreeBSD's kernel, but not the complete OS. + case ${LIBC} in gnu) kernel_only='k' ;; esac + echo ${UNAME_MACHINE}-unknown-${kernel_only}freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC} exit 0 ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin 
@@ -732,14 +781,17 @@ EOF i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit 0 ;; - x86:Interix*:3*) - echo i386-pc-interix3 + x86:Interix*:[34]*) + echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//' + exit 0 ;; + [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) + echo i${UNAME_MACHINE}-pc-mks exit 0 ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? - echo i386-pc-interix + echo i586-pc-interix exit 0 ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin @@ -759,6 +811,9 @@ EOF arm*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; + cris:Linux:*:*) + echo cris-axis-linux-gnu + exit 0 ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; @@ -782,8 +837,26 @@ EOF #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` - rm -f $dummy.c - test x"${CPU}" != x && echo "${CPU}-pc-linux-gnu" && exit 0 + test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 + ;; + mips64:Linux:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef mips64 + #undef mips64el + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=mips64el + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + CPU=mips64 + #else + CPU= + #endif + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` + test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 ;; ppc:Linux:*:*) echo powerpc-unknown-linux-gnu @@ -819,6 +892,9 @@ EOF s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux exit 0 ;; + sh64*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit 0 ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; 
@@ -845,7 +921,7 @@ EOF ;; a.out-i386-linux) echo "${UNAME_MACHINE}-pc-linux-gnuaout" - exit 0 ;; + exit 0 ;; coff-i386) echo "${UNAME_MACHINE}-pc-linux-gnucoff" exit 0 ;; @@ -878,7 +954,6 @@ EOF #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` - rm -f $dummy.c test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0 test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0 ;; @@ -896,6 +971,23 @@ EOF # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit 0 ;; + i*86:OS/2:*:*) + # If we were able to find `uname', then EMX Unix compatibility + # is probably installed. + echo ${UNAME_MACHINE}-pc-os2-emx + exit 0 ;; + i*86:XTS-300:*:STOP) + echo ${UNAME_MACHINE}-unknown-stop + exit 0 ;; + i*86:atheos:*:*) + echo ${UNAME_MACHINE}-unknown-atheos + exit 0 ;; + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + i*86:*DOS:*:*) + echo ${UNAME_MACHINE}-pc-msdosdjgpp + exit 0 ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then 
@@ -917,22 +1009,19 @@ EOF UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then - UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')` - (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486 - (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \ + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 - (/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \ + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 - (/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \ + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi exit 0 ;; - i*86:*DOS:*:*) - echo ${UNAME_MACHINE}-pc-msdosdjgpp - exit 0 ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about @@ -956,9 +1045,15 @@ EOF # "miniframe" echo m68010-convergent-sysv exit 0 ;; + mc68k:UNIX:SYSTEM5:3.51m) + echo m68k-convergent-sysv + exit 0 ;; + M680?0:D-NIX:5.3:*) + echo m68k-diab-dnix + exit 0 ;; M68*:*:R3V[567]*:*) test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; - 3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0) + 3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` @@ -975,9 +1070,6 @@ EOF mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit 0 ;; - i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) - echo i386-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} exit 0 ;; 
@@ -1049,6 +1141,9 @@ EOF SX-5:SUPER-UX:*:*) echo sx5-nec-superux${UNAME_RELEASE} exit 0 ;; + SX-6:SUPER-UX:*:*) + echo sx6-nec-superux${UNAME_RELEASE} + exit 0 ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit 0 ;; @@ -1056,7 +1151,11 @@ EOF echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} exit 0 ;; *:Darwin:*:*) - echo `uname -p`-apple-darwin${UNAME_RELEASE} + case `uname -p` in + *86) UNAME_PROCESSOR=i686 ;; + powerpc) UNAME_PROCESSOR=powerpc ;; + esac + echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit 0 ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` @@ -1069,7 +1168,7 @@ EOF *:QNX:*:4*) echo i386-pc-qnx exit 0 ;; - NSR-[GKLNPTVW]:NONSTOP_KERNEL:*:*) + NSR-[DGKLNPTVW]:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit 0 ;; *:NonStop-UX:*:*) @@ -1092,11 +1191,6 @@ EOF fi echo ${UNAME_MACHINE}-unknown-plan9 exit 0 ;; - i*86:OS/2:*:*) - # If we were able to find `uname', then EMX Unix compatibility - # is probably installed. - echo ${UNAME_MACHINE}-pc-os2-emx - exit 0 ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 exit 0 ;; @@ -1115,11 +1209,8 @@ EOF *:ITS:*:*) echo pdp10-unknown-its exit 0 ;; - i*86:XTS-300:*:STOP) - echo ${UNAME_MACHINE}-unknown-stop - exit 0 ;; - i*86:atheos:*:*) - echo ${UNAME_MACHINE}-unknown-atheos + SEI:*:*:SEIUX) + echo mips-sei-seiux${UNAME_RELEASE} exit 0 ;; esac @@ -1241,8 +1332,7 @@ main () } EOF -$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm -f $dummy.c $dummy && exit 0 -rm -f $dummy.c $dummy +$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0 # Apollos put the system type in the environment. diff --git a/config.sub b/config.sub index f3657978c..a12b59fab 100755 --- a/config.sub +++ b/config.sub 
@@ -1,9 +1,12 @@ #! /bin/sh +# +# $NetBSD: config.sub,v 1.6 2003/07/11 10:11:33 chris Exp $ +# # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002 Free Software Foundation, Inc. +# 2000, 2001, 2002, 2003 Free Software Foundation, Inc. -timestamp='2002-03-07' +timestamp='2003-07-04' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -118,7 +121,7 @@ esac # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in - nto-qnx* | linux-gnu* | storm-chaos* | os2-emx* | windows32-* | rtmk-nova*) + nto-qnx* | linux-gnu* | kfreebsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; 
@@ -230,26 +233,38 @@ case $basic_machine in
 | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
 | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
 | c4x | clipper \
- | d10v | d30v | dsp16xx \
- | fr30 \
+ | d10v | d30v | dlx | dsp16xx \
+ | fr30 | frv \
 | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 | i370 | i860 | i960 | ia64 \
+ | ip2k \
 | m32r | m68000 | m68k | m88k | mcore \
- | mips | mips16 | mips64 | mips64el | mips64orion | mips64orionel \
- | mips64vr4100 | mips64vr4100el | mips64vr4300 \
- | mips64vr4300el | mips64vr5000 | mips64vr5000el \
- | mipsbe | mipseb | mipsel | mipsle | mipstx39 | mipstx39el \
- | mipsisa32 | mipsisa64 \
+ | mips | mipsbe | mipseb | mipsel | mipsle \
+ | mips16 \
+ | mips64 | mips64el \
+ | mips64vr | mips64vrel \
+ | mips64orion | mips64orionel \
+ | mips64vr4100 | mips64vr4100el \
+ | mips64vr4300 | mips64vr4300el \
+ | mips64vr5000 | mips64vr5000el \
+ | mipsisa32 | mipsisa32el \
+ | mipsisa32r2 | mipsisa32r2el \
+ | mipsisa64 | mipsisa64el \
+ | mipsisa64sb1 | mipsisa64sb1el \
+ | mipsisa64sr71k | mipsisa64sr71kel \
+ | mipstx39 | mipstx39el \
 | mn10200 | mn10300 \
+ | msp430 \
 | ns16k | ns32k \
 | openrisc | or32 \
 | pdp10 | pdp11 | pj | pjl \
 | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 | pyramid \
- | sh | sh[34] | sh[34]eb | shbe | shle | sh64 \
+ | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+ | sh64 | sh64le \
 | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
 | strongarm \
- | tahoe | thumb | tic80 | tron \
+ | tahoe | thumb | tic4x | tic80 | tron \
 | v850 | v850e \
 | we32k \
 | x86 | xscale | xstormy16 | xtensa \
@@ -281,34 +296,49 @@ case $basic_machine in
 | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
 | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
 | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
- | arm-* | armbe-* | armle-* | armv*-* \
+ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
 | avr-* \
 | bs2000-* \
- | c[123]* | c30-* | [cjt]90-* | c54x-* \
+ | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
 | clipper-* | cydra-* \
- | d10v-* | d30v-* \
+ | d10v-* | d30v-* | dlx-* \
 | elxsi-* \
- | f30[01]-* | f700-* | fr30-* | fx80-* \
+ | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
 | h8300-* | h8500-* \
 | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 | i*86-* | i860-* | i960-* | ia64-* \
+ | ip2k-* \
 | m32r-* \
 | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
 | m88110-* | m88k-* | mcore-* \
- | mips-* | mips16-* | mips64-* | mips64el-* | mips64orion-* \
- | mips64orionel-* | mips64vr4100-* | mips64vr4100el-* \
- | mips64vr4300-* | mips64vr4300el-* | mipsbe-* | mipseb-* \
- | mipsle-* | mipsel-* | mipstx39-* | mipstx39el-* \
- | none-* | np1-* | ns16k-* | ns32k-* \
+ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+ | mips16-* \
+ | mips64-* | mips64el-* \
+ | mips64vr-* | mips64vrel-* \
+ | mips64orion-* | mips64orionel-* \
+ | mips64vr4100-* | mips64vr4100el-* \
+ | mips64vr4300-* | mips64vr4300el-* \
+ | mips64vr5000-* | mips64vr5000el-* \
+ | mipsisa32-* | mipsisa32el-* \
+ | mipsisa32r2-* | mipsisa32r2el-* \
+ | mipsisa64-* | mipsisa64el-* \
+ | mipsisa64sb1-* | mipsisa64sb1el-* \
+ | mipsisa64sr71k-* | mipsisa64sr71kel-* \
+ | mipstx39-* | mipstx39el-* \
+ | msp430-* \
+ | none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
 | orion-* \
 | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
 | pyramid-* \
 | romp-* | rs6000-* \
- | sh-* | sh[34]-* | sh[34]eb-* | shbe-* | shle-* | sh64-* \
+ | sh-* | sh[1234]-* | sh[23]e-* | 
sh[34]eb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \ | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ - | tahoe-* | thumb-* | tic30-* | tic54x-* | tic80-* | tron-* \ + | tahoe-* | thumb-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ + | tron-* \ | v850-* | v850e-* | vax-* \ | we32k-* \ | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \ @@ -346,6 +376,9 @@ case $basic_machine in basic_machine=a29k-none os=-bsd ;; + amd64) + basic_machine=x86_64-pc + ;; amdahl) basic_machine=580-amdahl os=-sysv @@ -695,6 +728,10 @@ case $basic_machine in np1) basic_machine=np1-gould ;; + nv1) + basic_machine=nv1-cray + os=-unicosmp + ;; nsr-tandem) basic_machine=nsr-tandem ;; 
@@ -728,49 +765,55 @@ case $basic_machine in pbb) basic_machine=m68k-tti ;; - pc532 | pc532-*) + pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; - pentiumpro | p6 | 6x86 | athlon) + pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; - pentiumii | pentium2) + pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; + pentium4) + basic_machine=i786-pc + ;; pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - pentiumii-* | pentium2-*) + pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; + pentium4-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc) basic_machine=powerpc-unknown - ;; + ;; ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown - ;; + ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown - ;; + ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown - ;; + ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; @@ -801,6 +844,16 @@ case $basic_machine in basic_machine=a29k-amd os=-udi ;; + sb1) + basic_machine=mipsisa64sb1-unknown + ;; + sb1el) + basic_machine=mipsisa64sb1el-unknown + ;; + sei) + basic_machine=mips-sei + os=-seiux + ;; sequent) basic_machine=i386-sequent ;; 
@@ -808,6 +861,9 @@ case $basic_machine in basic_machine=sh-hitachi os=-hms ;; + sh64) + basic_machine=sh64-unknown + ;; sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks @@ -866,7 +922,7 @@ case $basic_machine in sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; - sv1) + sv1) basic_machine=sv1-cray os=-unicos ;; @@ -874,10 +930,6 @@ case $basic_machine in basic_machine=i386-sequent os=-dynix ;; - t3d) - basic_machine=alpha-cray - os=-unicos - ;; t3e) basic_machine=alphaev5-cray os=-unicos @@ -890,6 +942,14 @@ case $basic_machine in basic_machine=tic54x-unknown os=-coff ;; + tic55x | c55x*) + basic_machine=tic55x-unknown + os=-coff + ;; + tic6x | c6x*) + basic_machine=tic6x-unknown + os=-coff + ;; tx39) basic_machine=mipstx39-unknown ;; @@ -924,8 +984,8 @@ case $basic_machine in os=-vms ;; vpp*|vx|vx-*) - basic_machine=f301-fujitsu - ;; + basic_machine=f301-fujitsu + ;; vxworks960) basic_machine=i960-wrs os=-vxworks @@ -946,11 +1006,7 @@ case $basic_machine in basic_machine=hppa1.1-winbond os=-proelf ;; - windows32) - basic_machine=i386-pc - os=-windows32-msvcrt - ;; - xps | xps100) + xps | xps100) basic_machine=xps100-honeywell ;; ymp) @@ -996,16 +1052,19 @@ case $basic_machine in we32k) basic_machine=we32k-att ;; - sh3 | sh4 | sh3eb | sh4eb) + sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; + sh5el) + basic_machine=sh5le-unknown + ;; sh64) basic_machine=sh64-unknown ;; sparc | sparcv9 | sparcv9b) basic_machine=sparc-sun ;; - cydra) + cydra) basic_machine=cydra-cydrome ;; orion) @@ -1020,10 +1079,6 @@ case $basic_machine in pmac | pmac-mpw) basic_machine=powerpc-apple ;; - c4x*) - basic_machine=c4x-none - os=-coff - ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; 
@@ -1079,18 +1134,19 @@ case $os in | -aos* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \ + | -hiux* | -386bsd* | -netbsd* | -openbsd* | -kfreebsd* | -freebsd* | -riscix* \ | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* \ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \ - | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \ + | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ - | -morphos* | -superux* | -rtmk* | -rtmk-nova*) + | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ + | -powermax* | -dnix* | -nx6 | -nx7 | -sei*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1102,8 +1158,10 @@ case $os in ;; esac ;; + -nto-qnx*) + ;; -nto*) - os=-nto-qnx + os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ @@ -1155,7 +1213,7 @@ case $os in os=-rtmk-nova ;; -ns2 ) - os=-nextstep2 + os=-nextstep2 ;; -nsk*) os=-nsk @@ -1194,8 +1252,14 @@ case $os in -xenix) os=-xenix ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - os=-mint + -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + os=-mint + ;; + -aros*) + os=-aros + ;; + -kaos*) + os=-kaos ;; -none) ;; 
@@ -1228,11 +1292,14 @@ case $basic_machine in arm*-semi) os=-aout ;; + c4x-* | tic4x-*) + os=-coff + ;; # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; - pdp11-*) + pdp11-*) os=-none ;; *-dec | vax-*) @@ -1325,19 +1392,19 @@ case $basic_machine in *-next) os=-nextstep3 ;; - *-gould) + *-gould) os=-sysv ;; - *-highlevel) + *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; - *-sgi) + *-sgi) os=-irix ;; - *-siemens) + *-siemens) os=-sysv4 ;; *-masscomp) @@ -1409,7 +1476,7 @@ case $basic_machine in -ptx*) vendor=sequent ;; - -vxsim* | -vxworks*) + -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) diff --git a/configure.in b/configure.in index 76d3dc590..269d4fda6 100644 --- a/configure.in +++ b/configure.in @@ -1,8 +1,8 @@ dnl Process this file with autoconf to produce a configure script. AC_REVISION($Revision$) AC_PREREQ(2.53) -test -z "$CFLAGS" && CFLAGS="-g" -AC_INIT(Heimdal, 0.6pre3, heimdal-bugs@pdc.kth.se) +#test -z "$CFLAGS" && CFLAGS="-g" +AC_INIT([Heimdal], [0.6.3], [heimdal-bugs@pdc.kth.se]) AC_CONFIG_SRCDIR([kuser/kinit.c]) AM_CONFIG_HEADER(include/config.h) @@ -11,7 +11,7 @@ AC_PROG_CC AC_PROG_CPP AC_PROG_CC_STDC -AM_INIT_AUTOMAKE +AM_INIT_AUTOMAKE([foreign no-dependencies 1.7]) AM_MAINTAINER_MODE AC_PREFIX_DEFAULT(/usr/heimdal) diff --git a/doc/Makefile.am b/doc/Makefile.am index 4ba0e2b7e..7f7292841 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -2,7 +2,7 @@ include $(top_srcdir)/Makefile.am.common -AUTOMAKE_OPTIONS += no-texinfo.tex +AUTOMAKE_OPTIONS = no-texinfo.tex info_TEXINFOS = heimdal.texi heimdal_TEXINFOS = intro.texi install.texi setup.texi kerberos4.texi diff --git a/doc/ack.texi b/doc/ack.texi index b37f5e265..23ab30cc6 100644 --- a/doc/ack.texi +++ b/doc/ack.texi 
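Review bot: The `no-dependencies` option in the new `AM_INIT_AUTOMAKE([foreign no-dependencies 1.7])` line of configure.in switches off automake's automatic header-dependency tracking, so once a header such as include/config.h changes, objects that include it are not rebuilt until a clean build, which can leave a binary linked against a stale configuration without any warning. If that is deliberate (it is commonly done for compilers whose dependency output automake cannot parse), a short `dnl` comment above the line stating the reason would keep the next maintainer from re-enabling it, e.g. `dnl no-dependencies: header changes require a clean rebuild; see cf/Makefile.am.common`. In the first hunk, `#test -z "$CFLAGS" && CFLAGS="-g"` is dead text left as a comment; since this is now a release version, either delete the line or replace it with a note that configure's own default CFLAGS are intended from here on.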
@@ -39,7 +39,7 @@ Bugfixes, documentation, encouragement, and code has been contributed by: @item Marc Horowitz @email{marc@@cygnus.com} @item Luke Howard -@email{lukeh@@xedoc.com.au} +@email{lukeh@@PADL.COM} @item Brandon S. Allbery KF8NH @email{allbery@@kf8nh.apk.net} @item Jun-ichiro itojun Hagino diff --git a/doc/programming.texi b/doc/programming.texi index 47f345412..8a3b84d1c 100644 --- a/doc/programming.texi +++ b/doc/programming.texi @@ -45,7 +45,7 @@ replay cache, and checksum types. See the manual page for @manpage{krb5_auth_context,3}. -@subsection Keytab managment +@subsection Keytab management A keytab is a storage for locally stored keys. Heimdal includes keytab support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's, diff --git a/doc/setup.texi b/doc/setup.texi index 63f53f02d..981b2db10 100644 --- a/doc/setup.texi +++ b/doc/setup.texi @@ -15,6 +15,9 @@ * Slave Servers:: * Incremental propagation:: * Salting:: +* Cross realm:: +* Transit policy:: +* Setting up DNS:: @end menu A @@ -61,12 +64,12 @@ In this manual, names of sections and bindings will be given as strings separated by slashes (@samp{/}). The @samp{other-var} variable will thus be @samp{section1/a-subsection/other-var}. -For in-depth information about the contents of the config file, refer to +For in-depth information about the contents of the configuration file, refer to the @file{krb5.conf} manual page. Some of the more important sections are briefly described here. The @samp{libdefaults} section contains a list of library configuration -parameters, such as the default realm and the timeout for kdc +parameters, such as the default realm and the timeout for KDC responses. The @samp{realms} section contains information about specific realms, such as where they hide their KDC. This section serves the same purpose as the Kerberos 4 @file{krb.conf} file, but can contain more 
@@ -74,7 +77,7 @@ information. Finally the @samp{domain_realm} section contains a list of mappings from domains to realms, equivalent to the Kerberos 4 @file{krb.realms} file. -To continue with the realm setup, you will have to create a config file, +To continue with the realm setup, you will have to create a configuration file, with contents similar to the following. @example @@ -82,7 +85,8 @@ with contents similar to the following. default_realm = MY.REALM [realms] MY.REALM = @{ - kdc = my.kdc + kdc = my.kdc my.slave.kdc + kdc = my.third.kdc @} [domain_realm] .my.domain = MY.REALM @@ -91,14 +95,19 @@ with contents similar to the following. If you use a realm name equal to your domain name, you can omit the @samp{libdefaults}, and @samp{domain_realm}, sections. If you have a -SRV-record for your realm, or your kerberos server has CNAME called +SRV-record for your realm, or your Kerberos server has CNAME called @samp{kerberos.my.realm}, you can omit the @samp{realms} section too. @node Creating the database, keytabs, Configuration file, Setting up a realm @section Creating the database -The database library will look for the database in @file{/var/heimdal}, -so you should probably create that directory. +The database library will look for the database in the directory +@file{/var/heimdal}, so you should probably create that directory. +Make sure the directory have restrictive permissions. + +@example +# mkdir /var/heimdal +@end example The keys of all the principals are stored in the database. If you choose to, these can be encrypted with a master key. You do not have to 
@@ -193,11 +202,11 @@ Version Type Principal Heimdal can be configured to support 524, Kerberos 4 or kaserver. All theses services are default turned off. Kerberos 4 support also -depends on if Kerberos 4 support is compiled in with heimdal. +depends on if Kerberos 4 support is compiled in with Heimdal. @subsection 524 -524 is a service that allows the kdc to convert Kerberos 5 tickets to +524 is a service that allows the KDC to convert Kerberos 5 tickets to Kerberos 4 tickets for backward compatibility. See also Using 2b tokens with AFS in @xref{Things in search for a better place}. @@ -224,7 +233,7 @@ Kerberos 4 can be turned on by adding this to the configuration file @subsection kaserver Kaserver is a Kerberos 4 that is used in AFS, the protocol have some -features over plain Kerberos 4, but like kerberos 4 only use single +features over plain Kerberos 4, but like Kerberos 4 only use single DES too. You should only enable Kerberos 4 support if you have a need for for @@ -252,7 +261,7 @@ kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmin You might need to add @samp{kerberos-adm} to your @file{/etc/services} as 749/tcp. -Access to the admin server is controlled by an acl-file, (default +Access to the administration server is controlled by an acl-file, (default @file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the following syntax: @smallexample @@ -277,7 +286,7 @@ The patters are of the same type as those used in shell globbing, see In the example below @samp{lha/admin} can change every principal in the database. @samp{jimmy/admin} can only modify principals that belong to the realm @samp{E.KTH.SE}. @samp{mille/admin} is working at the -helpdesk, so he should only be able to change the passwords for single +help desk, so he should only be able to change the passwords for single component principals (ordinary users). He will not be able to change any @samp{/admin} principal. 
@@ -356,8 +365,9 @@ to the slaves, running @pindex hpropd @code{hpropd} processes. -Every slave needs a keytab with a principal, -@samp{hprop/@var{hostname}}. Add that with the +Every slave needs a database directory, the master key (if it was used +for the database) and a keytab with the principal +@samp{hprop/@var{hostname}}. Add the principal with the @pindex ktutil @code{ktutil} command and start @pindex hpropd @@ -365,6 +375,7 @@ Every slave needs a keytab with a principal, @example slave# ktutil get -p foo/admin hprop/`hostname` +slave# mkdir /var/heimdal slave# hpropd @end example @@ -447,7 +458,7 @@ master# /usr/heimdal/libexec/ipropd-master & slave# /usr/heimdal/libexec/ipropd-slave master & @end example -@node Salting, , Incremental propagation, Setting up a realm +@node Salting, Cross realm, Incremental propagation, Setting up a realm @section Salting @cindex Salting @@ -476,7 +487,7 @@ The syntax of @code{[kadmin]default_keys} is @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption type (des, des3, arcfour), @code{salt-type} is the type of salt (pw-salt or afs3-salt), and the salt-string is the string that will be used as -salt (remember that if the salt is appened/prepended, the empty salt "" +salt (remember that if the salt is appended/prepended, the empty salt "" is the same thing as no salt at all). Common types of salting includes 
@@ -498,3 +509,156 @@ string (same as no salt). the cell appended to the password. @end itemize + +@node Cross realm, Transit policy , Salting, Setting up a realm +@section Cross realm +@cindex Cross realm + +Suppose you are residing in the realm @samp{MY.REALM}, how do you +authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in +@samp{MY.REALM} allows you to communicate with kerberised services in that +realm. However, the computer in the other realm does not have a secret +key shared with the Kerberos server in your realm. + +It is possible to add a share keys between two realms that trust each +other. When a client program, such as @code{telnet} or @code{ssh}, +finds that the other computer is in a different realm, it will try to +get a ticket granting ticket for that other realm, but from the local +Kerberos server. With that ticket granting ticket, it will then obtain +service tickets from the Kerberos server in the other realm. + +For a two way trust between @samp{MY.REALM} and @samp{OTHER.REALM} +add the following principals to each realm. The principals should be +@samp{krbtgt/OTHER.REALM@@MY.REALM} and +@samp{krbtgt/MY.REALM@@OTHER.REALM} in @samp{MY.REALM}, and +@samp{krbtgt/MY.REALM@@OTHER.REALM} and +@samp{krbtgt/OTHER.REALM@@MY.REALM}in @samp{OTHER.REALM}. + +In Kerberos 5 the trust can be one configured to be one way. So that +users from @samp{MY.REALM} can authenticate to services in +@samp{OTHER.REALM}, but not the opposite. In the example above, the +@samp{krbtgt/MY.REALM@@OTHER.REALM} then should be removed. + +The two principals must have the same key, key version number, and the +same set of encryption types. Remember to transfer the two keys in a +safe manner. 
+ +@example +@cartouche +vr$ klist +Credentials cache: FILE:/tmp/krb5cc_913.console + Principal: lha@@E.KTH.SE + + Issued Expires Principal +May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE + +vr$ telnet -l lha hummel.it.su.se +Trying 2001:6b0:5:1095:250:fcff:fe24:dbf... +Connected to hummel.it.su.se. +Escape character is '^]'. +Waiting for encryption to be negotiated... +[ Trying mutual KERBEROS5 (host/hummel.it.su.se@@SU.SE)... ] +[ Kerberos V5 accepts you as ``lha@@E.KTH.SE'' ] +Encryption negotiated. +Last login: Sat May 3 14:11:47 from vr.l.nxs.se +hummel$ exit + +vr$ klist +Credentials cache: FILE:/tmp/krb5cc_913.console + Principal: lha@@E.KTH.SE + + Issued Expires Principal +May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE +May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@@E.KTH.SE +May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@@SU.SE + +@end cartouche +@end example + +@node Transit policy, Setting up DNS , Cross realm, Setting up a realm +@section Transit policy +@cindex Transit policy + +If you want to use cross realm authentication through an intermediate +realm it must be explicitly allowed by either the KDCs or the server +receiving the request. This is done in @file{krb5.conf} in the +@code{[capaths]} section. + +When the ticket transits through a realm to another realm, the +destination realm adds its peer to the "transited-realms" field in the +ticket. The field is unordered, this is since there is no way to know if +know if one of the transited-realms changed the order of the list. + +The syntax for @code{[capaths]} section: + +@example +@cartouche +[capaths] + CLIENT-REALM = @{ + SERVER-REALM = PERMITTED-CROSS-REALMS ... + @} +@end cartouche +@end example + +The realm @code{STACKEN.KTH.SE} allows clients from @code{SU.SE} and +@code{DSV.SU.SE} to cross in. 
Since @code{STACKEN.KTH.SE} only have +direct cross realm with @code{KTH.SE}, and @code{DSV.SU.SE} only have direct cross +realm with @code{SU.SE} they need to use both @code{SU.SE} and +@code{KTH.SE} as transit realms. + +@example +@cartouche +[capaths] + SU.SE = @{ + STACKEN.KTH.SE = KTH.SE + @} + DSV.SU.SE = @{ + STACKEN.KTH.SE = SU.SE KTH.SE + @} + +@end cartouche +@end example + +@c To test the cross realm configuration, use: +@c kmumble transit-check client server transit-realms ... + +@node Setting up DNS, , Transit policy, Setting up a realm +@section Setting up DNS +@cindex Setting up DNS + +If there is information about where to find the KDC or kadmind for a +realm in the @file{krb5.conf} for a realm, that information will be +preferred and DNS will not be queried. + +Heimdal will try to use DNS to find the KDCs for a realm. First it +will try to find @code{SRV} resource record (RR) for the realm. If no +SRV RRs are found, it will fall back to looking for a @code{A} RR for +a machine named kerberos.REALM, and then kerberos-1.REALM, etc + +Adding this information to DNS makes the client have less +configuration (in the common case, no configuration) and allows the +system administrator to change the number of KDCs and on what machines +they are running without caring about clients. + +The backside of using DNS that the client might be fooled to use the +wrong server if someone fakes DNS replies/data, but storing the IP +addresses of the KDC on all the clients makes it very hard to change +the infrastructure. + +Example of the configuration for the realm @code{EXAMPLE.COM}, + +@example + +$ORIGIN example.com. +_kerberos._tcp SRV 10 1 88 kerberos.example.com. +_kerberos._udp SRV 10 1 88 kerberos.example.com. +_kerberos._tcp SRV 10 1 88 kerberos-1.example.com. +_kerberos._udp SRV 10 1 88 kerberos-1.example.com. +_kpasswd._udp SRV 10 1 464 kerberos.example.com. +_kerberos-adm._tcp SRV 10 1 749 kerberos.example.com. 
+ +@end example + +More information about DNS SRV resource records can be found in +RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)). + diff --git a/fix-export b/fix-export index 32ce8c412..973a32c14 100755 --- a/fix-export +++ b/fix-export @@ -7,12 +7,17 @@ test -d "$1" || { echo not a dir in \$1 ; exit 1 ; } cd $1 if test "$DATEDVERSION"; then - date=`date -u +%Y%m%d` ed -s configure.in << END -/AC_INIT/s/AC_INIT(\([^,]*\), [^,]*, \(.*\))/AC_INIT(\1, $date, \2)/ +/AC_INIT/s/AC_INIT(\([^,]*\), [^,]*, \(.*\))/AC_INIT(\1, $DATEDVERSION, \2)/ w q END + + error=WARN + exitcmd=: +else + error=ERROR + exitcmd=exit fi ver=`sed -n 's/AC_INIT([^,]*,\([^,]*\),.*/\1/p' configure.in` @@ -42,6 +47,12 @@ find . -name Makefile.am | while read f; do y=`dirname $f`/`echo $i | sed 's/[0-9]$/cat&/'` echo `grog -Tascii $x` \> $y `grog -Tascii $x` > $y + perl -p -e 'exit 1 if (/NetBSD|FreeBSD|OpenBSD|Linux|OSF|Solaris/); exit 0;' $y + if [ $? != 0 ] ; then + echo "$error: catfile $y contains operating system" + head -1 $y + $exitcmd + fi done done @@ -49,7 +60,7 @@ make_proto () { (top=`pwd` cd $1 b=`basename $1` - perl $top/cf/make-proto.pl -o $2 -p $3 `(sed 's/^include/##include/' Makefile.am; + perl $top/cf/make-proto.pl -o $2 -p $3 `(perl -p -e 's/^(include|if|else|endif)\b/##$1/' Makefile.am; echo 'print-sources:; @if test "$(proto_opts)"; then echo $(proto_opts); else echo -q -P comment; fi; echo '$4 | sort -u ) | make -f - print-sources `) } diff --git a/include/make_crypto.c b/include/make_crypto.c index 5ebe6a6da..f8e45a4ef 100644 --- a/include/make_crypto.c +++ b/include/make_crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002 Kungliga Tekniska Högskolan + * Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
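Review bot: The new `perl -p -e 'exit 1 if (...); exit 0;' $y` check in the Makefile.am loop of fix-export executes `exit 0` while processing the first input line, so only the first line of `$y` is ever examined (and `-p` prints nothing because the exit happens before the implicit print). If the intent is to inspect just the man-page header line, as the `head -1 $y` in the diagnostic suggests, say so directly: `if head -1 "$y" | grep -E 'NetBSD|FreeBSD|OpenBSD|Linux|OSF|Solaris' >/dev/null; then`; otherwise drop the `exit 0;` so every line is scanned. `$y` is built from `dirname $f` and should be double-quoted in the `head`, `echo` and `grog` lines of this hunk as well.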
@@ -66,6 +66,9 @@ main(int argc, char **argv) fputs("#include \n", f); fputs("#include \n", f); fputs("#include \n", f); +#if ENABLE_AES + fputs("#include \n", f); +#endif #else fputs("#include \n", f); fputs("#include \n", f); diff --git a/install-sh b/install-sh index 398a88e14..0ec27bcd4 100755 --- a/install-sh +++ b/install-sh 
@@ -1,19 +1,37 @@ #!/bin/sh # # install - install a program, script, or datafile -# This comes from X11R5 (mit/util/scripts/install.sh). # -# Copyright 1991 by the Massachusetts Institute of Technology +# This originates from X11R5 (mit/util/scripts/install.sh), which was +# later released in X11R6 (xc/config/util/install.sh) with the +# following copyright and license. # -# Permission to use, copy, modify, distribute, and sell this software and its -# documentation for any purpose is hereby granted without fee, provided that -# the above copyright notice appear in all copies and that both that -# copyright notice and this permission notice appear in supporting -# documentation, and that the name of M.I.T. not be used in advertising or -# publicity pertaining to distribution of the software without specific, -# written prior permission. M.I.T. makes no representations about the -# suitability of this software for any purpose. It is provided "as is" -# without express or implied warranty. +# Copyright (C) 1994 X Consortium +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to +# deal in the Software without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +# sell copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE +# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- +# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +# +# Except as contained in this notice, the name of the X Consortium shall not +# be used in advertising or otherwise to promote the sale, use or other deal- +# ings in this Software without prior written authorization from the X Consor- +# tium. +# +# +# FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent # `make' implicit rules from creating a file called install from it @@ -56,7 +74,7 @@ dir_arg="" while [ x"$1" != x ]; do case $1 in - -c) instcmd="$cpprog" + -c) instcmd=$cpprog shift continue;; @@ -79,7 +97,7 @@ while [ x"$1" != x ]; do shift continue;; - -s) stripcmd="$stripprog" + -s) stripcmd=$stripprog shift continue;; @@ -106,7 +124,7 @@ done if [ x"$src" = x ] then - echo "install: no input file specified" + echo "$0: no input file specified" >&2 exit 1 else : @@ -115,8 +133,8 @@ fi if [ x"$dir_arg" != x ]; then dst=$src src="" - - if [ -d $dst ]; then + + if [ -d "$dst" ]; then instcmd=: chmodcmd="" else @@ -125,20 +143,20 @@ if [ x"$dir_arg" != x ]; then else # Waiting for this to be detected by the "$instcmd $src $dsttmp" command -# might cause directories to be created, which would be especially bad +# might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. - if [ -f $src -o -d $src ] + if [ -f "$src" ] || [ -d "$src" ] then : else - echo "install: $src does not exist" + echo "$0: $src does not exist" >&2 exit 1 fi - + if [ x"$dst" = x ] then - echo "install: no destination specified" + echo "$0: no destination specified" >&2 exit 1 else : 
@@ -147,16 +165,16 @@ else # If destination is a directory, append the input filename; if your system # does not like double slashes in filenames, you may need to add some logic - if [ -d $dst ] + if [ -d "$dst" ] then - dst="$dst"/`basename $src` + dst=$dst/`basename "$src"` else : fi fi ## this sed command emulates the dirname command -dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` +dstdir=`echo "$dst" | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` # Make sure that the destination directory exists. # this part is taken from Noah Friedman's mkinstalldirs script 
@@ -165,69 +183,73 @@ dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` if [ ! -d "$dstdir" ]; then defaultIFS=' ' -IFS="${IFS-${defaultIFS}}" +IFS="${IFS-$defaultIFS}" -oIFS="${IFS}" +oIFS=$IFS # Some sh's can't handle IFS=/ for some reason. IFS='%' -set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` -IFS="${oIFS}" +set - `echo "$dstdir" | sed -e 's@/@%@g' -e 's@^%@/@'` +IFS=$oIFS pathcomp='' while [ $# -ne 0 ] ; do - pathcomp="${pathcomp}${1}" + pathcomp=$pathcomp$1 shift - if [ ! -d "${pathcomp}" ] ; + if [ ! -d "$pathcomp" ] ; then - $mkdirprog "${pathcomp}" + $mkdirprog "$pathcomp" else : fi - pathcomp="${pathcomp}/" + pathcomp=$pathcomp/ done fi if [ x"$dir_arg" != x ] then - $doit $instcmd $dst && + $doit $instcmd "$dst" && - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else : ; fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else : ; fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else : ; fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else : ; fi + if [ x"$chowncmd" != x ]; then $doit $chowncmd "$dst"; else : ; fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd "$dst"; else : ; fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd "$dst"; else : ; fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd "$dst"; else : ; fi else # If we're going to rename the final executable, determine the name now. - if [ x"$transformarg" = x ] + if [ x"$transformarg" = x ] then - dstfile=`basename $dst` + dstfile=`basename "$dst"` else - dstfile=`basename $dst $transformbasename | + dstfile=`basename "$dst" $transformbasename | sed $transformarg`$transformbasename fi # don't allow the sed command to completely eliminate the filename - if [ x"$dstfile" = x ] + if [ x"$dstfile" = x ] then - dstfile=`basename $dst` + dstfile=`basename "$dst"` else : fi -# Make a temp file name in the proper directory. +# Make a couple of temp file names in the proper directory. 
dsttmp=$dstdir/#inst.$$# + rmtmp=$dstdir/#rm.$$# -# Move or copy the file name to the temp name +# Trap to clean up temp files at exit. - $doit $instcmd $src $dsttmp && + trap 'status=$?; rm -f "$dsttmp" "$rmtmp" && exit $status' 0 + trap '(exit $?); exit' 1 2 13 15 - trap "rm -f ${dsttmp}" 0 && +# Move or copy the file name to the temp name + + $doit $instcmd "$src" "$dsttmp" && # and set any options; do chmod last to preserve setuid bits 
@@ -235,17 +257,38 @@ else # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $instcmd $src $dsttmp" command. - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else :;fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else :;fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else :;fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else :;fi && + if [ x"$chowncmd" != x ]; then $doit $chowncmd "$dsttmp"; else :;fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd "$dsttmp"; else :;fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd "$dsttmp"; else :;fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd "$dsttmp"; else :;fi && + +# Now remove or move aside any old file at destination location. We try this +# two ways since rm can't unlink itself on some systems and the destination +# file might be busy for other reasons. In this case, the final cleanup +# might fail but the new file should still install successfully. + +{ + if [ -f "$dstdir/$dstfile" ] + then + $doit $rmcmd -f "$dstdir/$dstfile" 2>/dev/null || + $doit $mvcmd -f "$dstdir/$dstfile" "$rmtmp" 2>/dev/null || + { + echo "$0: cannot unlink or rename $dstdir/$dstfile" >&2 + (exit 1); exit + } + else + : + fi +} && # Now rename the file to the real destination. - $doit $rmcmd -f $dstdir/$dstfile && - $doit $mvcmd $dsttmp $dstdir/$dstfile + $doit $mvcmd "$dsttmp" "$dstdir/$dstfile" fi && +# The final little trick to "correctly" pass the exit status to the exit trap. -exit 0 +{ + (exit 0); exit +} diff --git a/kadmin/ChangeLog b/kadmin/ChangeLog index 093835e98..8bfbeed7f 100644 --- a/kadmin/ChangeLog +++ b/kadmin/ChangeLog 
@@ -1,3 +1,10 @@ +2004-04-29 Love Hörquist Åstrand + + * version4.c: 1.30: (handle_v4): make sure length is longer then + 2, Pointed out by Evgeny Demidov + + * kadmind.c: 1.31: make kerberos4 support default turned off + 2003-04-14 Love Hörquist Åstrand * util.c: cast argument to tolower to unsigned char, from diff --git a/kadmin/kadmind.c b/kadmin/kadmind.c index 51a37412c..b1049070a 100644 --- a/kadmin/kadmind.c +++ b/kadmin/kadmind.c @@ -46,7 +46,7 @@ static int debug_flag; static char *port_str; char *realm; #ifdef KRB4 -int do_kerberos4 = 1; +int do_kerberos4 = 0; #endif static struct getargs args[] = { @@ -75,7 +75,7 @@ static struct getargs args[] = { "enable debugging" }, #ifdef KRB4 - { "kerberos4", 0, arg_negative_flag, &do_kerberos4, + { "kerberos4", 0, arg_flag, &do_kerberos4, "don't respond to kerberos 4 requests" }, #endif diff --git a/kadmin/version4.c b/kadmin/version4.c index cfb3f5d0d..1a6d3db12 100644 --- a/kadmin/version4.c +++ b/kadmin/version4.c @@ -965,6 +965,8 @@ handle_v4(krb5_context context, if(term_flag) exit(0); if(first) { + if (len < 2) + krb5_errx(context, 1, "received too short len (%d < 2)", len); /* first time around, we have already read len, and two bytes of the version string */ krb5_data_alloc(&message, len); diff --git a/kdc/config.c b/kdc/config.c index c2cd57adb..5581cad5b 100644 --- a/kdc/config.c +++ b/kdc/config.c @@ -64,6 +64,8 @@ krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */ krb5_boolean check_ticket_addresses; krb5_boolean allow_null_ticket_addresses; krb5_boolean allow_anonymous; +int trpolicy; +static const char *trpolicy_str; static struct getarg_strings addresses_str; /* addresses to listen on */ krb5_addresses explicit_addresses; @@ -293,9 +295,8 @@ configure(int argc, char **argv) get_dbinfo(); - if(max_request_str){ + if(max_request_str) max_request = parse_bytes(max_request_str, NULL); - } if(max_request == 0){ p = krb5_config_get_string (context, 
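Review bot: The help string for the `kerberos4` option in kadmind.c still reads `"don't respond to kerberos 4 requests"` although the entry changed from `arg_negative_flag` to `arg_flag` and the default to 0, so `--kerberos4` now enables Kerberos 4 support while the usage text says the opposite. Change it to `"respond to kerberos 4 requests"`. The ChangeLog entry in this commit ("make kerberos4 support default turned off") matches the code, so only the usage text is stale.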
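Review bot: `krb5_errx(context, 1, "received too short len (%d < 2)", len)` in handle_v4 terminates the process rather than rejecting the request, so an unauthenticated peer can end whatever process handle_v4 runs in by sending a short packet; whether that is a per-connection child or the listener itself is not visible in the hunk. If it is the daemon, prefer `krb5_warnx` followed by an early return or closing the connection, so one malformed request cannot take the service down. It is also worth confirming, outside this hunk, that `len` is bounded above before `krb5_data_alloc(&message, len)`, since the value comes straight off the wire.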
@@ -366,6 +367,23 @@ configure(int argc, char **argv) allow_anonymous = krb5_config_get_bool(context, NULL, "kdc", "allow-anonymous", NULL); + trpolicy_str = + krb5_config_get_string_default(context, NULL, "always-check", "kdc", + "transited-policy", NULL); + if(strcasecmp(trpolicy_str, "always-check") == 0) + trpolicy = TRPOLICY_ALWAYS_CHECK; + else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) + trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; + else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) + trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; + else { + kdc_log(0, "unknown transited-policy: %s, reverting to always-check", + trpolicy_str); + trpolicy = TRPOLICY_ALWAYS_CHECK; + } + + krb5_config_get_bool_default(context, NULL, TRUE, "kdc", + "enforce-transited-policy", NULL); #ifdef KRB4 if(v4_realm == NULL){ p = krb5_config_get_string (context, NULL, diff --git a/kdc/connect.c b/kdc/connect.c index 337fa458e..56b5e09cb 100644 --- a/kdc/connect.c +++ b/kdc/connect.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -547,21 +547,23 @@ grow_descr (struct descr *d, size_t n) { if (d->size - d->len < n) { unsigned char *tmp; + size_t grow; - d->size += max(1024, d->len + n); - if (d->size >= max_request) { + grow = max(1024, d->len + n); + if (d->size + grow > max_request) { kdc_log(0, "Request exceeds max request size (%lu bytes).", - (unsigned long)d->size); + (unsigned long)d->size + grow); clear_descr(d); return -1; } - tmp = realloc (d->buf, d->size); + tmp = realloc (d->buf, d->size + grow); if (tmp == NULL) { kdc_log(0, "Failed to re-allocate %lu bytes.", - (unsigned long)d->size); + (unsigned long)d->size + grow); clear_descr(d); return -1; } + d->size += grow; d->buf = tmp; } return 0; 
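Review bot: The result of `krb5_config_get_bool_default(context, NULL, TRUE, "kdc", "enforce-transited-policy", NULL)` is discarded, so the `enforce-transited-policy` option that the kdc.8 hunk in this commit documents has no effect; the setting actually consulted is `transited-policy` (`always-check`, `allow-per-principal`, `always-honour-request`), which kdc.8 does not mention. Either assign the value to the variable that tgs_make_reply consults, or remove the call and document `transited-policy` in kdc.8 instead. Because the default resolves to `TRPOLICY_ALWAYS_CHECK` the omission fails closed, but an administrator who sets `enforce-transited-policy = false` expecting the request flag to be honoured will be misled. A short comment on the `trpolicy_str` parse, `/* unknown values fall back to always-check on purpose */`, would also document the intended fail-closed behaviour.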
@@ -702,6 +704,12 @@ handle_tcp(struct descr *d, int index, int min_free) if(n < 0){ krb5_warn(context, errno, "recvfrom"); return; + } else if (n == 0) { + krb5_warnx(context, "connection closed before end of data after %lu " + "bytes from %s", + (unsigned long)d[index].len, d[index].addr_string); + clear_descr (d + index); + return; } if (grow_descr (&d[index], n)) return; diff --git a/kdc/kaserver.c b/kdc/kaserver.c index afdbab380..fde417506 100644 --- a/kdc/kaserver.c +++ b/kdc/kaserver.c @@ -402,6 +402,10 @@ do_authenticate (struct rx_header *hdr, unparse_auth_args (sp, &name, &instance, &start_time, &end_time, &request, &max_seq_len); + if (request.length < 8) { + make_error_reply (hdr, KABADREQUEST, reply); + goto out; + } snprintf (client_name, sizeof(client_name), "%s.%s@%s", name, instance, v4_realm); @@ -600,6 +604,11 @@ do_getticket (struct rx_header *hdr, unparse_getticket_args (sp, &kvno, &auth_domain, &aticket, &name, &instance, ×, &max_seq_len); + if (times.length < 8) { + make_error_reply (hdr, KABADREQUEST, reply); + goto out; + + } snprintf (server_name, sizeof(server_name), "%s.%s@%s", name, instance, v4_realm); diff --git a/kdc/kdc.8 b/kdc/kdc.8 index aa8d5f47e..8c7bcefcc 100644 --- a/kdc/kdc.8 +++ b/kdc/kdc.8 @@ -31,7 +31,7 @@ .\" .\" $Id$ .\" -.Dd August 22, 2002 +.Dd October 21, 2003 .Dt KDC 8 .Os HEIMDAL .Sh NAME @@ -185,6 +185,10 @@ Permit tickets with no addresses. This option is only relevant when check-ticket-addresses is TRUE. .It Li allow-anonymous = Va boolean Permit anonymous tickets with no addresses. +.It Li enforce-transited-policy = Va boolean +Always verify the transited policy, ignoring the +.Va disable-transited-check +flag if set in the KDC client request. .It encode_as_rep_as_tgs_rep = Va boolean Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The Heimdal clients allow both. diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h index 697c3b909..90750be6d 100644 --- a/kdc/kdc_locl.h +++ b/kdc/kdc_locl.h 
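Review bot: There is a stray blank line before the closing brace of the new `if (times.length < 8)` guard in do_getticket, while the parallel `if (request.length < 8)` guard added to do_authenticate in the same file has none. Remove it so the two length checks read identically. Both guards are a sensible hardening: they reject a too-short field before the later code consumes eight bytes from it.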
@@ -62,6 +62,10 @@ extern krb5_boolean encode_as_rep_as_tgs_rep; extern krb5_boolean check_ticket_addresses; extern krb5_boolean allow_null_ticket_addresses; extern krb5_boolean allow_anonymous; +enum { TRPOLICY_ALWAYS_CHECK, + TRPOLICY_ALLOW_PER_PRINCIPAL, + TRPOLICY_ALWAYS_HONOUR_REQUEST }; +extern int trpolicy; extern int enable_524; extern int enable_v4_cross_realm; diff --git a/kdc/kerberos4.c b/kdc/kerberos4.c index 3a7d781a6..40e967ab3 100644 --- a/kdc/kerberos4.c +++ b/kdc/kerberos4.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -133,7 +133,7 @@ do_version4(unsigned char *buf, char *name = NULL, *inst = NULL, *realm = NULL; char *sname = NULL, *sinst = NULL; int32_t req_time; - time_t max_life; + time_t max_life, max_end, actual_end, issue_time; u_int8_t life; char client_name[256]; char server_name[256]; 
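Review bot: `max_life` stays in the rewritten declaration `time_t max_life, max_end, actual_end, issue_time;` in do_version4, yet the later do_version4 hunk removes every assignment to it that was visible. Unless a use survives elsewhere in the function body (which lies outside both hunks), it is now a dead variable and should be dropped from the declaration. Keeping only `max_end`, `actual_end` and `issue_time` makes the lifetime computation that follows easier to read.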
@@ -425,17 +425,22 @@ do_version4(unsigned char *buf, goto out2; } - max_life = krb_life_to_time(ad.time_sec, ad.life); - max_life = min(max_life, krb_life_to_time(kdc_time, life)); - life = min(life, krb_time_to_life(kdc_time, max_life)); - max_life = krb_life_to_time(0, life); -#if 0 - if(client->max_life) - max_life = min(max_life, *client->max_life); -#endif - if(server->max_life) - max_life = min(max_life, *server->max_life); + max_end = krb_life_to_time(ad.time_sec, ad.life); + max_end = min(max_end, krb_life_to_time(kdc_time, life)); + life = min(life, krb_time_to_life(kdc_time, max_end)); + issue_time = kdc_time; + actual_end = krb_life_to_time(issue_time, life); + while (actual_end > max_end && life > 1) { + /* move them into the next earlier lifetime bracket */ + life--; + actual_end = krb_life_to_time(issue_time, life); + } + if (actual_end > max_end) { + /* if life <= 1 and it's still too long, backdate the ticket */ + issue_time -= actual_end - max_end; + } + { KTEXT_ST cipher, ticket; KTEXT r; @@ -443,13 +448,14 @@ do_version4(unsigned char *buf, des_new_random_key(&session); krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm, - addr->sin_addr.s_addr, &session, life, kdc_time, + addr->sin_addr.s_addr, &session, life, + issue_time, sname, sinst, skey->key.keyvalue.data); create_ciph(&cipher, session, sname, sinst, v4_realm, life, server->kvno % 256, &ticket, - kdc_time, &ad.session); - + issue_time, &ad.session); + memset(&session, 0, sizeof(session)); memset(ad.session, 0, sizeof(ad.session)); diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index bb881fa11..4a475b4c7 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -331,6 +331,9 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client, return ENOMEM; for(j = 0; j < etypes_len; j++) { + for (i = 0; i < n; i++) + if (pa.val[i].etype == etypes[j]) + goto skip1; for(i = 0; i < client->keys.len; i++) { if(client->keys.val[i].key.keytype == etypes[j]) if((ret = make_etype_info_entry(&pa.val[n++], @@ -339,18 +342,19 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client, return ret; } } + skip1:; } for(i = 0; i < client->keys.len; i++) { for(j = 0; j < etypes_len; j++) { if(client->keys.val[i].key.keytype == etypes[j]) - goto skip; + goto skip2; } if((ret = make_etype_info_entry(&pa.val[n++], &client->keys.val[i])) != 0) { free_ETYPE_INFO(&pa); return ret; } - skip:; + skip2:; } if(n != pa.len) { @@ -496,8 +500,8 @@ as_rep(KDC_REQ *req, krb5_enctype cetype, setype; EncTicketPart et; EncKDCRepPart ek; - krb5_principal client_princ, server_princ; - char *client_name, *server_name; + krb5_principal client_princ = NULL, server_princ = NULL; + char *client_name = NULL, *server_name = NULL; krb5_error_code ret = 0; const char *e_text = NULL; krb5_crypto crypto; 
@@ -506,27 +510,30 @@ as_rep(KDC_REQ *req, memset(&rep, 0, sizeof(rep)); if(b->sname == NULL){ - server_name = ""; ret = KRB5KRB_ERR_GENERIC; e_text = "No server in request"; } else{ principalname2krb5_principal (&server_princ, *(b->sname), b->realm); krb5_unparse_name(context, server_princ, &server_name); } + if (ret) { + kdc_log(0, "AS-REQ malformed server name from %s", from); + goto out; + } if(b->cname == NULL){ - client_name = ""; ret = KRB5KRB_ERR_GENERIC; e_text = "No client in request"; } else { principalname2krb5_principal (&client_princ, *(b->cname), b->realm); krb5_unparse_name(context, client_princ, &client_name); } - kdc_log(0, "AS-REQ %s from %s for %s", - client_name, from, server_name); - - if(ret) + if (ret) { + kdc_log(0, "AS-REQ malformed client name from %s", from); goto out; + } + + kdc_log(0, "AS-REQ %s from %s for %s", client_name, from, server_name); ret = db_fetch(client_princ, &client); if(ret){ @@ -842,13 +849,8 @@ as_rep(KDC_REQ *req, copy_HostAddresses(b->addresses, et.caddr); } - { - krb5_data empty_string; - - krb5_data_zero(&empty_string); - et.transited.tr_type = DOMAIN_X500_COMPRESS; - et.transited.contents = empty_string; - } + et.transited.tr_type = DOMAIN_X500_COMPRESS; + krb5_data_zero(&et.transited.contents); copy_EncryptionKey(&et.key, &ek.key); @@ -930,9 +932,11 @@ as_rep(KDC_REQ *req, ret = 0; } out2: - krb5_free_principal(context, client_princ); + if (client_princ) + krb5_free_principal(context, client_princ); free(client_name); - krb5_free_principal(context, server_princ); + if (server_princ) + krb5_free_principal(context, server_princ); free(server_name); if(client) free_ent(client); 
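Review bot: `krb5_unparse_name(context, server_princ, &server_name)` and its client counterpart still ignore their return value, so on failure `server_name` or `client_name` stays NULL (they are now initialised to NULL by the earlier hunk) and the new `kdc_log(0, "AS-REQ %s from %s for %s", client_name, from, server_name)` hands NULL to `%s`. Capture the status so the new early exits cover it: `ret = krb5_unparse_name(context, server_princ, &server_name);` before the `if (ret) { kdc_log(0, "AS-REQ malformed server name from %s", from); goto out; }` block, and the same for the client branch. If `principalname2krb5_principal` also returns a status it should be checked the same way. The `out2:` cleanup in the last hunk already tolerates NULL principals and names, so the added early exits themselves are safe.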
@@ -1055,33 +1059,35 @@ check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et) } static krb5_error_code -fix_transited_encoding(TransitedEncoding *tr, +fix_transited_encoding(krb5_boolean check_policy, + TransitedEncoding *tr, + EncTicketPart *et, const char *client_realm, const char *server_realm, const char *tgt_realm) { krb5_error_code ret = 0; - if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)){ - char **realms = NULL, **tmp; - int num_realms = 0; - int i; - if(tr->tr_type && tr->contents.length != 0) { - if(tr->tr_type != DOMAIN_X500_COMPRESS){ - kdc_log(0, "Unknown transited type: %u", - tr->tr_type); - return KRB5KDC_ERR_TRTYPE_NOSUPP; - } - ret = krb5_domain_x500_decode(context, - tr->contents, - &realms, - &num_realms, - client_realm, - server_realm); - if(ret){ - krb5_warn(context, ret, "Decoding transited encoding"); - return ret; - } - } + char **realms, **tmp; + int num_realms; + int i; + + if(tr->tr_type != DOMAIN_X500_COMPRESS) { + kdc_log(0, "Unknown transited type: %u", tr->tr_type); + return KRB5KDC_ERR_TRTYPE_NOSUPP; + } + + ret = krb5_domain_x500_decode(context, + tr->contents, + &realms, + &num_realms, + client_realm, + server_realm); + if(ret){ + krb5_warn(context, ret, "Decoding transited encoding"); + return ret; + } + if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { + /* not us, so add the previous realm to transited set */ if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) { ret = ERANGE; goto free_realms; 
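Review bot: The `tr_type` check and the `krb5_domain_x500_decode` call now run unconditionally, whereas the removed code skipped both when `tr->tr_type` was 0 or `tr->contents.length` was 0; a TGT whose transited field has type 0 and empty contents is therefore now rejected with `KRB5KDC_ERR_TRTYPE_NOSUPP`. If that is intended, record it above the check, e.g. `/* only DOMAIN_X500_COMPRESS is supported; an empty encoding must still carry that type */`; otherwise keep the empty-contents exemption. Note also that `realms` and `num_realms` are only initialised by a successful decode, which is fine as long as every later `goto free_realms` stays after that call.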
@@ -1098,16 +1104,46 @@ fix_transited_encoding(TransitedEncoding *tr, goto free_realms; } num_realms++; - free_TransitedEncoding(tr); - tr->tr_type = DOMAIN_X500_COMPRESS; - ret = krb5_domain_x500_encode(realms, num_realms, &tr->contents); - if(ret) - krb5_warn(context, ret, "Encoding transited encoding"); - free_realms: + } + if(num_realms == 0) { + if(strcmp(client_realm, server_realm)) + kdc_log(0, "cross-realm %s -> %s", client_realm, server_realm); + } else { + size_t l = 0; + char *rs; for(i = 0; i < num_realms; i++) - free(realms[i]); - free(realms); + l += strlen(realms[i]) + 2; + rs = malloc(l); + if(rs != NULL) { + *rs = '\0'; + for(i = 0; i < num_realms; i++) { + if(i > 0) + strlcat(rs, ", ", l); + strlcat(rs, realms[i], l); + } + kdc_log(0, "cross-realm %s -> %s via [%s]", client_realm, server_realm, rs); + free(rs); + } } + if(check_policy) { + ret = krb5_check_transited(context, client_realm, + server_realm, + realms, num_realms, NULL); + if(ret) { + krb5_warn(context, ret, "cross-realm %s -> %s", + client_realm, server_realm); + goto free_realms; + } + et->flags.transited_policy_checked = 1; + } + et->transited.tr_type = DOMAIN_X500_COMPRESS; + ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents); + if(ret) + krb5_warn(context, ret, "Encoding transited encoding"); + free_realms: + for(i = 0; i < num_realms; i++) + free(realms[i]); + free(realms); return ret; } 
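Review bot: `et->transited` is assigned only on the success path after the policy check; on the `goto free_realms` paths it keeps whatever the caller left in it, and the tgs_make_reply hunk below removes the `copy_TransitedEncoding(&tgt->transited, &et.transited)` that used to fill it while its `out:` label still calls `free_TransitedEncoding(&et.transited)`. That is only safe if `et` is zero-initialised before the call, which is outside the hunk; worth confirming, or initialise the field at function entry with `et->transited.tr_type = DOMAIN_X500_COMPRESS; krb5_data_zero(&et->transited.contents);`. The `rs` buffer sizing (`strlen + 2` per realm) leaves room for the `", "` separators and the terminator, and a failed `malloc` merely drops the log line, which is acceptable. Setting `transited_policy_checked` only when `check_policy` ran is correct, since a downstream verifier must not be told the check happened when it was skipped.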
@@ -1175,8 +1211,28 @@ tgs_make_reply(KDC_REQ_BODY *b, if(ret) goto out; - copy_TransitedEncoding(&tgt->transited, &et.transited); - ret = fix_transited_encoding(&et.transited, + /* We should check the transited encoding if: + 1) the request doesn't ask not to be checked + 2) globally enforcing a check + 3) principal requires checking + 4) we allow non-check per-principal, but principal isn't marked as allowing this + 5) we don't globally allow this + */ + +#define GLOBAL_FORCE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_CHECK) +#define GLOBAL_ALLOW_PER_PRINCIPAL (trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL) +#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST) +/* these will consult the database in future release */ +#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0 +#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0 + + ret = fix_transited_encoding(!f.disable_transited_check || + GLOBAL_FORCE_TRANSITED_CHECK || + PRINCIPAL_FORCE_TRANSITED_CHECK(server) || + !((GLOBAL_ALLOW_PER_PRINCIPAL && + PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) || + GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK), + &tgt->transited, &et, *krb5_princ_realm(context, client_principal), *krb5_princ_realm(context, server->principal), *krb5_princ_realm(context, krbtgt->principal)); @@ -1276,7 +1332,7 @@ tgs_make_reply(KDC_REQ_BODY *b, DES3? */ ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey, 0, &tgt->key, e_text, reply); -out: + out: free_TGS_REP(&rep); free_TransitedEncoding(&et.transited); if(et.starttime) @@ -1378,13 +1434,13 @@ get_krbtgt_realm(const PrincipalName *p) } static Realm -find_rpath(Realm r) +find_rpath(Realm crealm, Realm srealm) { const char *new_realm = krb5_config_get_string(context, NULL, - "libdefaults", - "capath", - r, + "capaths", + crealm, + srealm, NULL); return (Realm)new_realm; } 
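Review bot: The five `#define`s introduced inside tgs_make_reply are never `#undef`'d and so leak to the rest of the translation unit, and `PRINCIPAL_FORCE_TRANSITED_CHECK(P)` / `PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P)` expand to a bare `0` that ignores `server`. Prefer a small `static krb5_boolean` helper that takes `f.disable_transited_check` and `server`, or at least move the macros to file scope next to the `TRPOLICY_*` enum and `#undef` the two placeholders after use. The combined predicate does fail closed: under `allow-per-principal` the placeholder yields 0, so the check still runs, which is the right default for a transit-policy decision; a one-line comment to that effect beside the `#define`s would help the next reader.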
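Review bot: `find_rpath` now returns the raw `[capaths] crealm { srealm = ... }` value as a single realm name, but the texinfo hunk earlier in this commit documents that value as a space-separated list (`STACKEN.KTH.SE = SU.SE KTH.SE`); if `krb5_config_get_string` returns the whole binding, the caller in tgs_rep2 will look for a krbtgt named after "SU.SE KTH.SE". Either split on whitespace and return the first (next-hop) realm, or state in a comment that only a single-realm value is honoured here. The `capath`→`capaths` rename also silently ignores an existing `[libdefaults] capath` setting; a log line when the old key is present would ease migration.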
@@ -1676,7 +1732,7 @@ tgs_rep2(KDC_REQ_BODY *b, if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { if(loop++ < 2) { - new_rlm = find_rpath(req_rlm); + new_rlm = find_rpath(tgt->crealm, req_rlm); if(new_rlm) { kdc_log(5, "krbtgt for realm %s not found, trying %s", req_rlm, new_rlm); @@ -1725,6 +1781,18 @@ tgs_rep2(KDC_REQ_BODY *b, } #endif + if(strcmp(krb5_principal_get_realm(context, sp), + krb5_principal_get_comp_string(context, krbtgt->principal, 1)) != 0) { + char *tpn; + ret = krb5_unparse_name(context, krbtgt->principal, &tpn); + kdc_log(0, "Request with wrong krbtgt: %s", (ret == 0) ? tpn : ""); + if(ret == 0) + free(tpn); + ret = KRB5KRB_AP_ERR_NOT_US; + goto out; + + } + ret = check_flags(client, cpn, server, spn, FALSE); if(ret) goto out; diff --git a/kdc/v4_dump.c b/kdc/v4_dump.c index ab2c9cb79..49b02844a 100644 --- a/kdc/v4_dump.c +++ b/kdc/v4_dump.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -103,7 +103,7 @@ v4_prop_dump(void *arg, const char *file) memset(&pr, 0, sizeof(pr)); errno = 0; lineno++; - ret = sscanf(buf, "%s %s %d %d %d %d %lx %lx %s %s %s %s", + ret = sscanf(buf, "%63s %63s %d %d %d %d %lx %lx %63s %63s %63s %63s", pr.name, pr.instance, &pr.max_life, &pr.mkvno, &pr.kvno, &attributes, diff --git a/kuser/kdestroy.c b/kuser/kdestroy.c index 190e65015..359fd9661 100644 --- a/kuser/kdestroy.c +++ b/kuser/kdestroy.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -120,11 +120,11 @@ main (int argc, char **argv) #if KRB4 if(dest_tkt_flag && dest_tkt ()) exit_val = 1; +#endif if (unlog_flag && k_hasafs ()) { if (k_unlog ()) exit_val = 1; } -#endif return exit_val; } 
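Review bot: The new wrong-krbtgt check in tgs_rep2 calls `strcmp` on `krb5_principal_get_comp_string(context, krbtgt->principal, 1)` without guarding against a NULL return; if a krbtgt principal with fewer than two components can reach this point (I cannot see where it is validated), this dereferences NULL instead of rejecting the request. Fetch the component first and treat NULL as a mismatch: `const char *tgt_realm = krb5_principal_get_comp_string(context, krbtgt->principal, 1);` followed by `if(tgt_realm == NULL || strcmp(krb5_principal_get_realm(context, sp), tgt_realm) != 0) {`. The check itself is the right thing to add: it stops a krbtgt issued for one realm from being used to obtain service tickets in another. tgs_rep2 starts and ends outside this hunk.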
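Review bot: The `%63s` widths added to the `sscanf` call in v4_prop_dump bound the previously unbounded `%s` reads, but they hard-code the assumption that `pr.name`, `pr.instance` and the four trailing string fields are each at least 64 bytes; nothing in the hunk ties the width to the struct. Derive the width from the field size (a stringised constant built next to the struct declaration, or a static assertion that `sizeof(pr.name) >= 64`) so the two cannot drift apart. Note also that `%63s` silently truncates over-long fields rather than rejecting the record; if truncated names must not be accepted into the database, check the parsed lengths against the limit and reject the line. v4_prop_dump starts and ends outside this hunk.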
diff --git a/kuser/kinit.c b/kuser/kinit.c index b080e74be..c063eb7ef 100644 --- a/kuser/kinit.c +++ b/kuser/kinit.c @@ -52,9 +52,9 @@ char *start_str = NULL; struct getarg_strings etype_str; int use_keytab = 0; char *keytab_str = NULL; +int do_afslog = -1; #ifdef KRB4 int get_v4_tgt = -1; -int do_afslog = -1; int convert_524; #endif int fcache_version; @@ -66,10 +66,10 @@ static struct getargs args[] = { { "524convert", '9', arg_flag, &convert_524, "only convert ticket to version 4" }, - +#endif { "afslog", 0 , arg_flag, &do_afslog, "obtain afs tokens" }, -#endif + { "cache", 'c', arg_string, &cred_cache, "credentials cache", "cachename" }, @@ -290,10 +290,13 @@ do_524init(krb5_context context, krb5_ccache ccache, krb5_cc_get_principal(context, ccache, &client); memset(&in_creds, 0, sizeof(in_creds)); ret = get_server(context, client, server, &in_creds.server); - krb5_free_principal(context, client); - if(ret) + if(ret) { + krb5_free_principal(context, client); return ret; + } + in_creds.client = client; ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds); + krb5_free_principal(context, client); krb5_free_principal(context, in_creds.server); if(ret) return ret; @@ -370,16 +373,15 @@ renew_validate(krb5_context context, } ret = krb5_cc_store_cred(context, cache, out); -#ifdef KRB4 if(ret == 0 && server == NULL) { +#ifdef KRB4 /* only do this if it's a general renew-my-tgt request */ if(get_v4_tgt) do_524init(context, cache, out, NULL); - +#endif if(do_afslog && k_hasafs()) krb5_afslog(context, cache, NULL, NULL); } -#endif krb5_free_creds (context, out); if(ret) { 
@@ -426,15 +428,15 @@ get_new_tickets(krb5_context context, krb5_get_init_creds_opt_set_address_list (&opt, &no_addrs); } + if (renew_life == NULL && renewable_flag) + renew_life = "1 month"; if(renew_life) { renew = parse_time (renew_life, "s"); if (renew < 0) errx (1, "unparsable time: %s", renew_life); krb5_get_init_creds_opt_set_renew_life (&opt, renew); - } else if (renewable_flag == 1) - krb5_get_init_creds_opt_set_renew_life (&opt, 1 << 30); - + } if(ticket_life != 0) krb5_get_init_creds_opt_set_tkt_life (&opt, ticket_life); @@ -625,8 +627,6 @@ main (int argc, char **argv) if((fd = mkstemp(s)) >= 0) { close(fd); setenv("KRBTKFILE", s, 1); - if (k_hasafs ()) - k_setpag(); } } #endif @@ -636,6 +636,9 @@ main (int argc, char **argv) if (ret) krb5_err (context, 1, ret, "resolving credentials cache"); + if (argc > 1 && k_hasafs ()) + k_setpag(); + if (lifetime) { int tmp = parse_time (lifetime, "s"); if (tmp < 0) @@ -648,11 +651,11 @@ main (int argc, char **argv) krb5_appdefault_boolean(context, "kinit", krb5_principal_get_realm(context, principal), "krb4_get_tickets", TRUE, &get_v4_tgt); +#endif if(do_afslog == -1) krb5_appdefault_boolean(context, "kinit", krb5_principal_get_realm(context, principal), "afslog", TRUE, &do_afslog); -#endif if(!addrs_flag && extra_addresses.num_strings > 0) krb5_errx(context, 1, "specifying both extra addresses and " @@ -687,20 +690,22 @@ main (int argc, char **argv) #ifdef KRB4 if(get_v4_tgt) do_524init(context, ccache, NULL, server); +#endif if(do_afslog && k_hasafs()) krb5_afslog(context, ccache, NULL, NULL); -#endif if(argc > 1) { - simple_execvp(argv[1], argv+1); + ret = simple_execvp(argv[1], argv+1); krb5_cc_destroy(context, ccache); #ifdef KRB4 dest_tkt(); +#endif if(k_hasafs()) k_unlog(); -#endif - } else + } else { krb5_cc_close (context, ccache); + ret = 0; + } krb5_free_principal(context, principal); krb5_free_context (context); - return 0; + return ret; } 
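Review bot: `main` now returns whatever `simple_execvp(argv[1], argv+1)` leaves in `ret`, the same variable that holds `krb5_error_code` values earlier in the function; if simple_execvp yields a raw wait status or -1 rather than an exit code (not visible from the hunk), `return ret` produces a mangled process exit status. Confirm the contract and map it explicitly if needed, e.g. `return ret < 0 ? 1 : ret;` with a one-line comment stating that the exit status is the child's. The new `if (argc > 1 && k_hasafs ()) k_setpag();` is a sensible move: tokens obtained for the command are kept out of the caller's PAG regardless of KRB4 support, where previously this only happened under `#ifdef KRB4`. main starts outside this hunk.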
diff --git a/kuser/klist.c b/kuser/klist.c index 1615b1ae9..10afc2873 100644 --- a/kuser/klist.c +++ b/kuser/klist.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -273,10 +273,10 @@ print_tickets (krb5_context context, rtbl_set_prefix(ct, " "); rtbl_set_column_prefix(ct, COL_ISSUED, ""); } - while (krb5_cc_next_cred (context, - ccache, - &cursor, - &creds) == 0) { + while ((ret = krb5_cc_next_cred (context, + ccache, + &cursor, + &creds)) == 0) { if(do_verbose){ print_cred_verbose(context, &creds); }else{ @@ -284,6 +284,8 @@ print_tickets (krb5_context context, } krb5_free_creds_contents (context, &creds); } + if(ret != KRB5_CC_END) + krb5_err(context, 1, ret, "krb5_cc_get_next"); ret = krb5_cc_end_seq_get (context, ccache, &cursor); if (ret) krb5_err (context, 1, ret, "krb5_cc_end_seq_get"); @@ -466,6 +468,7 @@ display_v4_tickets (int do_verbose) */ return 0; } +#endif /* KRB4 */ /* * Print a list of all AFS tokens @@ -500,7 +503,7 @@ display_tokens(int do_verbose) continue; if(parms.out_size < sizeof(size_secret_tok)) continue; - t[parms.out_size] = 0; + t[min(parms.out_size,sizeof(t)-1)] = 0; memcpy(&size_secret_tok, r, sizeof(size_secret_tok)); /* dont bother about the secret token */ r += size_secret_tok + sizeof(size_secret_tok); @@ -536,7 +539,6 @@ display_tokens(int do_verbose) putchar('\n'); } } -#endif /* KRB4 */ /* * display the ccache in `cred_cache' @@ -596,8 +598,8 @@ static int do_verbose = 0; static int do_test = 0; #ifdef KRB4 static int do_v4 = 1; -static int do_tokens = 0; #endif +static int do_tokens = 0; static int do_v5 = 1; static char *cred_cache; static int do_flags = 0; 
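Review bot: The new error check after the `krb5_cc_next_cred` loop in print_tickets names the failing function as `"krb5_cc_get_next"`, which is not the call that produced `ret`; use `krb5_err(context, 1, ret, "krb5_cc_next_cred");` so the message points at the right API. Turning the unchecked loop condition into `(ret = ...) == 0` and then distinguishing `KRB5_CC_END` from real errors is the right fix — previously a read error on the cache looked like a clean end of iteration. print_tickets starts and ends outside this hunk.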
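Review bot: `t[min(parms.out_size,sizeof(t)-1)] = 0;` in display_tokens keeps the terminator inside `t`, but whether the token data before it is in bounds depends on the pioctl having been asked for at most `sizeof(t)` bytes, which this hunk does not show; if `parms.out_size` can exceed `sizeof(t)`, the copy has already overflowed and the clamp only hides it. Check the `parms.out` / `parms.out_size` setup for this call and add a comment at the clamp, e.g. `/* out_size is bounded by sizeof(t) via parms.out_size; clamp only guards the terminator */`. `min` is not a standard C macro, so make sure the header that defines it is included in klist.c. display_tokens starts and ends outside this hunk.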
@@ -612,9 +614,9 @@ static struct getargs args[] = { #ifdef KRB4 { "v4", '4', arg_flag, &do_v4, "display v4 tickets", NULL }, +#endif { "tokens", 'T', arg_flag, &do_tokens, "display AFS tokens", NULL }, -#endif { "v5", '5', arg_flag, &do_v5, "display v5 cred cache", NULL}, { "verbose", 'v', arg_flag, &do_verbose, @@ -666,20 +668,24 @@ main (int argc, char **argv) exit_status = display_v5_ccache (cred_cache, do_test, do_verbose, do_flags); -#ifdef KRB4 if (!do_test) { +#ifdef KRB4 if (do_v4) { if (do_v5) printf ("\n"); display_v4_tickets (do_verbose); } +#endif if (do_tokens && k_hasafs ()) { - if (do_v4 || do_v5) + if (do_v5) printf ("\n"); +#ifdef KRB4 + else if (do_v4) + printf ("\n"); +#endif display_tokens (do_verbose); } } -#endif return exit_status; } diff --git a/lib/asn1/Makefile.am b/lib/asn1/Makefile.am index 416da982b..b25a17639 100644 --- a/lib/asn1/Makefile.am +++ b/lib/asn1/Makefile.am @@ -5,7 +5,7 @@ include $(top_srcdir)/Makefile.am.common YFLAGS = -d lib_LTLIBRARIES = libasn1.la -libasn1_la_LDFLAGS = -version-info 6:0:0 +libasn1_la_LDFLAGS = -version-info 6:2:0 libasn1_la_LIBADD = @LIB_com_err@ @@ -23,6 +23,7 @@ gen_files = \ asn1_Authenticator.x \ asn1_AuthorizationData.x \ asn1_CKSUMTYPE.x \ + asn1_ChangePasswdDataMS.x \ asn1_Checksum.x \ asn1_ENCTYPE.x \ asn1_ETYPE_INFO.x \ diff --git a/lib/asn1/check-gen.c b/lib/asn1/check-gen.c index 4cd04c46b..3047aaca9 100644 --- a/lib/asn1/check-gen.c +++ b/lib/asn1/check-gen.c 
@@ -80,18 +80,22 @@ cmp_principal (void *a, void *b) static int test_principal (void) { + struct test_case tests[] = { { NULL, 29, - "0\e \0200\016 \003\002\001\001¡\a0\005\e\003" - "lha¡\a\e\005SU.SE" + (unsigned char*)"\x30\x1b\xa0\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b" + "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45" }, { NULL, 35, - "0! \0260\024 \003\002\001\001¡\r0\013\e\003" - "lha\e\004root¡\a\e\005SU.SE" + (unsigned char*)"\x30\x21\xa0\x16\x30\x14\xa0\x03\x02\x01\x01\xa1\x0d\x30\x0b\x1b" + "\x03\x6c\x68\x61\x1b\x04\x72\x6f\x6f\x74\xa1\x07\x1b\x05\x53\x55" + "\x2e\x53\x45" }, { NULL, 54, - "04 &0$ \003\002\001\003¡\0350\e\e\004" - "host\e\023nutcracker.e.kth.se¡\n\e\bE.KTH.SE" + (unsigned char*)"\x30\x34\xa0\x26\x30\x24\xa0\x03\x02\x01\x03\xa1\x1d\x30\x1b\x1b" + "\x04\x68\x6f\x73\x74\x1b\x13\x6e\x75\x74\x63\x72\x61\x63\x6b\x65" + "\x72\x2e\x65\x2e\x6b\x74\x68\x2e\x73\x65\xa1\x0a\x1b\x08\x45\x2e" + "\x4b\x54\x48\x2e\x53\x45" } }; @@ -140,14 +144,14 @@ test_authenticator (void) { struct test_case tests[] = { { NULL, 63, - "\x62\x3d\x30\x3b\xa0\x03\x02\x01\x05\xa1\x0a\x1b\x08" + (unsigned char*)"\x62\x3d\x30\x3b\xa0\x03\x02\x01\x05\xa1\x0a\x1b\x08" "\x45\x2e\x4b\x54\x48\x2e\x53\x45\xa2\x10\x30\x0e\xa0" "\x03\x02\x01\x01\xa1\x07\x30\x05\x1b\x03\x6c\x68\x61" "\xa4\x03\x02\x01\x0a\xa5\x11\x18\x0f\x31\x39\x37\x30" "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a" }, { NULL, 67, - "\x62\x41\x30\x3f\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05" + (unsigned char*)"\x62\x41\x30\x3f\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05" "\x53\x55\x2e\x53\x45\xa2\x16\x30\x14\xa0\x03\x02\x01" "\x01\xa1\x0d\x30\x0b\x1b\x03\x6c\x68\x61\x1b\x04\x72" "\x6f\x6f\x74\xa4\x04\x02\x02\x01\x24\xa5\x11\x18\x0f" diff --git a/lib/asn1/der_free.c b/lib/asn1/der_free.c index e0a3849ad..a61eeb38a 100644 --- a/lib/asn1/der_free.c +++ b/lib/asn1/der_free.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -39,16 +39,19 @@ void free_general_string (general_string *str) { free(*str); + *str = NULL; } void free_octet_string (octet_string *k) { free(k->data); + k->data = NULL; } void free_oid (oid *k) { free(k->components); + k->components = NULL; } diff --git a/lib/asn1/der_length.c b/lib/asn1/der_length.c index 367132780..058d2a0d4 100644 --- a/lib/asn1/der_length.c +++ b/lib/asn1/der_length.c @@ -35,8 +35,8 @@ RCSID("$Id$"); -static size_t -len_unsigned (unsigned val) +size_t +_heim_len_unsigned (unsigned val) { size_t ret = 0; @@ -47,24 +47,31 @@ len_unsigned (unsigned val) return ret; } -static size_t -len_int (int val) +size_t +_heim_len_int (int val) { - size_t ret = 0; - - if (val == 0) - return 1; - while (val > 255 || val < -255) { - ++ret; - val /= 256; - } - if (val != 0) { - ++ret; - if ((signed char)val != val) - ++ret; - val /= 256; - } - return ret; + unsigned char q; + size_t ret = 0; + + if (val >= 0) { + do { + q = val % 256; + ret++; + val /= 256; + } while(val); + if(q >= 128) + ret++; + } else { + val = ~val; + do { + q = ~(val % 256); + ret++; + val /= 256; + } while(val); + if(q < 128) + ret++; + } + return ret; } static size_t @@ -89,16 +96,16 @@ len_oid (const oid *oid) size_t length_len (size_t len) { - if (len < 128) - return 1; - else - return len_unsigned (len) + 1; + if (len < 128) + return 1; + else + return _heim_len_unsigned (len) + 1; } size_t length_integer (const int *data) { - size_t len = len_int (*data); + size_t len = _heim_len_int (*data); return 1 + length_len(len) + len; } @@ -106,7 +113,7 @@ length_integer (const int *data) size_t length_unsigned (const unsigned *data) { - size_t len = len_unsigned (*data); + size_t len = _heim_len_unsigned (*data); return 1 + length_len(len) + len; } 
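Review bot: The rewritten `_heim_len_int` relies on a non-obvious trick in its negative branch that deserves a comment: `val = ~val;` turns a negative `val` into the non-negative `-val-1`, so the `val % 256` / `val /= 256` loop never operates on a negative operand (whose results are implementation-defined before C99), and `q = ~(val % 256)` recovers the low byte of the two's-complement encoding for the sign test. Suggested comment above the `else`: `/* two's complement: ~val == -val-1 >= 0, so the loop only divides non-negative values; q is the low byte of the encoding */`. The closing `if(q >= 128) ret++;` / `if(q < 128) ret++;` pair is the DER rule that the leading byte must carry the sign, which the old code expressed as `(signed char)val != val`; saying so in a comment makes the two forms recognisably equivalent.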
@@ -114,7 +121,7 @@ length_unsigned (const unsigned *data) size_t length_enumerated (const unsigned *data) { - size_t len = len_int (*data); + size_t len = _heim_len_int (*data); return 1 + length_len(len) + len; } diff --git a/lib/asn1/der_locl.h b/lib/asn1/der_locl.h index ad5787c88..d65d06890 100644 --- a/lib/asn1/der_locl.h +++ b/lib/asn1/der_locl.h @@ -53,4 +53,7 @@ #include #include +size_t _heim_len_unsigned (unsigned); +size_t _heim_len_int (int); + #endif /* __DER_LOCL_H__ */ diff --git a/lib/asn1/gen_free.c b/lib/asn1/gen_free.c index b6d97bfd9..3394e80ca 100644 --- a/lib/asn1/gen_free.c +++ b/lib/asn1/gen_free.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -82,7 +82,8 @@ free_type (const char *name, const Type *t) if(m->optional) fprintf(codefile, "free(%s);\n" - "}\n",s); + "%s = NULL;\n" + "}\n", s, s); if (tag == -1) tag = m->val; free (s); @@ -100,7 +101,8 @@ free_type (const char *name, const Type *t) "}\n", name); fprintf(codefile, - "free((%s)->val);\n", name); + "free((%s)->val);\n" + "(%s)->val = NULL;\n", name, name); free(n); break; } diff --git a/lib/asn1/gen_length.c b/lib/asn1/gen_length.c index 6f26ab3c1..2819c8c9e 100644 --- a/lib/asn1/gen_length.c +++ b/lib/asn1/gen_length.c @@ -126,8 +126,12 @@ length_type (const char *name, const Type *t, const char *variable) variable, variable); fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name); + fprintf (codefile, "int oldret = %s;\n" + "%s = 0;\n", variable, variable); asprintf (&n, "&(%s)->val[i]", name); length_type(n, t->subtype, variable); + fprintf (codefile, "%s += oldret;\n", + variable); fprintf (codefile, "}\n"); fprintf (codefile, diff --git a/lib/asn1/k5.asn1 b/lib/asn1/k5.asn1 index 58342095f..14727d3ca 100644 --- a/lib/asn1/k5.asn1 +++ b/lib/asn1/k5.asn1 
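Review bot: `length_enumerated` takes `const unsigned *data` but passes `*data` to `_heim_len_int (int val)`, so a value of 2^31 or above is converted to a negative int and sized as a negative INTEGER, whereas `length_unsigned` in the previous hunk uses `_heim_len_unsigned` for the same situation. Whether ENUMERATED values that large ever occur I cannot tell from here, but the length function must agree with the encoder for the type, so either make the signed interpretation explicit (`size_t len = _heim_len_int ((int)*data);` with a comment) or switch both encoder and length function to the unsigned variant together. The rename itself is fine; the prototypes in der_locl.h match the definitions.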
@@ -51,6 +51,7 @@ PADATA-TYPE ::= INTEGER { KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT) KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT) KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT) + KRB5-PADATA-ETYPE-INFO2(19), KRB5-PADATA-USE-SPECIFIED-KVNO(20), KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) KRB5-PADATA-GET-FROM-TYPED-DATA(22), @@ -440,6 +441,12 @@ KRB-ERROR ::= [APPLICATION 30] SEQUENCE { e-data[12] OCTET STRING OPTIONAL } +ChangePasswdDataMS ::= SEQUENCE { + newpasswd[0] OCTET STRING, + targname[1] PrincipalName OPTIONAL, + targrealm[2] Realm OPTIONAL +} + pvno INTEGER ::= 5 -- current Kerberos protocol version number -- transited encodings diff --git a/lib/auth/ChangeLog b/lib/auth/ChangeLog index a6f9423b9..c85ad35ef 100644 --- a/lib/auth/ChangeLog +++ b/lib/auth/ChangeLog @@ -1,3 +1,13 @@ +2004-09-08 Johan Danielsson + + * afskauthlib/verify.c: pull up 1.27->1.28: use + krb5_appdefault_boolean instead of krb5_config_get_bool + +2003-05-08 Love Hörnquist Åstrand + + * sia/Makefile.am: 1.15->1.16: inline COMPILE since (modern) + automake doesn't add it by itself for some reason + 2003-03-27 Love Hörnquist Åstrand * sia/Makefile.am: libkafs is always built now, lets include it diff --git a/lib/auth/afskauthlib/verify.c b/lib/auth/afskauthlib/verify.c index 980d3ab47..82efeeb5a 100644 --- a/lib/auth/afskauthlib/verify.c +++ b/lib/auth/afskauthlib/verify.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1995-2000, 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -163,47 +163,51 @@ verify_krb5(struct passwd *pwd, } #ifdef KRB4 - if (krb5_config_get_bool(context, NULL, - "libdefaults", - "krb4_get_tickets", - NULL)) { - CREDENTIALS c; - krb5_creds mcred, cred; - krb5_realm realm; + { + krb5_realm realm = NULL; + krb5_boolean get_v4_tgt; - krb5_get_default_realm(context, &realm); - krb5_make_principal(context, &mcred.server, realm, - "krbtgt", - realm, - NULL); - free (realm); - ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred); - if(ret == 0) { - ret = krb524_convert_creds_kdc_ccache(context, ccache, &cred, &c); - if(ret) - krb5_warn(context, ret, "converting creds"); - else { - set_krbtkfile(pwd->pw_uid); - tf_setup(&c, c.pname, c.pinst); - } - memset(&c, 0, sizeof(c)); - krb5_free_creds_contents(context, &cred); - } else - syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", - krb5_get_err_text(context, ret)); + krb5_get_default_realm(context, &realm); + krb5_appdefault_boolean(context, "afskauthlib", + realm, + "krb4_get_tickets", FALSE, &get_v4_tgt); + if (get_v4_tgt) { + CREDENTIALS c; + krb5_creds mcred, cred; + + krb5_make_principal(context, &mcred.server, realm, + "krbtgt", + realm, + NULL); + ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred); + if(ret == 0) { + ret = krb524_convert_creds_kdc_ccache(context, ccache, &cred, &c); + if(ret) + krb5_warn(context, ret, "converting creds"); + else { + set_krbtkfile(pwd->pw_uid); + tf_setup(&c, c.pname, c.pinst); + } + memset(&c, 0, sizeof(c)); + krb5_free_creds_contents(context, &cred); + } else + syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", + krb5_get_err_text(context, ret)); - krb5_free_principal(context, mcred.server); - } - if (!pag_set && k_hasafs()) { - k_setpag(); - pag_set = 1; - } + krb5_free_principal(context, mcred.server); + } + free(realm); + if (!pag_set && k_hasafs()) { + k_setpag(); + pag_set = 1; + } - if (pag_set) - krb5_afslog_uid_home(context, ccache, NULL, NULL, - pwd->pw_uid, pwd->pw_dir); + if (pag_set) + 
krb5_afslog_uid_home(context, ccache, NULL, NULL, + pwd->pw_uid, pwd->pw_dir); + } #endif -out: + out: if(ret && !quiet) printf ("%s\n", krb5_get_err_text (context, ret)); return ret; diff --git a/lib/auth/sia/Makefile.am b/lib/auth/sia/Makefile.am index 0fb5c81b0..d46164402 100644 --- a/lib/auth/sia/Makefile.am +++ b/lib/auth/sia/Makefile.am @@ -104,5 +104,9 @@ CLEANFILES = $(MOD) $(OBJS) so_locations SUFFIXES += .c .o +# XXX inline COMPILE since automake wont add it + .c.o: - $(COMPILE) -c $< + $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \ + -c `test -f '$<' || echo '$(srcdir)/'`$< diff --git a/lib/gssapi/8003.c b/lib/gssapi/8003.c index e225bb021..8b5b4519f 100644 --- a/lib/gssapi/8003.c +++ b/lib/gssapi/8003.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,8 +35,8 @@ RCSID("$Id$"); -static krb5_error_code -encode_om_uint32(OM_uint32 n, u_char *p) +krb5_error_code +gssapi_encode_om_uint32(OM_uint32 n, u_char *p) { p[0] = (n >> 0) & 0xFF; p[1] = (n >> 8) & 0xFF; @@ -45,13 +45,30 @@ encode_om_uint32(OM_uint32 n, u_char *p) return 0; } -static krb5_error_code -decode_om_uint32(u_char *p, OM_uint32 *n) +krb5_error_code +gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p) +{ + p[0] = (n >> 24) & 0xFF; + p[1] = (n >> 16) & 0xFF; + p[2] = (n >> 8) & 0xFF; + p[3] = (n >> 0) & 0xFF; + return 0; +} + +krb5_error_code +gssapi_decode_om_uint32(u_char *p, OM_uint32 *n) { *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); return 0; } +krb5_error_code +gssapi_decode_be_om_uint32(u_char *p, OM_uint32 *n) +{ + *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0); + return 0; +} + static krb5_error_code hash_input_chan_bindings (const gss_channel_bindings_t b, u_char *p) 
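Review bot: In the new KRB4 block of verify_krb5 the return value of `krb5_get_default_realm(context, &realm)` is ignored; `realm` starts as NULL so the later `free(realm)` is safe, but on failure the NULL goes straight into `krb5_appdefault_boolean` and, if `get_v4_tgt` comes back true, into `krb5_make_principal(context, &mcred.server, realm, "krbtgt", realm, NULL)`. Guard the conversion on having a realm, at minimum `if (realm != NULL && get_v4_tgt) {`, or check the return code and skip the block when it fails. `krb5_make_principal`'s own return is also unchecked before `mcred.server` is used; that predates this change but now sits in touched code. verify_krb5 starts outside this hunk.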
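Review bot: `gssapi_decode_om_uint32` and the new `gssapi_decode_be_om_uint32` shift a `u_char` that has been promoted to `int` by 24 bits (`p[3] << 24` and `p[0] <<24`), which overflows a 32-bit signed int whenever that byte is 0x80 or more — undefined behaviour in C even though it happens to work on common compilers. Widen before shifting: `*n = ((OM_uint32)p[0] << 0) | ((OM_uint32)p[1] << 8) | ((OM_uint32)p[2] << 16) | ((OM_uint32)p[3] << 24);` and the mirror image in the big-endian variant. Since these helpers are now exported, the `p` parameter of the two decoders could also become `const u_char *` to document that they only read the buffer.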
@@ -60,23 +77,23 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, MD5_CTX md5; MD5_Init(&md5); - encode_om_uint32 (b->initiator_addrtype, num); + gssapi_encode_om_uint32 (b->initiator_addrtype, num); MD5_Update (&md5, num, sizeof(num)); - encode_om_uint32 (b->initiator_address.length, num); + gssapi_encode_om_uint32 (b->initiator_address.length, num); MD5_Update (&md5, num, sizeof(num)); if (b->initiator_address.length) MD5_Update (&md5, b->initiator_address.value, b->initiator_address.length); - encode_om_uint32 (b->acceptor_addrtype, num); + gssapi_encode_om_uint32 (b->acceptor_addrtype, num); MD5_Update (&md5, num, sizeof(num)); - encode_om_uint32 (b->acceptor_address.length, num); + gssapi_encode_om_uint32 (b->acceptor_address.length, num); MD5_Update (&md5, num, sizeof(num)); if (b->acceptor_address.length) MD5_Update (&md5, b->acceptor_address.value, b->acceptor_address.length); - encode_om_uint32 (b->application_data.length, num); + gssapi_encode_om_uint32 (b->application_data.length, num); MD5_Update (&md5, num, sizeof(num)); if (b->application_data.length) MD5_Update (&md5, @@ -117,7 +134,7 @@ gssapi_krb5_create_8003_checksum ( } p = result->checksum.data; - encode_om_uint32 (16, p); + gssapi_encode_om_uint32 (16, p); p += 4; if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) { memset (p, 0, 16); @@ -125,7 +142,7 @@ gssapi_krb5_create_8003_checksum ( hash_input_chan_bindings (input_chan_bindings, p); } p += 16; - encode_om_uint32 (flags, p); + gssapi_encode_om_uint32 (flags, p); p += 4; if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) { @@ -178,7 +195,7 @@ gssapi_krb5_verify_8003_checksum( } p = cksum->checksum.data; - decode_om_uint32(p, &length); + gssapi_decode_om_uint32(p, &length); if(length != sizeof(hash)) { *minor_status = 0; return GSS_S_BAD_BINDINGS; 
@@ -200,7 +217,7 @@ gssapi_krb5_verify_8003_checksum(
 p += sizeof(hash);
- decode_om_uint32(p, flags);
+ gssapi_decode_om_uint32(p, flags);
 p += 4;
 if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
diff --git a/lib/gssapi/ChangeLog b/lib/gssapi/ChangeLog
index e6c3a282b..b18bde67e 100644
--- a/lib/gssapi/ChangeLog
+++ b/lib/gssapi/ChangeLog
@@ -1,3 +1,113 @@ +2003-12-19 Love Hörnquist Åstrand + + * accept_sec_context.c: 1.40->1.41: Don't require timestamp to be + set on delegated token, its already protected by the outer token + (and windows doesn't alway send it) Pointed out by Zi-Bin Yang + on heimdal-discuss + +2003-10-21 Love Hörnquist Åstrand + + * add_cred.c: 1.3->1.4: If its a MEMORY cc, make a copy. We need + to do this since now gss_release_cred will destroy the cred. This + should be really be solved a better way. + +2003-10-07 Love Hörnquist Åstrand + + * release_cred.c: 1.9->1.10: + (gss_release_cred): if its a mcc, destroy it rather the just release it + Found by: "Zi-Bin Yang" + +2003-09-19 Love Hörnquist Åstrand + + * arcfour.c: 1.13->1.14: remove depenency on gss_arcfour_mic_token + and gss_arcfour_warp_token + + * arcfour.h: 1.3->1.4: remove depenency on gss_arcfour_mic_token + and gss_arcfour_warp_token + + * arcfour.c: make build + + * get_mic.c, verify_mic.c, unwrap.c, wrap.c: + glue in arcfour support + + * gssapi_locl.h: 1.32->1.33: add _gssapi_verify_pad + +2003-09-18 Love Hörnquist Åstrand + + * encapsulate.c: add _gssapi_make_mech_header + + * gssapi_locl.h: add "arcfour.h" and prototype for + _gssapi_make_mech_header + + * gssapi_locl.h: add gssapi_{en,de}code_{be_,}om_uint32 + + * 8003.c: 1.12->1.13: export and rename + encode_om_uint32/decode_om_uint32 and start to use them + +2003-08-16 Love Hörnquist Åstrand + + * verify_mic.c: 1.21->1.22: make sure minor_status is always set, + pointed out by Luke Howard + +2003-08-15 Love Hörnquist Åstrand + + * context_time.c: 1.7->1.10: return time in seconds from now + + * gssapi_locl.h: add gssapi_lifetime_left + + * init_sec_context.c: part of 1.37->1.38: (init_auth): if the cred + is expired before we tries to create a token, fail so the peer + doesn't need reject us + (*): make sure time is returned in seconds from now, not in + kerberos time + + * acquire_cred.c: 1.14->1.15: (gss_aquire_cred): make sure time is + returned in 
seconds from now, not in kerberos time + + * accept_sec_context.c: 1.34->1.35: (gss_accept_sec_context): make + sure time is returned in seconds from now, not in kerberos time + +2003-05-07 Love Hörnquist Åstrand + + * gssapi.h: 1.27->1.28: + if __cplusplus, wrap the extern variable (just to be safe) and + functions in extern "C" { } + +2003-04-30 Love Hörnquist Åstrand + + * gssapi.3: more about the des3 mic mess + + * verify_mic.c 1.19->1.20 : (verify_mic_des3): always check if the + mic is the correct mic or the mic that old heimdal would have + generated + +2003-04-29 Jacques Vidrine + + * verify_mic.c: 1.18->1.19: verify_mic_des3: If MIC verification + fails, retry using the `old' MIC computation (with zero IV). + +2003-04-28 Love Hörnquist Åstrand + + * compat.c (_gss_DES3_get_mic_compat): default to use compat + + * gssapi.3: 1.5->1.6: document [gssapi]correct_des3_mic and + [gssapi]broken_des3_mic + + * compat.c: 1.2->1.4: + (gss_krb5_compat_des3_mci): return a value + (gss_krb5_compat_des3_mic): enable turning on/off des3 mic compat + (_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too + + * gssapi.h: 1.26->1.27: + (gss_krb5_compat_des3_mic): new function, turn on/off des3 mic compat + (GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if + gss_krb5_compat_des3_mic exists + +2003-04-23 Love Hörnquist Åstrand + + * Makefile.am: 1.44->1.45: test_acquire_cred_LDADD: use + libgssapi.la not ./libgssapi.la (makes make -jN work) + 2003-04-16 Love Hörnquist Åstrand * gssapi.3: spelling diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am index d1acbd4b7..66d6bc9bb 100644 --- a/lib/gssapi/Makefile.am +++ b/lib/gssapi/Makefile.am 
@@ -5,7 +5,7 @@ include $(top_srcdir)/Makefile.am.common INCLUDES += -I$(srcdir)/../krb5 $(INCLUDE_des) $(INCLUDE_krb4) lib_LTLIBRARIES = libgssapi.la -libgssapi_la_LDFLAGS = -version-info 3:6:2 +libgssapi_la_LDFLAGS = -version-info 5:0:4 libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la man_MANS = gssapi.3 gss_acquire_cred.3 @@ -14,6 +14,7 @@ include_HEADERS = gssapi.h libgssapi_la_SOURCES = \ 8003.c \ + arcfour.c \ accept_sec_context.c \ acquire_cred.c \ add_cred.c \ @@ -58,8 +59,8 @@ libgssapi_la_SOURCES = \ wrap.c \ address_to_krb5addr.c -noinst_PROGRAMS = test_acquire_cred +#noinst_PROGRAMS = test_acquire_cred -test_acquire_cred_SOURCES = test_acquire_cred.c +#test_acquire_cred_SOURCES = test_acquire_cred.c -test_acquire_cred_LDADD = ./libgssapi.la +#test_acquire_cred_LDADD = libgssapi.la diff --git a/lib/gssapi/accept_sec_context.c b/lib/gssapi/accept_sec_context.c index 4b55acb21..9def215f8 100644 --- a/lib/gssapi/accept_sec_context.c +++ b/lib/gssapi/accept_sec_context.c @@ -291,8 +291,8 @@ gss_accept_sec_context } if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) { - krb5_ccache ccache; + int32_t ac_flags; if (delegated_cred_handle == NULL) /* XXX Create a new delegated_cred_handle? */ @@ -346,10 +346,19 @@ gss_accept_sec_context goto end_fwd; } + krb5_auth_con_getflags(gssapi_krb5_context, + (*context_handle)->auth_context, + &ac_flags); + krb5_auth_con_setflags(gssapi_krb5_context, + (*context_handle)->auth_context, + ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); kret = krb5_rd_cred2(gssapi_krb5_context, (*context_handle)->auth_context, ccache, &fwd_data); + krb5_auth_con_setflags(gssapi_krb5_context, + (*context_handle)->auth_context, + ac_flags); if (kret) { flags &= ~GSS_C_DELEG_FLAG; goto end_fwd; 
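Review bot: `ac_flags` in gss_accept_sec_context is only assigned through `krb5_auth_con_getflags`, whose return value is not checked; if that call fails, both `krb5_auth_con_setflags` calls write an uninitialised value into the auth context, first with `DO_TIME` cleared and then as the "restore". Check the result, or initialise `ac_flags` and skip the clear/restore pair on failure, before touching the flags. The intent — accepting the KRB-CRED without its own timestamp because the delegated credentials ride inside the already-authenticated AP-REQ — should be stated in a comment next to `ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME`, since on its own it reads as weakening replay protection. The hunk at line 291 also drops the local `krb5_ccache ccache;` while `ccache` is still passed to `krb5_rd_cred2`, so presumably it is now declared elsewhere in the function, outside this hunk. gss_accept_sec_context starts and ends outside this hunk.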
@@ -371,8 +380,13 @@ gss_accept_sec_context if (mech_type) *mech_type = GSS_KRB5_MECHANISM; - if (time_rec) - *time_rec = (*context_handle)->lifetime; + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + time_rec); + if (ret) + goto failure; + } if(flags & GSS_C_MUTUAL_FLAG) { krb5_data outbuf; diff --git a/lib/gssapi/acquire_cred.c b/lib/gssapi/acquire_cred.c index e8c28f6d3..a4c5aa2c6 100644 --- a/lib/gssapi/acquire_cred.c +++ b/lib/gssapi/acquire_cred.c @@ -295,8 +295,14 @@ OM_uint32 gss_acquire_cred return (ret); } *minor_status = 0; - if (time_rec) - *time_rec = handle->lifetime; + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + handle->lifetime, + time_rec); + + if (ret) + return ret; + } handle->usage = cred_usage; *output_cred_handle = handle; return (GSS_S_COMPLETE); diff --git a/lib/gssapi/add_cred.c b/lib/gssapi/add_cred.c index b207415c2..0f5bc8796 100644 --- a/lib/gssapi/add_cred.c +++ b/lib/gssapi/add_cred.c 
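Review bot: In gss_acquire_cred the new failure path `if (ret) return ret;` after `gssapi_lifetime_left` returns without releasing `handle`, which is already populated at this point (its `lifetime` is being read); if `handle` and its credential cache were allocated earlier in the function — not visible here — this early return leaks them. Route the failure through whatever cleanup the earlier error exits use, or release `handle` explicitly before returning; the corresponding change in gss_accept_sec_context uses `goto failure`, which is the shape to copy. A brief comment that `time_rec` is now seconds from now rather than an absolute Kerberos time would also document the behavioural change of this hunk. gss_acquire_cred starts outside this hunk.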
@@ -152,25 +152,43 @@ OM_uint32 gss_add_cred ( goto failure; } - name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache); - if (name == NULL) { - *minor_status = ENOMEM; - goto failure; - } - - asprintf(&type_name, "%s:%s", type, name); - if (type_name == NULL) { - *minor_status = ENOMEM; - goto failure; + if (strcmp(type, "MEMORY") == 0) { + ret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, + &handle->ccache); + if (ret) { + *minor_status = ret; + goto failure; + } + + ret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, + handle->ccache); + if (ret) { + *minor_status = ret; + goto failure; + } + + } else { + + name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache); + if (name == NULL) { + *minor_status = ENOMEM; + goto failure; + } + + asprintf(&type_name, "%s:%s", type, name); + if (type_name == NULL) { + *minor_status = ENOMEM; + goto failure; + } + + kret = krb5_cc_resolve(gssapi_krb5_context, type_name, + &handle->ccache); + free(type_name); + if (kret) { + *minor_status = kret; + goto failure; + } } - - kret = krb5_cc_resolve(gssapi_krb5_context, type_name, - &handle->ccache); - free(type_name); - if (kret) { - *minor_status = kret; - goto failure; - } } ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); diff --git a/lib/gssapi/arcfour.c b/lib/gssapi/arcfour.c new file mode 100644 index 000000000..e9ce39c67 --- /dev/null +++ b/lib/gssapi/arcfour.c 
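Review bot: The new MEMORY branch in gss_add_cred stores the krb5 results of `krb5_cc_gen_new` and `krb5_cc_copy_cache` in `ret` before `goto failure`, while the sibling branch keeps the krb5 code in `kret` and leaves `ret` for the GSS status; if `failure` returns `ret` as the major status (likely, though the label is outside the hunk), a krb5 error code is returned where an OM_uint32 GSS code is expected. Use `kret` in the MEMORY branch as well: `kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, &handle->ccache); if (kret) { *minor_status = kret; goto failure; }`, and the same for the copy. When `krb5_cc_copy_cache` fails, the memory cache just created in `handle->ccache` needs to be destroyed rather than merely released — the ChangeLog entry in this commit says releasing a cred now destroys memory caches — so confirm that the `failure` path does that. gss_add_cred starts and ends outside this hunk.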
@@ -0,0 +1,623 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "gssapi_locl.h" + +/* + * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt + */ + +RCSID("$Id$"); + +static krb5_error_code +arcfour_mic_key(krb5_context context, krb5_keyblock *key, + void *cksum_data, size_t cksum_size, + void *key6_data, size_t key6_size) +{ + krb5_error_code ret; + + Checksum cksum_k5; + krb5_keyblock key5; + char k5_data[16]; + + Checksum cksum_k6; + + char T[4]; + + memset(T, 0, 4); + cksum_k5.checksum.data = k5_data; + cksum_k5.checksum.length = sizeof(k5_data); + + if (key->keytype == KEYTYPE_ARCFOUR_56) { + char L40[14] = "fortybits"; + + memcpy(L40 + 10, T, sizeof(T)); + ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, + L40, 14, 0, key, &cksum_k5); + memset(&k5_data[7], 0xAB, 9); + } else { + ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5, + T, 4, 0, key, &cksum_k5); + } + if (ret) + return ret; + + key5.keytype = KEYTYPE_ARCFOUR; + key5.keyvalue = cksum_k5.checksum; + + cksum_k6.checksum.data = key6_data; + cksum_k6.checksum.length = key6_size; + + return krb5_hmac(context, CKSUMTYPE_RSA_MD5, + cksum_data, cksum_size, 0, &key5, &cksum_k6); +} + + +static krb5_error_code +arcfour_mic_cksum(krb5_keyblock *key, unsigned usage, + u_char *sgn_cksum, size_t sgn_cksum_sz, + const char *v1, size_t l1, + const void *v2, size_t l2, + const void *v3, size_t l3) +{ + Checksum CKSUM; + u_char *ptr; + size_t len; + krb5_crypto crypto; + krb5_error_code ret; + + assert(sgn_cksum_sz == 8); + + len = l1 + l2 + l3; + + ptr = malloc(len); + if (ptr == NULL) + return ENOMEM; + + memcpy(ptr, v1, l1); + memcpy(ptr + l1, v2, l2); + memcpy(ptr + l1 + l2, v3, l3); + + ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); + if (ret) { + free(ptr); + return ret; + } + + ret = krb5_create_checksum(gssapi_krb5_context, + crypto, + usage, + 0, + ptr, len, + &CKSUM); + free(ptr); + if (ret == 0) { + memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz); + free_Checksum(&CKSUM); + } + krb5_crypto_destroy(gssapi_krb5_context, crypto); + + return ret; +} 
+ + +OM_uint32 +_gssapi_get_mic_arcfour(OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + gss_qop_t qop_req, + const gss_buffer_t message_buffer, + gss_buffer_t message_token, + krb5_keyblock *key) +{ + krb5_error_code ret; + int32_t seq_number; + size_t len, total_len; + u_char k6_data[16], *p0, *p; + RC4_KEY rc4_key; + + gssapi_krb5_encap_length (22, &len, &total_len); + + message_token->length = total_len; + message_token->value = malloc (total_len); + if (message_token->value == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + p0 = _gssapi_make_mech_header(message_token->value, + len); + p = p0; + + *p++ = 0x01; /* TOK_ID */ + *p++ = 0x01; + *p++ = 0x11; /* SGN_ALG */ + *p++ = 0x00; + *p++ = 0xff; /* Filler */ + *p++ = 0xff; + *p++ = 0xff; + *p++ = 0xff; + + p = NULL; + + ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN, + p0 + 16, 8, /* SGN_CKSUM */ + p0, 8, /* TOK_ID, SGN_ALG, Filer */ + message_buffer->value, message_buffer->length, + NULL, 0); + if (ret) { + gss_release_buffer(minor_status, message_token); + *minor_status = ret; + return GSS_S_FAILURE; + } + + ret = arcfour_mic_key(gssapi_krb5_context, key, + p0 + 16, 8, /* SGN_CKSUM */ + k6_data, sizeof(k6_data)); + if (ret) { + gss_release_buffer(minor_status, message_token); + *minor_status = ret; + return GSS_S_FAILURE; + } + + krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, + context_handle->auth_context, + &seq_number); + p = p0 + 8; /* SND_SEQ */ + gssapi_encode_be_om_uint32(seq_number, p); + + krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, + context_handle->auth_context, + ++seq_number); + + memset (p + 4, (context_handle->more_flags & LOCAL) ? 
0 : 0xff, 4); + + RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); + RC4 (&rc4_key, 8, p, p); + + memset(&rc4_key, 0, sizeof(rc4_key)); + memset(k6_data, 0, sizeof(k6_data)); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + + +OM_uint32 +_gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t message_buffer, + const gss_buffer_t token_buffer, + gss_qop_t * qop_state, + krb5_keyblock *key, + char *type) +{ + krb5_error_code ret; + int32_t seq_number, seq_number2; + OM_uint32 omret; + char cksum_data[8], k6_data[16], SND_SEQ[8]; + u_char *p; + int cmp; + + if (qop_state) + *qop_state = 0; + + p = token_buffer->value; + omret = gssapi_krb5_verify_header (&p, + token_buffer->length, + type); + if (omret) + return omret; + + if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ + return GSS_S_BAD_SIG; + p += 2; + if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) + return GSS_S_BAD_MIC; + p += 4; + + ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN, + cksum_data, sizeof(cksum_data), + p - 8, 8, + message_buffer->value, message_buffer->length, + NULL, 0); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + ret = arcfour_mic_key(gssapi_krb5_context, key, + cksum_data, sizeof(cksum_data), + k6_data, sizeof(k6_data)); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + cmp = memcmp(cksum_data, p + 8, 8); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; + } + + { + RC4_KEY rc4_key; + + RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); + RC4 (&rc4_key, 8, p, SND_SEQ); + + memset(&rc4_key, 0, sizeof(rc4_key)); + memset(k6_data, 0, sizeof(k6_data)); + } + + gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); + + if (context_handle->more_flags & LOCAL) + cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); + else + cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); + + memset(SND_SEQ, 0, sizeof(SND_SEQ)); + if (cmp != 0) { + *minor_status = 0; + return GSS_S_BAD_MIC; + } + + 
krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, + context_handle->auth_context, + &seq_number2); + + if (seq_number != seq_number2) { + *minor_status = 0; + return GSS_S_UNSEQ_TOKEN; + } + + krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, + context_handle->auth_context, + ++seq_number2); + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 +_gssapi_wrap_arcfour(OM_uint32 * minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + const gss_buffer_t input_message_buffer, + int * conf_state, + gss_buffer_t output_message_buffer, + krb5_keyblock *key) +{ + u_char Klocaldata[16], k6_data[16], *p, *p0; + size_t len, total_len, datalen; + krb5_keyblock Klocal; + krb5_error_code ret; + int32_t seq_number; + + if (conf_state) + *conf_state = 0; + + datalen = input_message_buffer->length + 1 /* padding */; + len = datalen + 30; + gssapi_krb5_encap_length (len, &len, &total_len); + + output_message_buffer->length = total_len; + output_message_buffer->value = malloc (total_len); + if (output_message_buffer->value == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + p0 = _gssapi_make_mech_header(output_message_buffer->value, + len); + p = p0; + + *p++ = 0x02; /* TOK_ID */ + *p++ = 0x01; + *p++ = 0x11; /* SGN_ALG */ + *p++ = 0x00; + if (conf_req_flag) { + *p++ = 0x10; /* SEAL_ALG */ + *p++ = 0x00; + } else { + *p++ = 0xff; /* SEAL_ALG */ + *p++ = 0xff; + } + *p++ = 0xff; /* Filler */ + *p++ = 0xff; + + p = NULL; + + krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, + context_handle->auth_context, + &seq_number); + + gssapi_encode_be_om_uint32(seq_number, p0 + 8); + + krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, + context_handle->auth_context, + ++seq_number); + + memset (p0 + 8 + 4, + (context_handle->more_flags & LOCAL) ? 
0 : 0xff, + 4); + + krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */ + + /* p points to data */ + p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE; + memcpy(p, input_message_buffer->value, input_message_buffer->length); + p[input_message_buffer->length] = 1; /* PADDING */ + + ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, + p0 + 16, 8, /* SGN_CKSUM */ + p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */ + p0 + 24, 8, /* Confounder */ + p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, + datalen); + if (ret) { + *minor_status = ret; + gss_release_buffer(minor_status, output_message_buffer); + return GSS_S_FAILURE; + } + + { + int i; + + Klocal.keytype = key->keytype; + Klocal.keyvalue.data = Klocaldata; + Klocal.keyvalue.length = sizeof(Klocaldata); + + for (i = 0; i < 16; i++) + Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; + } + ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, + p0 + 8, 4, /* SND_SEQ */ + k6_data, sizeof(k6_data)); + memset(Klocaldata, 0, sizeof(Klocaldata)); + if (ret) { + gss_release_buffer(minor_status, output_message_buffer); + *minor_status = ret; + return GSS_S_FAILURE; + } + + + if(conf_req_flag) { + RC4_KEY rc4_key; + + RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); + /* XXX ? 
*/ + RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */ + memset(&rc4_key, 0, sizeof(rc4_key)); + } + memset(k6_data, 0, sizeof(k6_data)); + + ret = arcfour_mic_key(gssapi_krb5_context, key, + p0 + 16, 8, /* SGN_CKSUM */ + k6_data, sizeof(k6_data)); + if (ret) { + gss_release_buffer(minor_status, output_message_buffer); + *minor_status = ret; + return GSS_S_FAILURE; + } + + { + RC4_KEY rc4_key; + + RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); + RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */ + memset(&rc4_key, 0, sizeof(rc4_key)); + memset(k6_data, 0, sizeof(k6_data)); + } + + if (conf_state) + *conf_state = conf_req_flag; + + *minor_status = 0; + return GSS_S_COMPLETE; +} + +OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t input_message_buffer, + gss_buffer_t output_message_buffer, + int *conf_state, + gss_qop_t *qop_state, + krb5_keyblock *key) +{ + u_char Klocaldata[16]; + krb5_keyblock Klocal; + krb5_error_code ret; + int32_t seq_number, seq_number2; + size_t datalen; + OM_uint32 omret; + char k6_data[16], SND_SEQ[8], Confounder[8]; + char cksum_data[8]; + u_char *p, *p0; + int cmp; + int conf_flag; + size_t padlen; + + if (conf_state) + *conf_state = 0; + if (qop_state) + *qop_state = 0; + + p0 = input_message_buffer->value; + omret = _gssapi_verify_mech_header(&p0, + input_message_buffer->length); + if (omret) + return omret; + p = p0; + + datalen = input_message_buffer->length - + (p - ((u_char *)input_message_buffer->value)) - + GSS_ARCFOUR_WRAP_TOKEN_SIZE; + + if (memcmp(p, "\x02\x01", 2) != 0) + return GSS_S_BAD_SIG; + p += 2; + if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */ + return GSS_S_BAD_SIG; + p += 2; + + if (memcmp (p, "\x10\x00", 2) == 0) + conf_flag = 1; + else if (memcmp (p, "\xff\xff", 2) == 0) + conf_flag = 0; + else + return GSS_S_BAD_SIG; + + p += 2; + if (memcmp (p, "\xff\xff", 2) != 0) + return GSS_S_BAD_MIC; + p = NULL; + + 
ret = arcfour_mic_key(gssapi_krb5_context, key, + p0 + 16, 8, /* SGN_CKSUM */ + k6_data, sizeof(k6_data)); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + { + RC4_KEY rc4_key; + + RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); + RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */ + memset(&rc4_key, 0, sizeof(rc4_key)); + memset(k6_data, 0, sizeof(k6_data)); + } + + gssapi_decode_be_om_uint32(SND_SEQ, &seq_number); + + if (context_handle->more_flags & LOCAL) + cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); + else + cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); + + if (cmp != 0) { + *minor_status = 0; + return GSS_S_BAD_MIC; + } + + { + int i; + + Klocal.keytype = key->keytype; + Klocal.keyvalue.data = Klocaldata; + Klocal.keyvalue.length = sizeof(Klocaldata); + + for (i = 0; i < 16; i++) + Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0; + } + ret = arcfour_mic_key(gssapi_krb5_context, &Klocal, + SND_SEQ, 4, + k6_data, sizeof(k6_data)); + memset(Klocaldata, 0, sizeof(Klocaldata)); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + output_message_buffer->value = malloc(datalen); + if (output_message_buffer->value == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + output_message_buffer->length = datalen; + + if(conf_flag) { + RC4_KEY rc4_key; + + RC4_set_key (&rc4_key, sizeof(k6_data), k6_data); + RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */ + RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, + output_message_buffer->value); + memset(&rc4_key, 0, sizeof(rc4_key)); + } else { + memcpy(Confounder, p0 + 24, 8); /* Confounder */ + memcpy(output_message_buffer->value, + p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, + datalen); + } + memset(k6_data, 0, sizeof(k6_data)); + + ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen); + if (ret) { + gss_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; + return ret; + } + output_message_buffer->length -= padlen; + + 
ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL, + cksum_data, sizeof(cksum_data), + p0, 8, + Confounder, sizeof(Confounder), + output_message_buffer->value, + output_message_buffer->length + padlen); + if (ret) { + gss_release_buffer(minor_status, output_message_buffer); + *minor_status = ret; + return GSS_S_FAILURE; + } + + cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ + if (cmp) { + gss_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; + return GSS_S_BAD_MIC; + } + + krb5_auth_getremoteseqnumber (gssapi_krb5_context, + context_handle->auth_context, + &seq_number2); + + if (seq_number != seq_number2) { + *minor_status = 0; + return GSS_S_UNSEQ_TOKEN; + } + + krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, + context_handle->auth_context, + ++seq_number2); + + if (conf_state) + *conf_state = conf_flag; + + *minor_status = 0; + return GSS_S_COMPLETE; +} diff --git a/lib/gssapi/arcfour.h b/lib/gssapi/arcfour.h new file mode 100644 index 000000000..47577cfd7 --- /dev/null +++ b/lib/gssapi/arcfour.h 
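Review bot: `_gssapi_unwrap_arcfour` computes `datalen` by subtracting the mech header and `GSS_ARCFOUR_WRAP_TOKEN_SIZE` from the token length without first checking the token is at least that long, so a short token wraps the `size_t`, the following `memcmp`s read past the input, and `malloc(datalen)` / `RC4(..., datalen, ...)` run with an enormous length; add, right after `_gssapi_verify_mech_header` succeeds, `if (input_message_buffer->length <= (size_t)(p0 - (u_char *)input_message_buffer->value) + GSS_ARCFOUR_WRAP_TOKEN_SIZE) return GSS_S_DEFECTIVE_TOKEN;` (using `<=` also rejects an empty payload, which cannot carry the mandatory pad byte and would otherwise make `_gssapi_verify_pad` read one byte before the `malloc(0)` buffer). `_gssapi_verify_mic_arcfour` has the same gap: it reads 2+4+8+8 bytes after the header that `gssapi_krb5_verify_header` accepted, and unless that helper (not in this file) already enforces a minimum body length, `token_buffer->length` needs a check for those 22 bytes before the first `memcmp`. In `_gssapi_unwrap_arcfour` the `GSS_S_UNSEQ_TOKEN` path returns with `output_message_buffer` still allocated, unlike every other error path there, so the buffer is leaked on a sequence mismatch. Finally, in `_gssapi_wrap_arcfour` the first error path assigns `*minor_status = ret` and then calls `gss_release_buffer(minor_status, ...)`, which overwrites the minor code; the other paths release first and assign afterwards, and this one should match.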
@@ -0,0 +1,98 @@ +/* + * Copyright (c) 2003 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $Id$ */ + +#ifndef GSSAPI_ARCFOUR_H_ +#define GSSAPI_ARCFOUR_H_ 1 + +/* + * The arcfour message have the following formats, these are only here + * for reference and is not used. 
+ */ + +#if 0 +typedef struct gss_arcfour_mic_token { + u_char TOK_ID[2]; /* 01 01 */ + u_char SGN_ALG[2]; /* 11 00 */ + u_char Filler[4]; + u_char SND_SEQ[8]; + u_char SGN_CKSUM[8]; +} gss_arcfour_mic_token_desc, *gss_arcfour_mic_token; + +typedef struct gss_arcfour_wrap_token { + u_char TOK_ID[2]; /* 02 01 */ + u_char SGN_ALG[2]; + u_char SEAL_ALG[2]; + u_char Filler[2]; + u_char SND_SEQ[8]; + u_char SGN_CKSUM[8]; + u_char Confounder[8]; +} gss_arcfour_wrap_token_desc, *gss_arcfour_wrap_token; +#endif + +#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32 + +OM_uint32 _gssapi_wrap_arcfour(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + int conf_req_flag, + gss_qop_t qop_req, + const gss_buffer_t input_message_buffer, + int *conf_state, + gss_buffer_t output_message_buffer, + krb5_keyblock *key); + +OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t input_message_buffer, + gss_buffer_t output_message_buffer, + int *conf_state, + gss_qop_t *qop_state, + krb5_keyblock *key); + +OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + gss_qop_t qop_req, + const gss_buffer_t message_buffer, + gss_buffer_t message_token, + krb5_keyblock *key); + +OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_buffer_t message_buffer, + const gss_buffer_t token_buffer, + gss_qop_t *qop_state, + krb5_keyblock *key, + char *type); + +#endif /* GSSAPI_ARCFOUR_H_ */ diff --git a/lib/gssapi/compat.c b/lib/gssapi/compat.c index c1a39de93..5d63b2650 100644 --- a/lib/gssapi/compat.c +++ b/lib/gssapi/compat.c @@ -38,7 +38,8 @@ RCSID("$Id$"); static krb5_error_code check_compat(OM_uint32 *minor_status, gss_name_t name, - const char *option, krb5_boolean *compat) + const char *option, krb5_boolean *compat, + krb5_boolean match_val) { krb5_error_code ret = 0; char **p, **q; 
@@ -57,7 +58,7 @@ check_compat(OM_uint32 *minor_status, gss_name_t name, break; if (krb5_principal_match(gssapi_krb5_context, name, match)) { - *compat = TRUE; + *compat = match_val; break; } @@ -76,15 +77,37 @@ check_compat(OM_uint32 *minor_status, gss_name_t name, OM_uint32 _gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx) { - krb5_boolean use_compat = FALSE; + krb5_boolean use_compat = TRUE; OM_uint32 ret; - ret = check_compat(minor_status, ctx->target, - "broken_3des_mic", &use_compat); - if (ret) - return ret; - if (use_compat) + if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) { + ret = check_compat(minor_status, ctx->target, + "broken_des3_mic", &use_compat, TRUE); + if (ret) + return ret; + ret = check_compat(minor_status, ctx->target, + "correct_des3_mic", &use_compat, FALSE); + if (ret) + return ret; + + if (use_compat) + ctx->more_flags |= COMPAT_OLD_DES3; + ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; + } + return 0; +} + +OM_uint32 +gss_krb5_compat_des3_mic(OM_uint32 *minor_status, gss_ctx_id_t ctx, int on) +{ + *minor_status = 0; + + if (on) { ctx->more_flags |= COMPAT_OLD_DES3; + } else { + ctx->more_flags &= ~COMPAT_OLD_DES3; + } + ctx->more_flags |= COMPAT_OLD_DES3_SELECTED; return 0; } diff --git a/lib/gssapi/context_time.c b/lib/gssapi/context_time.c index d133261b7..508423d0d 100644 --- a/lib/gssapi/context_time.c +++ b/lib/gssapi/context_time.c @@ -35,6 +35,30 @@ RCSID("$Id$"); +OM_uint32 +gssapi_lifetime_left(OM_uint32 *minor_status, + OM_uint32 lifetime, + OM_uint32 *lifetime_rec) +{ + krb5_timestamp timeret; + krb5_error_code kret; + + kret = krb5_timeofday(gssapi_krb5_context, &timeret); + if (kret) { + *minor_status = kret; + gssapi_krb5_set_error_string (); + return GSS_S_FAILURE; + } + + if (lifetime < timeret) + *lifetime_rec = 0; + else + *lifetime_rec = lifetime - timeret; + + return GSS_S_COMPLETE; +} + + OM_uint32 gss_context_time (OM_uint32 * minor_status, const gss_ctx_id_t context_handle, 
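Review bot: In `_gss_DES3_get_mic_compat`, `use_compat` now starts as TRUE and the first `check_compat` call can only set it to TRUE again, so the `broken_des3_mic` lookup cannot change the outcome unless `check_compat` resets `*compat` when nothing matches (its body is outside this hunk). If the intent is that `correct_des3_mic` wins whenever both lists match — which is what the call order produces — say so where the two calls are made, e.g. `/* correct_des3_mic is consulted last, so it overrides broken_des3_mic */`. The gssapi.3 text in this commit describes the same precedence but names `correct_des3_mic` on both sides of the "in both" sentence, where the first should be `broken_des3_mic`.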
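Review bot: `gssapi_lifetime_left` takes `lifetime` as `OM_uint32` while the context stores it as `time_t lifetime` (gssapi.h in this commit) and the callers pass `cred->times.endtime`, so the endtime is truncated to 32 bits on the way in, and `lifetime < timeret` then compares an unsigned value with `krb5_timestamp`; if that type is signed, a negative clock reading would be treated as a very large one. A comment stating the contract, e.g. `/* lifetime is an absolute endtime (time_t narrowed to OM_uint32); returns seconds left, 0 once expired */`, plus a check that `timeret` is non-negative before the comparison, would pin this down. `GSS_C_INDEFINITE` is not special-cased, so a context carrying that value would be reported with a finite remaining time rather than as indefinite; if that is acceptable it should at least be documented.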
@@ -42,26 +66,20 @@ OM_uint32 gss_context_time ) { OM_uint32 lifetime; - OM_uint32 ret; - krb5_error_code kret; - krb5_timestamp timeret; + OM_uint32 major_status; GSSAPI_KRB5_INIT (); - ret = gss_inquire_context(minor_status, context_handle, - NULL, NULL, &lifetime, NULL, NULL, NULL, NULL); - if (ret) { - return ret; - } + lifetime = context_handle->lifetime; - kret = krb5_timeofday(gssapi_krb5_context, &timeret); - if (kret) { - *minor_status = kret; - gssapi_krb5_set_error_string (); - return GSS_S_FAILURE; - } + major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec); + if (major_status != GSS_S_COMPLETE) + return major_status; - *time_rec = lifetime - timeret; *minor_status = 0; + + if (*time_rec == 0) + return GSS_S_CONTEXT_EXPIRED; + return GSS_S_COMPLETE; } diff --git a/lib/gssapi/decapsulate.c b/lib/gssapi/decapsulate.c index 949280cbc..d96f35fe5 100644 --- a/lib/gssapi/decapsulate.c +++ b/lib/gssapi/decapsulate.c 
@@ -73,6 +73,56 @@ gssapi_krb5_verify_header(u_char **str, return GSS_S_COMPLETE; } +static ssize_t +gssapi_krb5_get_mech (const u_char *ptr, + size_t total_len, + const u_char **mech_ret) +{ + size_t len, len_len, mech_len, foo; + const u_char *p = ptr; + int e; + + if (total_len < 1) + return -1; + if (*p++ != 0x60) + return -1; + e = der_get_length (p, total_len - 1, &len, &len_len); + if (e || 1 + len_len + len != total_len) + return -1; + p += len_len; + if (*p++ != 0x06) + return -1; + e = der_get_length (p, total_len - 1 - len_len - 1, + &mech_len, &foo); + if (e) + return -1; + p += foo; + *mech_ret = p; + return mech_len; +} + +OM_uint32 +_gssapi_verify_mech_header(u_char **str, + size_t total_len) +{ + const u_char *p; + ssize_t mech_len; + + mech_len = gssapi_krb5_get_mech (*str, total_len, &p); + if (mech_len < 0) + return GSS_S_DEFECTIVE_TOKEN; + + if (mech_len != GSS_KRB5_MECHANISM->length) + return GSS_S_BAD_MECH; + if (memcmp(p, + GSS_KRB5_MECHANISM->elements, + GSS_KRB5_MECHANISM->length) != 0) + return GSS_S_BAD_MECH; + p += mech_len; + *str = (char *)p; + return GSS_S_COMPLETE; +} + /* * Remove the GSS-API wrapping from `in_token' giving `out_data. * Does not copy data, so just free `in_token'. @@ -103,3 +153,32 @@ gssapi_krb5_decapsulate( out_data->data = p; return GSS_S_COMPLETE; } + +/* + * Verify padding of a gss wrapped message and return its length. + */ + +OM_uint32 +_gssapi_verify_pad(gss_buffer_t wrapped_token, + size_t datalen, + size_t *padlen) +{ + u_char *pad; + size_t padlength; + int i; + + pad = (u_char *)wrapped_token->value + wrapped_token->length - 1; + padlength = *pad; + + if (padlength > datalen) + return GSS_S_BAD_MECH; + + for (i = padlength; i > 0 && *pad == padlength; i--, pad--) + ; + if (i != 0) + return GSS_S_BAD_MIC; + + *padlen = padlength; + + return 0; +} diff --git a/lib/gssapi/encapsulate.c b/lib/gssapi/encapsulate.c index 8f64fdd25..5744a9bc3 100644 --- a/lib/gssapi/encapsulate.c +++ b/lib/gssapi/encapsulate.c 
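Review bot: `gssapi_krb5_get_mech` checks that the outer length fits `total_len` but never checks that `mech_len` fits in the bytes remaining after the inner length octets, so `_gssapi_verify_mech_header`'s `memcmp` of `GSS_KRB5_MECHANISM->length` bytes can read past a token whose inner length claims more than is present; add after the second `der_get_length`, `if (e || foo + mech_len > len - 1) return -1;`. `len` itself can be 0, in which case the `*p++ != 0x06` read is already one byte past the end, so guard with `if (len < 2) return -1;` before it. `*str = (char *)p;` stores a `char *` through a `u_char **` and silently drops `const`; `*str = (u_char *)p;` says what is meant. Since `mech_len` is `size_t` but the function returns `ssize_t`, the bound above is also what keeps the return value from going negative for reasons other than a malformed token.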
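Review bot: `_gssapi_verify_pad` reads `wrapped_token->value + wrapped_token->length - 1` without checking `length > 0`, and accepts a pad byte of 0 (the loop runs zero times, `i` stays 0, `padlen` becomes 0) even though the wrap side in this commit always emits at least one pad byte of value 1; reject both with `if (wrapped_token->length == 0 || padlength == 0 || padlength > datalen) return GSS_S_DEFECTIVE_TOKEN;`. `GSS_S_BAD_MECH` is an odd status for a length problem when the hunk above uses `GSS_S_DEFECTIVE_TOKEN` for malformed tokens. The header comment should state the contract, e.g. `/* Checks the trailing PKCS-style padding: the last byte gives the pad length and every pad byte must equal it; on success *padlen is the number of bytes to strip. */`.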
@@ -72,6 +72,26 @@ gssapi_krb5_make_header (u_char *p, return p; } +u_char * +_gssapi_make_mech_header(u_char *p, + size_t len) +{ + int e; + size_t len_len, foo; + + *p++ = 0x60; + len_len = length_len(len); + e = der_put_length (p + len_len - 1, len_len, len, &foo); + if(e || foo != len_len) + abort (); + p += len_len; + *p++ = 0x06; + *p++ = GSS_KRB5_MECHANISM->length; + memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length); + p += GSS_KRB5_MECHANISM->length; + return p; +} + /* * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings. */ diff --git a/lib/gssapi/get_mic.c b/lib/gssapi/get_mic.c index bdf935e65..33acc6e64 100644 --- a/lib/gssapi/get_mic.c +++ b/lib/gssapi/get_mic.c @@ -281,6 +281,10 @@ OM_uint32 gss_get_mic ret = mic_des3 (minor_status, context_handle, qop_req, message_buffer, message_token, key); break; + case KEYTYPE_ARCFOUR: + ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req, + message_buffer, message_token, key); + break; default : *minor_status = KRB5_PROG_ETYPE_NOSUPP; ret = GSS_S_FAILURE; diff --git a/lib/gssapi/gss_acquire_cred.3 b/lib/gssapi/gss_acquire_cred.3 index fb407dd42..8b08a6abe 100644 --- a/lib/gssapi/gss_acquire_cred.3 +++ b/lib/gssapi/gss_acquire_cred.3 @@ -60,6 +60,7 @@ .Nm gss_inquire_mechs_for_name , .Nm gss_inquire_names_for_mech , .Nm gss_krb5_copy_ccache , +.Nm gss_krb5_compat_des3_mic , .Nm gss_process_context_token , .Nm gss_release_buffer , .Nm gss_release_cred , @@ -257,6 +258,12 @@ GSS-API library (libgssapi, -lgssapi) .Fa "krb5_ccache out" .Fc .Ft OM_uint32 +.Fo gss_krb5_compat_des3_mic +.Fa "OM_uint32 * minor_status" +.Fa "gss_ctx_id_t context_handle" +.Fa "int onoff" +.Fc +.Ft OM_uint32 .Fo gss_process_context_token .Fc .Ft OM_uint32 
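Review bot: `_gssapi_make_mech_header` calls `abort()` when `der_put_length` disagrees with `length_len(len)`, which takes the whole process down from inside a library on a size mismatch. The callers in arcfour.c size their buffers via `gssapi_krb5_encap_length`, so the condition should be unreachable, and a comment saying so — `/* length_len() and der_put_length() must agree; callers size the buffer with gssapi_krb5_encap_length */` — would make the abort an explicit invariant rather than a surprise. Returning NULL and letting callers fail with `GSS_S_FAILURE` would be the safer contract, but no caller in this commit checks for it, so that is a larger change.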
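Review bot: The new `case KEYTYPE_ARCFOUR:` in gss_get_mic does not cover `KEYTYPE_ARCFOUR_56`, although `arcfour_mic_key` in arcfour.c (this commit) has a dedicated branch for that key type, so 56-bit ARCFOUR sessions would still fall through to `KRB5_PROG_ETYPE_NOSUPP` here unless the two enum values coincide. If the 56-bit variant is meant to be usable, add `case KEYTYPE_ARCFOUR_56:` above the ARCFOUR case. The matching dispatch in verify_mic, wrap and unwrap is not in this chunk and should carry the same case list.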
@@ -437,6 +444,20 @@ the initiator to the acceptor when using token delegation in the Kerberos mechanism. The acceptor receives the delegated token in the last argument to .Fn gss_accept_sec_context . +.Pp +.Nm gss_krb5_compat_des3_mic +turns on or off the compatibly with older version of Heimdal using +des3 get and verify mic, this is way to programmatically set the +[gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see +COMPATIBILITY section in +.Xr gssapi 3 ) . +If the CPP symbol +.Dv GSS_C_KRB5_COMPAT_DES3_MIC +is present, +.Nm gss_krb5_compat_des3_mic +exists. +.Nm gss_krb5_compat_des3_mic +will be removed in a later version of the GSS-API library. .Sh SEE ALSO .Xr krb5 3 , .Xr krb5_ccache 3 , diff --git a/lib/gssapi/gssapi.3 b/lib/gssapi/gssapi.3 index 9cfe7586d..261fa18ee 100644 --- a/lib/gssapi/gssapi.3 +++ b/lib/gssapi/gssapi.3 
@@ -106,21 +106,46 @@ implementations when using .Fn gss_get_mic / .Fn gss_verify_mic . +Its possible to modify the behavior of the generator of the MIC with +the +.Pa krb5.conf +configuration file so that old clients/servers will still +work. +.Pp +New clients/servers will try both the old and new MIC in Heimdal 0.6. +In 0.7 it will check only if configured and the compatibility code +will be removed in 0.8. +.Pp +Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, +this will change in 0.7 to generate correct des3 mic. .Pp To turn on compatibility with older clients and servers, change the .Nm [gssapi] -.Ar broken_3des_mic +.Ar broken_des3_mic in .Pa krb5.conf that contains a list of globbing expressions that will be matched against the server name. +To turn off generation of the old (incompatible) mic of the MIC use +.Nm [gssapi] +.Ar correct_des3_mic . +.Pp +If a match for a entry is in both +.Nm [gssapi] +.Ar correct_des3_mic +and +.Nm [gssapi] +.Ar correct_des3_mic , +the later will override. +.Pp This config option modifies behaviour for both clients and servers. .Pp Example: .Bd -literal -offset indent [gssapi] - broken_3des_mic = cvs/*@SU.SE - broken_3des_mic = host/*@SU.SE afs/*@SU.SE + broken_des3_mic = cvs/*@SU.SE + broken_des3_mic = host/*@E.KTH.SE + correct_des3_mic = host/*@SU.SE .Ed .Sh BUGS All of 0.5.x versions of diff --git a/lib/gssapi/gssapi.h b/lib/gssapi/gssapi.h index d95750ba3..493565163 100644 --- a/lib/gssapi/gssapi.h +++ b/lib/gssapi/gssapi.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -67,7 +67,8 @@ typedef struct gss_ctx_id_t_desc_struct { struct krb5_auth_context_data *auth_context; gss_name_t source, target; OM_uint32 flags; - enum { LOCAL = 1, OPEN = 2, COMPAT_OLD_DES3 = 4 } more_flags; + enum { LOCAL = 1, OPEN = 2, + COMPAT_OLD_DES3 = 4, COMPAT_OLD_DES3_SELECTED = 8 } more_flags; struct krb5_ticket *ticket; time_t lifetime; } gss_ctx_id_t_desc; @@ -212,6 +213,10 @@ typedef OM_uint32 gss_qop_t; */ #define GSS_C_INDEFINITE 0xfffffffful +#ifdef __cplusplus +extern "C" { +#endif + /* * The implementation must reserve static storage for a * gss_OID_desc object containing the value @@ -771,4 +776,13 @@ OM_uint32 gss_krb5_copy_ccache gss_cred_id_t /*cred*/, struct krb5_ccache_data */*out*/); +#define GSS_C_KRB5_COMPAT_DES3_MIC 1 + +OM_uint32 +gss_krb5_compat_des3_mic(OM_uint32 *, gss_ctx_id_t, int); + +#ifdef __cplusplus +} +#endif + #endif /* GSSAPI_H_ */ diff --git a/lib/gssapi/gssapi_locl.h b/lib/gssapi/gssapi_locl.h index 3cf709618..fbfa94930 100644 --- a/lib/gssapi/gssapi_locl.h +++ b/lib/gssapi/gssapi_locl.h @@ -44,6 +44,8 @@ #include #include +#include "arcfour.h" + extern krb5_context gssapi_krb5_context; extern krb5_keytab gssapi_krb5_keytab; @@ -81,6 +83,10 @@ gssapi_krb5_encapsulate( gss_buffer_t output_token, u_char *type); +u_char * +_gssapi_make_mech_header(u_char *p, + size_t len); + OM_uint32 gssapi_krb5_decapsulate( OM_uint32 *minor_status, @@ -103,6 +109,14 @@ gssapi_krb5_verify_header(u_char **str, size_t total_len, char *type); + +OM_uint32 +_gssapi_verify_mech_header(u_char **str, + size_t total_len); + +OM_uint32 +_gssapi_verify_pad(gss_buffer_t, size_t, size_t *); + OM_uint32 gss_verify_mic_internal(OM_uint32 * minor_status, const gss_ctx_id_t context_handle, 
@@ -145,4 +159,21 @@ gssapi_krb5_get_error_string (void); OM_uint32 _gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx); +OM_uint32 +gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *); + +/* 8003 */ + +krb5_error_code +gssapi_encode_om_uint32(OM_uint32, u_char *); + +krb5_error_code +gssapi_encode_be_om_uint32(OM_uint32, u_char *); + +krb5_error_code +gssapi_decode_om_uint32(u_char *, OM_uint32 *); + +krb5_error_code +gssapi_decode_be_om_uint32(u_char *, OM_uint32 *); + #endif diff --git a/lib/gssapi/init_sec_context.c b/lib/gssapi/init_sec_context.c index efd5ae9c4..88392706c 100644 --- a/lib/gssapi/init_sec_context.c +++ b/lib/gssapi/init_sec_context.c @@ -193,6 +193,7 @@ init_auth Checksum cksum; krb5_enctype enctype; krb5_data fwd_data; + OM_uint32 lifetime_rec; krb5_data_zero(&outbuf); krb5_data_zero(&fwd_data); @@ -292,7 +293,7 @@ init_auth } else this_cred.times.endtime = 0; this_cred.session.keytype = 0; - + kret = krb5_get_credentials (gssapi_krb5_context, KRB5_TC_MATCH_KEYTYPE, ccache, @@ -308,10 +309,23 @@ init_auth (*context_handle)->lifetime = cred->times.endtime; + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + &lifetime_rec); + if (ret) { + goto failure; + } + + if (lifetime_rec == 0) { + *minor_status = 0; + ret = GSS_S_CONTEXT_EXPIRED; + goto failure; + } + krb5_auth_con_setkey(gssapi_krb5_context, (*context_handle)->auth_context, &cred->session); - + kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, (*context_handle)->auth_context, &cred->session); @@ -321,13 +335,13 @@ init_auth ret = GSS_S_FAILURE; goto failure; } - + flags = 0; ap_options = 0; if (req_flags & GSS_C_DELEG_FLAG) do_delegation ((*context_handle)->auth_context, ccache, cred, target_name, &fwd_data, &flags); - + if (req_flags & GSS_C_MUTUAL_FLAG) { flags |= GSS_C_MUTUAL_FLAG; ap_options |= AP_OPTS_MUTUAL_REQUIRED; 
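Review bot: The new prototypes take `u_char *` and `OM_uint32 *`, but arcfour.c in this commit calls `gssapi_decode_be_om_uint32(SND_SEQ, &seq_number)` with `char SND_SEQ[8]` and `int32_t seq_number`, and `gssapi_encode_be_om_uint32(seq_number, p)` with an `int32_t`; the pointer mismatches are compiler warnings today and a sign problem if the sequence number ever crosses 2^31. Declare the arcfour.c locals as `u_char` and `OM_uint32` (or cast at the call sites) so they agree with these declarations. The bare `/* 8003 */` section marker would be clearer as `/* helpers for the 0x8003 checksum encoding (presumably implemented in 8003.c) */` if that is indeed where they live.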
@@ -413,7 +427,7 @@ init_auth return GSS_S_CONTINUE_NEEDED; } else { if (time_rec) - *time_rec = (*context_handle)->lifetime; + *time_rec = lifetime_rec; (*context_handle)->more_flags |= OPEN; return GSS_S_COMPLETE; @@ -479,16 +493,21 @@ repl_mutual } krb5_free_ap_rep_enc_part (gssapi_krb5_context, repl); - - (*context_handle)->more_flags |= OPEN; - if (time_rec) - *time_rec = (*context_handle)->lifetime; + (*context_handle)->more_flags |= OPEN; + + *minor_status = 0; + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + time_rec); + } else { + ret = GSS_S_COMPLETE; + } if (ret_flags) *ret_flags = (*context_handle)->flags; - *minor_status = 0; - return GSS_S_COMPLETE; + return ret; } /* diff --git a/lib/gssapi/krb5/8003.c b/lib/gssapi/krb5/8003.c deleted file mode 100644 index e225bb021..000000000 --- a/lib/gssapi/krb5/8003.c +++ /dev/null 
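Review bot: In the `@@ -479,16 +493,21 @@` hunk of repl_mutual, `(*context_handle)->more_flags |= OPEN;` is now executed before `gssapi_lifetime_left` is called, so when that call fails the function returns an error with the context already marked OPEN and `*ret_flags` filled in, and when the caller passes no `time_rec` the lifetime is not consulted at all. This also diverges from init_auth in the previous hunks, which turns a remaining lifetime of 0 into GSS_S_CONTEXT_EXPIRED before opening the context; the mutual-authentication path should reject an already-expired context the same way instead of handing it back as established. Suggest computing the remaining lifetime into a local first (with `OM_uint32 lifetime_rec;` declared at the top of repl_mutual, outside this hunk), failing on error or zero, and only then setting OPEN and copying the value to `*time_rec`; the early returns assume nothing else needs releasing at this point, which the hunk does not show, so a `goto` to an existing cleanup label may be the right form. repl_mutual's body begins outside the hunk.
```c
    krb5_free_ap_rep_enc_part (gssapi_krb5_context, repl);

    /* Establish the remaining lifetime before marking the context open,
     * so an expired or unreadable lifetime never leaves OPEN set. */
    *minor_status = 0;
    ret = gssapi_lifetime_left(minor_status,
                               (*context_handle)->lifetime,
                               &lifetime_rec);
    if (ret)
        return ret;
    if (lifetime_rec == 0) {
        *minor_status = 0;
        return GSS_S_CONTEXT_EXPIRED;
    }

    (*context_handle)->more_flags |= OPEN;

    if (time_rec)
        *time_rec = lifetime_rec;
    if (ret_flags)
        *ret_flags = (*context_handle)->flags;
    return GSS_S_COMPLETE;
}
```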
@@ -1,234 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static krb5_error_code -encode_om_uint32(OM_uint32 n, u_char *p) -{ - p[0] = (n >> 0) & 0xFF; - p[1] = (n >> 8) & 0xFF; - p[2] = (n >> 16) & 0xFF; - p[3] = (n >> 24) & 0xFF; - return 0; -} - -static krb5_error_code -decode_om_uint32(u_char *p, OM_uint32 *n) -{ - *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); - return 0; -} - -static krb5_error_code -hash_input_chan_bindings (const gss_channel_bindings_t b, - u_char *p) -{ - u_char num[4]; - MD5_CTX md5; - - MD5_Init(&md5); - encode_om_uint32 (b->initiator_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); - encode_om_uint32 (b->initiator_address.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->initiator_address.length) - MD5_Update (&md5, - b->initiator_address.value, - b->initiator_address.length); - encode_om_uint32 (b->acceptor_addrtype, num); - MD5_Update (&md5, num, sizeof(num)); - encode_om_uint32 (b->acceptor_address.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->acceptor_address.length) - MD5_Update (&md5, - b->acceptor_address.value, - b->acceptor_address.length); - encode_om_uint32 (b->application_data.length, num); - MD5_Update (&md5, num, sizeof(num)); - if (b->application_data.length) - MD5_Update (&md5, - b->application_data.value, - b->application_data.length); - MD5_Final (p, &md5); - return 0; -} - -/* - * create a checksum over the chanel bindings in - * `input_chan_bindings', `flags' and `fwd_data' and return it in - * `result' - */ - -OM_uint32 -gssapi_krb5_create_8003_checksum ( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - OM_uint32 flags, - const krb5_data *fwd_data, - Checksum *result) -{ - u_char *p; - - /* - * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value - * field's format) */ - result->cksumtype = 0x8003; - if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) - result->checksum.length = 24 + 4 + fwd_data->length; - else - 
result->checksum.length = 24; - result->checksum.data = malloc (result->checksum.length); - if (result->checksum.data == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = result->checksum.data; - encode_om_uint32 (16, p); - p += 4; - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) { - memset (p, 0, 16); - } else { - hash_input_chan_bindings (input_chan_bindings, p); - } - p += 16; - encode_om_uint32 (flags, p); - p += 4; - - if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) { -#if 0 - u_char *tmp; - - result->checksum.length = 28 + fwd_data->length; - tmp = realloc(result->checksum.data, result->checksum.length); - if (tmp == NULL) - return ENOMEM; - result->checksum.data = tmp; - - p = (u_char*)result->checksum.data + 24; -#endif - *p++ = (1 >> 0) & 0xFF; /* DlgOpt */ /* == 1 */ - *p++ = (1 >> 8) & 0xFF; /* DlgOpt */ /* == 0 */ - *p++ = (fwd_data->length >> 0) & 0xFF; /* Dlgth */ - *p++ = (fwd_data->length >> 8) & 0xFF; /* Dlgth */ - memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length); - - p += fwd_data->length; - } - - return GSS_S_COMPLETE; -} - -/* - * verify the checksum in `cksum' over `input_chan_bindings' - * returning `flags' and `fwd_data' - */ - -OM_uint32 -gssapi_krb5_verify_8003_checksum( - OM_uint32 *minor_status, - const gss_channel_bindings_t input_chan_bindings, - const Checksum *cksum, - OM_uint32 *flags, - krb5_data *fwd_data) -{ - unsigned char hash[16]; - unsigned char *p; - OM_uint32 length; - int DlgOpt; - static unsigned char zeros[16]; - - /* XXX should handle checksums > 24 bytes */ - if(cksum->cksumtype != 0x8003 || cksum->checksum.length < 24) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - p = cksum->checksum.data; - decode_om_uint32(p, &length); - if(length != sizeof(hash)) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - p += 4; - - if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS - && memcmp(p, zeros, sizeof(zeros)) != 0) { - 
if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - if(memcmp(hash, p, sizeof(hash)) != 0) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - } - - p += sizeof(hash); - - decode_om_uint32(p, flags); - p += 4; - - if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) { - if(cksum->checksum.length < 28) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - DlgOpt = (p[0] << 0) | (p[1] << 8); - p += 2; - if (DlgOpt != 1) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - - fwd_data->length = (p[0] << 0) | (p[1] << 8); - p += 2; - if(cksum->checksum.length < 28 + fwd_data->length) { - *minor_status = 0; - return GSS_S_BAD_BINDINGS; - } - fwd_data->data = malloc(fwd_data->length); - if (fwd_data->data == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(fwd_data->data, p, fwd_data->length); - } - - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/ChangeLog b/lib/gssapi/krb5/ChangeLog deleted file mode 100644 index e6c3a282b..000000000 --- a/lib/gssapi/krb5/ChangeLog +++ /dev/null 
@@ -1,578 +0,0 @@ -2003-04-16 Love Hörnquist Åstrand - - * gssapi.3: spelling - - * gss_acquire_cred.3: Change .Fd #include to .In - header.h, from Thomas Klausner - - -2003-04-06 Love Hörnquist Åstrand - - * gss_acquire_cred.3: spelling - - * Makefile.am: remove stuff that sneaked in with last commit - - * acquire_cred.c (acquire_initiator_cred): if the requested name - isn't in the ccache, also check keytab. Extact the krbtgt for the - default realm to check how long the credentials will last. - - * add_cred.c (gss_add_cred): don't create a new ccache, just open - the old one; better check if output handle is compatible with new - (copied) handle - - * test_acquire_cred.c: test gss_add_cred too - -2003-04-03 Love Hörnquist Åstrand - - * Makefile.am: build test_acquire_cred - - * test_acquire_cred.c: simple gss_acquire_cred test - -2003-04-02 Love Hörnquist Åstrand - - * gss_acquire_cred.3: s/gssapi/GSS-API/ - -2003-03-19 Love Hörnquist Åstrand - - * gss_acquire_cred.3: document v1 interface (and that they are - obsolete) - -2003-03-18 Love Hörnquist Åstrand - - * gss_acquire_cred.3: list supported mechanism and nametypes - -2003-03-16 Love Hörnquist Åstrand - - * gss_acquire_cred.3: text about gss_display_name - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2 - (libgssapi_la_SOURCES): add all new functions - - * gssapi.3: now that we have a functions, uncomment the missing - ones - - * gss_acquire_cred.3: now that we have a functions, uncomment the - missing ones - - * process_context_token.c: implement gss_process_context_token - - * inquire_names_for_mech.c: implement gss_inquire_names_for_mech - - * inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name - - * inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech - - * add_cred.c: implement gss_add_cred - - * acquire_cred.c (gss_acquire_cred): more testing of input - argument, make sure output arguments are ok, since we don't know - the time_rec (for now), set it to time_req - - * 
export_sec_context.c: send lifetime, also set minor_status - - * get_mic.c: set minor_status - - * import_sec_context.c (gss_import_sec_context): add error - checking, pick up lifetime (if there is no lifetime, use - GSS_C_INDEFINITE) - - * init_sec_context.c: take care to set export value to something - sane before we start so caller will have harmless values in them - if then function fails - - * release_buffer.c (gss_release_buffer): set minor_status - - * wrap.c: make sure minor_status get set - - * verify_mic.c (gss_verify_mic_internal): rename verify_mic to - gss_verify_mic_internal and let it take the type as an argument, - (gss_verify_mic): call gss_verify_mic_internal - set minor_status - - * unwrap.c: set minor_status - - * test_oid_set_member.c (gss_test_oid_set_member): use - gss_oid_equal - - * release_oid_set.c (gss_release_oid_set): set minor_status - - * release_name.c (gss_release_name): set minor_status - - * release_cred.c (gss_release_cred): set minor_status - - * add_oid_set_member.c (gss_add_oid_set_member): set minor_status - - * compare_name.c (gss_compare_name): set minor_status - - * compat.c (check_compat): make sure ret have a defined value - - * context_time.c (gss_context_time): set minor_status - - * copy_ccache.c (gss_krb5_copy_ccache): set minor_status - - * create_emtpy_oid_set.c (gss_create_empty_oid_set): set - minor_status - - * delete_sec_context.c (gss_delete_sec_context): set minor_status - - * display_name.c (gss_display_name): set minor_status - - * display_status.c (gss_display_status): use gss_oid_equal, handle - supplementary errors - - * duplicate_name.c (gss_duplicate_name): set minor_status - - * inquire_context.c (gss_inquire_context): set lifetime_rec now - when we know it, set minor_status - - * inquire_cred.c (gss_inquire_cred): take care to set export value - to something sane before we start so caller will have harmless - values in them if the function fails - - * accept_sec_context.c (gss_accept_sec_context): 
take care to set - export value to something sane before we start so caller will have - harmless values in them if then function fails, set lifetime from - ticket expiration date - - * indicate_mechs.c (gss_indicate_mechs): use - gss_create_empty_oid_set and gss_add_oid_set_member - - * gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred, - since there is no ticket transfered in the exported context - - * export_name.c (gss_export_name): export name with - GSS_C_NT_EXPORT_NAME wrapping, not just the principal - - * import_name.c (import_export_name): new function, parses a - GSS_C_NT_EXPORT_NAME - (import_krb5_name): factor out common code of parsing krb5 name - (gss_oid_equal): rename from oid_equal - - * gssapi_locl.h: add prototypes for gss_oid_equal and - gss_verify_mic_internal - - * gssapi.h: comment out the argument names - -2003-03-15 Love Hörnquist Åstrand - - * gssapi.3: add LIST OF FUNCTIONS and copyright/license - - * Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/ - - * Makefile.am: man_MANS += gss_aquire_cred.3 - -2003-03-14 Love Hörnquist Åstrand - - * gss_aquire_cred.3: the gssapi api manpage - -2003-03-03 Love Hörnquist Åstrand - - * inquire_context.c: (gss_inquire_context): rename argument open - to open_context - - * gssapi.h (gss_inquire_context): rename argument open to open_context - -2003-02-27 Love Hörnquist Åstrand - - * init_sec_context.c (do_delegation): remove unused variable - subkey - - * gssapi.3: all 0.5.x version had broken token delegation - -2003-02-21 Love Hörnquist Åstrand - - * (init_auth): only generate one subkey - -2003-01-27 Love Hörnquist Åstrand - - * verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform - to rfc (and mit kerberos), provide backward compat hook - - * get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and - mit kerberos), provide backward compat hook - - * init_sec_context.c (init_auth): check if we need compat for - older get_mic/verify_mic - - * gssapi_locl.h: add prototype 
for _gss_DES3_get_mic_compat - - * gssapi.h (more_flags): add COMPAT_OLD_DES3 - - * Makefile.am: add gssapi.3 and compat.c - - * gssapi.3: add gssapi COMPATIBILITY documentation - - * accept_sec_context.c (gss_accept_sec_context): check if we need - compat for older get_mic/verify_mic - - * compat.c: check for compatiblity with other heimdal's 3des - get_mic/verify_mic - -2002-10-31 Johan Danielsson - - * check return value from gssapi_krb5_init - - * 8003.c (gssapi_krb5_verify_8003_checksum): check size of input - -2002-09-03 Johan Danielsson - - * wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE - - * unwrap.c (unwrap_des3): use ETYPE_DES3_CBC_NONE - -2002-09-02 Johan Danielsson - - * init_sec_context.c: we need to generate a local subkey here - -2002-08-20 Jacques Vidrine - - * acquire_cred.c, inquire_cred.c, release_cred.c: Use default - credential resolution if gss_acquire_cred is called with - GSS_C_NO_NAME. - -2002-06-20 Jacques Vidrine - - * import_name.c: Compare name types by value if pointers do - not match. Reported by: "Douglas E. Engert" - -2002-05-20 Jacques Vidrine - - * verify_mic.c (gss_verify_mic), unwrap.c (gss_unwrap): initialize - the qop_state parameter. from Doug Rabson - -2002-05-09 Jacques Vidrine - - * acquire_cred.c: handle GSS_C_INITIATE/GSS_C_ACCEPT/GSS_C_BOTH - -2002-05-08 Jacques Vidrine - - * acquire_cred.c: initialize gssapi; handle null desired_name - -2002-03-22 Johan Danielsson - - * Makefile.am: remove non-functional stuff accidentally committed - -2002-03-11 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:5:2 - * 8003.c (gssapi_krb5_verify_8003_checksum): handle zero channel - bindings - -2001-10-31 Jacques Vidrine - - * get_mic.c (mic_des3): MIC computation using DES3/SHA1 - was bogusly appending the message buffer to the result, - overwriting a heap buffer in the process. 
- -2001-08-29 Assar Westerlund - - * 8003.c (gssapi_krb5_verify_8003_checksum, - gssapi_krb5_create_8003_checksum): make more consistent by always - returning an gssapi error and setting minor status. update - callers - -2001-08-28 Jacques Vidrine - - * accept_sec_context.c: Create a cache for delegated credentials - when needed. - -2001-08-28 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2 - -2001-08-23 Assar Westerlund - - * *.c: handle minor_status more consistently - - * display_status.c (gss_display_status): handle krb5_get_err_text - failing - -2001-08-15 Johan Danielsson - - * gssapi_locl.h: fix prototype for gssapi_krb5_init - -2001-08-13 Johan Danielsson - - * accept_sec_context.c (gsskrb5_register_acceptor_identity): init - context and check return value from kt_resolve - - * init.c: return error code - -2001-07-19 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2 - -2001-07-12 Assar Westerlund - - * Makefile.am (libgssapi_la_LIBADD): add required library - dependencies - -2001-07-06 Assar Westerlund - - * accept_sec_context.c (gsskrb5_register_acceptor_identity): set - the keytab to be used for gss_acquire_cred too' - -2001-07-03 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2 - -2001-06-18 Assar Westerlund - - * wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey - and gss_krb5_get_remotekey - * verify_mic.c: update krb5_auth_con function names use - gss_krb5_get_remotekey - * unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey - and gss_krb5_get_remotekey - * gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey): - add prototypes - * get_mic.c: update krb5_auth_con function names. 
use - gss_krb5_get_localkey - * accept_sec_context.c: update krb5_auth_con function names - -2001-05-17 Assar Westerlund - - * Makefile.am: bump version to 3:1:2 - -2001-05-14 Assar Westerlund - - * address_to_krb5addr.c: adapt to new address functions - -2001-05-11 Assar Westerlund - - * try to return the error string from libkrb5 where applicable - -2001-05-08 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): remember to free - the memory used by the ticket itself. from - -2001-05-04 Assar Westerlund - - * gssapi_locl.h: add config.h for completeness - * gssapi.h: remove config.h, this is an installed header file - sys/types.h is not needed either - -2001-03-12 Assar Westerlund - - * acquire_cred.c (gss_acquire_cred): remove memory leaks. from - Jason R Thorpe - -2001-02-18 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): either return - gss_name NULL-ed or set - - * import_name.c: set minor_status in some cases where it was not - done - -2001-02-15 Assar Westerlund - - * wrap.c: use krb5_generate_random_block for the confounders - -2001-01-30 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2 - * acquire_cred.c, init_sec_context.c, release_cred.c: add support - for getting creds from a keytab, from fvdl@netbsd.org - - * copy_ccache.c: add gss_krb5_copy_ccache - -2001-01-27 Assar Westerlund - - * get_mic.c: cast parameters to des function to non-const pointers - to handle the case where these functions actually take non-const - des_cblock * - -2001-01-09 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2 - instead of krb5_rd_cred - -2000-12-11 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1 - -2000-12-08 Assar Westerlund - - * wrap.c (wrap_des3): use the checksum as ivec when encrypting the - sequence number - * unwrap.c (unwrap_des3): use the checksum as ivec when encrypting - the sequence number - * init_sec_context.c (init_auth): 
always zero fwd_data - -2000-12-06 Johan Danielsson - - * accept_sec_context.c: de-pointerise auth_context parameter to - krb5_mk_rep - -2000-11-15 Assar Westerlund - - * init_sec_context.c (init_auth): update to new - krb5_build_authenticator - -2000-09-19 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1 - -2000-08-27 Assar Westerlund - - * init_sec_context.c: actually pay attention to `time_req' - * init_sec_context.c: re-organize. leak less memory. - * gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey): - update prototypes add assert.h - * gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD): - add - * verify_mic.c: re-organize and add 3DES code - * wrap.c: re-organize and add 3DES code - * unwrap.c: re-organize and add 3DES code - * get_mic.c: re-organize and add 3DES code - * encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data', - let the caller do that. fix the callers. - -2000-08-16 Assar Westerlund - - * Makefile.am: bump version to 2:1:1 - -2000-07-29 Assar Westerlund - - * decapsulate.c (gssapi_krb5_verify_header): sanity-check length - -2000-07-25 Johan Danielsson - - * Makefile.am: bump version to 2:0:1 - -2000-07-22 Assar Westerlund - - * gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other - details from rfc2744 - -2000-06-29 Assar Westerlund - - * address_to_krb5addr.c (gss_address_to_krb5addr): actually use - `int' instead of `sa_family_t' for the address family. - -2000-06-21 Assar Westerlund - - * add support for token delegation. From Daniel Kouril - and Miroslav Ruda - -2000-05-15 Assar Westerlund - - * Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1 - -2000-04-12 Assar Westerlund - - * release_oid_set.c (gss_release_oid_set): clear set for - robustness. From GOMBAS Gabor - * release_name.c (gss_release_name): reset input_name for - robustness. From GOMBAS Gabor - * release_buffer.c (gss_release_buffer): set value to NULL to be - more robust. 
From GOMBAS Gabor - * add_oid_set_member.c (gss_add_oid_set_member): actually check if - the oid is a member first. leave the oid_set unchanged if realloc - fails. - -2000-02-13 Assar Westerlund - - * Makefile.am: set version to 1:0:1 - -2000-02-12 Assar Westerlund - - * gssapi_locl.h: add flags for import/export - * import_sec_context.c (import_sec_context: add flags for what - fields are included. do not include the authenticator for now. - * export_sec_context.c (export_sec_context: add flags for what - fields are included. do not include the authenticator for now. - * accept_sec_context.c (gss_accept_sec_context): set target in - context_handle - -2000-02-11 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): set context to - GSS_C_NO_CONTEXT - - * Makefile.am: add {export,import}_sec_context.c - * export_sec_context.c: new file - * import_sec_context.c: new file - * accept_sec_context.c (gss_accept_sec_context): set trans flag - -2000-02-07 Assar Westerlund - - * Makefile.am: set version to 0:5:0 - -2000-01-26 Assar Westerlund - - * delete_sec_context.c (gss_delete_sec_context): handle a NULL - output_token - - * wrap.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * verify_mic.c: update to pseudo-standard APIs for md4,md5,sha. - some changes to libdes calls to make them more portable. - * unwrap.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * get_mic.c: update to pseudo-standard APIs for md4,md5,sha. some - changes to libdes calls to make them more portable. - * 8003.c: update to pseudo-standard APIs for md4,md5,sha. 
- -2000-01-06 Assar Westerlund - - * Makefile.am: set version to 0:4:0 - -1999-12-26 Assar Westerlund - - * accept_sec_context.c (gss_accept_sec_context): always set - `output_token' - * init_sec_context.c (init_auth): always initialize `output_token' - * delete_sec_context.c (gss_delete_sec_context): always set - `output_token' - -1999-12-06 Assar Westerlund - - * Makefile.am: bump version to 0:3:0 - -1999-10-20 Assar Westerlund - - * Makefile.am: set version to 0:2:0 - -1999-09-21 Assar Westerlund - - * init_sec_context.c (gss_init_sec_context): initialize `ticket' - - * gssapi.h (gss_ctx_id_t_desc): add ticket in here. ick. - - * delete_sec_context.c (gss_delete_sec_context): free ticket - - * accept_sec_context.c (gss_accept_sec_context): stove away - `krb5_ticket' in context so that ugly programs such as - gss_nt_server can get at it. uck. - -1999-09-20 Johan Danielsson - - * accept_sec_context.c: set minor_status - -1999-08-04 Assar Westerlund - - * display_status.c (calling_error, routine_error): right shift the - code to make it possible to index into the arrays - -1999-07-28 Assar Westerlund - - * gssapi.h (GSS_C_AF_INET6): add - - * import_name.c (import_hostbased_name): set minor_status - -1999-07-26 Assar Westerlund - - * Makefile.am: set version to 0:1:0 - -Wed Apr 7 14:05:15 1999 Johan Danielsson - - * display_status.c: set minor_status - - * init_sec_context.c: set minor_status - - * lib/gssapi/init.c: remove donep (check gssapi_krb5_context - directly) - diff --git a/lib/gssapi/krb5/Makefile.am b/lib/gssapi/krb5/Makefile.am deleted file mode 100644 index d1acbd4b7..000000000 --- a/lib/gssapi/krb5/Makefile.am +++ /dev/null 
@@ -1,65 +0,0 @@ -# $Id$ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += -I$(srcdir)/../krb5 $(INCLUDE_des) $(INCLUDE_krb4) - -lib_LTLIBRARIES = libgssapi.la -libgssapi_la_LDFLAGS = -version-info 3:6:2 -libgssapi_la_LIBADD = ../krb5/libkrb5.la $(LIB_des) ../asn1/libasn1.la ../roken/libroken.la - -man_MANS = gssapi.3 gss_acquire_cred.3 - -include_HEADERS = gssapi.h - -libgssapi_la_SOURCES = \ - 8003.c \ - accept_sec_context.c \ - acquire_cred.c \ - add_cred.c \ - add_oid_set_member.c \ - canonicalize_name.c \ - compare_name.c \ - compat.c \ - context_time.c \ - copy_ccache.c \ - create_emtpy_oid_set.c \ - decapsulate.c \ - delete_sec_context.c \ - display_name.c \ - display_status.c \ - duplicate_name.c \ - encapsulate.c \ - export_sec_context.c \ - export_name.c \ - external.c \ - get_mic.c \ - gssapi.h \ - gssapi_locl.h \ - import_name.c \ - import_sec_context.c \ - indicate_mechs.c \ - init.c \ - init_sec_context.c \ - inquire_context.c \ - inquire_cred.c \ - inquire_cred_by_mech.c \ - inquire_mechs_for_name.c \ - inquire_names_for_mech.c \ - release_buffer.c \ - release_cred.c \ - release_name.c \ - release_oid_set.c \ - process_context_token.c \ - test_oid_set_member.c \ - unwrap.c \ - v1.c \ - verify_mic.c \ - wrap.c \ - address_to_krb5addr.c - -noinst_PROGRAMS = test_acquire_cred - -test_acquire_cred_SOURCES = test_acquire_cred.c - -test_acquire_cred_LDADD = ./libgssapi.la diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c deleted file mode 100644 index 4b55acb21..000000000 --- a/lib/gssapi/krb5/accept_sec_context.c +++ /dev/null 
@@ -1,431 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -krb5_keytab gssapi_krb5_keytab; - -OM_uint32 -gsskrb5_register_acceptor_identity (const char *identity) -{ - krb5_error_code ret; - char *p; - - ret = gssapi_krb5_init(); - if(ret) - return GSS_S_FAILURE; - - if(gssapi_krb5_keytab != NULL) { - krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab); - gssapi_krb5_keytab = NULL; - } - asprintf(&p, "FILE:%s", identity); - if(p == NULL) - return GSS_S_FAILURE; - ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab); - free(p); - if(ret) - return GSS_S_FAILURE; - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_accept_sec_context - (OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - const gss_cred_id_t acceptor_cred_handle, - const gss_buffer_t input_token_buffer, - const gss_channel_bindings_t input_chan_bindings, - gss_name_t * src_name, - gss_OID * mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec, - gss_cred_id_t * delegated_cred_handle - ) -{ - krb5_error_code kret; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data indata; - krb5_flags ap_options; - OM_uint32 flags; - krb5_ticket *ticket = NULL; - krb5_keytab keytab = NULL; - krb5_data fwd_data; - OM_uint32 minor; - - GSSAPI_KRB5_INIT(); - - krb5_data_zero (&fwd_data); - output_token->length = 0; - output_token->value = NULL; - - if (src_name != NULL) - *src_name = NULL; - if (mech_type) - *mech_type = GSS_KRB5_MECHANISM; - - if (*context_handle == GSS_C_NO_CONTEXT) { - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == GSS_C_NO_CONTEXT) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - } - - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->ticket = NULL; - (*context_handle)->lifetime = GSS_C_INDEFINITE; - - kret = krb5_auth_con_init (gssapi_krb5_context, - 
&(*context_handle)->auth_context); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS - && input_chan_bindings->application_data.length == - 2 * sizeof((*context_handle)->auth_context->local_port) - ) { - - /* Port numbers are expected to be in application_data.value, - * initator's port first */ - - krb5_address initiator_addr, acceptor_addr; - - memset(&initiator_addr, 0, sizeof(initiator_addr)); - memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - - (*context_handle)->auth_context->remote_port = - *(int16_t *) input_chan_bindings->application_data.value; - - (*context_handle)->auth_context->local_port = - *((int16_t *) input_chan_bindings->application_data.value + 1); - - - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - (*context_handle)->auth_context->local_port, - &acceptor_addr); - if (kret) { - gssapi_krb5_set_error_string (); - ret = GSS_S_BAD_BINDINGS; - *minor_status = kret; - goto failure; - } - - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - (*context_handle)->auth_context->remote_port, - &initiator_addr); - if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - gssapi_krb5_set_error_string (); - ret = GSS_S_BAD_BINDINGS; - *minor_status = kret; - goto failure; - } - - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, - (*context_handle)->auth_context, - &acceptor_addr, /* local address */ - &initiator_addr); /* remote address */ - - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - -#if 0 - free(input_chan_bindings->application_data.value); - input_chan_bindings->application_data.value = NULL; - input_chan_bindings->application_data.length = 0; -#endif - - if (kret) { - gssapi_krb5_set_error_string (); - ret 
= GSS_S_BAD_BINDINGS; - *minor_status = kret; - goto failure; - } - } - - - - { - int32_t tmp; - - krb5_auth_con_getflags(gssapi_krb5_context, - (*context_handle)->auth_context, - &tmp); - tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE; - krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - tmp); - } - - ret = gssapi_krb5_decapsulate (minor_status, - input_token_buffer, - &indata, - "\x01\x00"); - if (ret) - goto failure; - - if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { - if (gssapi_krb5_keytab != NULL) { - keytab = gssapi_krb5_keytab; - } - } else if (acceptor_cred_handle->keytab != NULL) { - keytab = acceptor_cred_handle->keytab; - } - - kret = krb5_rd_req (gssapi_krb5_context, - &(*context_handle)->auth_context, - &indata, - (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL - : acceptor_cred_handle->principal, - keytab, - &ap_options, - &ticket); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->client, - &(*context_handle)->source); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->server, - &(*context_handle)->target); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) - goto failure; - - if (src_name != NULL) { - kret = krb5_copy_principal (gssapi_krb5_context, - ticket->client, - src_name); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } - } - - { - krb5_authenticator authenticator; - - kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, - (*context_handle)->auth_context, - &authenticator); - if(kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - 
gssapi_krb5_set_error_string ();
- goto failure;
- }
-
- ret = gssapi_krb5_verify_8003_checksum(minor_status,
- input_chan_bindings,
- authenticator->cksum,
- &flags,
- &fwd_data);
- krb5_free_authenticator(gssapi_krb5_context, &authenticator);
- if (ret)
- goto failure;
- }
-
- if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
-
- krb5_ccache ccache;
-
- if (delegated_cred_handle == NULL)
- /* XXX Create a new delegated_cred_handle? */
- kret = krb5_cc_default (gssapi_krb5_context, &ccache);
- else if (*delegated_cred_handle == NULL) {
- if ((*delegated_cred_handle =
- calloc(1, sizeof(**delegated_cred_handle))) == NULL) {
- ret = GSS_S_FAILURE;
- *minor_status = ENOMEM;
- krb5_set_error_string(gssapi_krb5_context, "out of memory");
- gssapi_krb5_set_error_string();
- goto failure;
- }
- if ((ret = gss_duplicate_name(minor_status, ticket->client,
- &(*delegated_cred_handle)->principal)) != 0) {
- flags &= ~GSS_C_DELEG_FLAG;
- free(*delegated_cred_handle);
- *delegated_cred_handle = NULL;
- goto end_fwd;
- }
- }
- if (delegated_cred_handle != NULL &&
- (*delegated_cred_handle)->ccache == NULL) {
- kret = krb5_cc_gen_new (gssapi_krb5_context,
- &krb5_mcc_ops,
- &(*delegated_cred_handle)->ccache);
- ccache = (*delegated_cred_handle)->ccache;
- }
- if (delegated_cred_handle != NULL &&
- (*delegated_cred_handle)->mechanisms == NULL) {
- ret = gss_create_empty_oid_set(minor_status,
- &(*delegated_cred_handle)->mechanisms);
- if (ret)
- goto failure;
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &(*delegated_cred_handle)->mechanisms);
- if (ret)
- goto failure;
- }
-
- if (kret) {
- flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
-
- kret = krb5_cc_initialize(gssapi_krb5_context,
- ccache,
- *src_name);
- if (kret) {
- flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
-
- kret = krb5_rd_cred2(gssapi_krb5_context,
- (*context_handle)->auth_context,
- ccache,
- &fwd_data);
- if (kret) {
- flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
-
-
end_fwd:
- free(fwd_data.data);
- }
-
-
- flags |= GSS_C_TRANS_FLAG;
-
- if (ret_flags)
- *ret_flags = flags;
- (*context_handle)->lifetime = ticket->ticket.endtime;
- (*context_handle)->flags = flags;
- (*context_handle)->more_flags |= OPEN;
-
- if (mech_type)
- *mech_type = GSS_KRB5_MECHANISM;
-
- if (time_rec)
- *time_rec = (*context_handle)->lifetime;
-
- if(flags & GSS_C_MUTUAL_FLAG) {
- krb5_data outbuf;
-
- kret = krb5_mk_rep (gssapi_krb5_context,
- (*context_handle)->auth_context,
- &outbuf);
- if (kret) {
- ret = GSS_S_FAILURE;
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- goto failure;
- }
- ret = gssapi_krb5_encapsulate (minor_status,
- &outbuf,
- output_token,
- "\x02\x00");
- krb5_data_free (&outbuf);
- if (ret)
- goto failure;
- } else {
- output_token->length = 0;
- output_token->value = NULL;
- }
-
- (*context_handle)->ticket = ticket;
- ticket = NULL;
-
-#if 0
- krb5_free_ticket (context, ticket);
-#endif
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-
- failure:
- if (fwd_data.length > 0)
- free(fwd_data.data);
- if (ticket != NULL)
- krb5_free_ticket (gssapi_krb5_context, ticket);
- krb5_auth_con_free (gssapi_krb5_context,
- (*context_handle)->auth_context);
- if((*context_handle)->source)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->source);
- if((*context_handle)->target)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->target);
- free (*context_handle);
- if (src_name != NULL) {
- gss_release_name (&minor, src_name);
- *src_name = NULL;
- }
- *context_handle = GSS_C_NO_CONTEXT;
- return ret;
-}
diff --git a/lib/gssapi/krb5/acquire_cred.c b/lib/gssapi/krb5/acquire_cred.c
deleted file mode 100644
index e8c28f6d3..000000000
--- a/lib/gssapi/krb5/acquire_cred.c
+++ /dev/null
@@ -1,303 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-static krb5_error_code
-get_keytab(krb5_keytab *keytab)
-{
- char kt_name[256];
- krb5_error_code kret;
-
- if (gssapi_krb5_keytab != NULL) {
- kret = krb5_kt_get_name(gssapi_krb5_context,
- gssapi_krb5_keytab,
- kt_name, sizeof(kt_name));
- if (kret == 0)
- kret = krb5_kt_resolve(gssapi_krb5_context, kt_name, keytab);
- } else
- kret = krb5_kt_default(gssapi_krb5_context, keytab);
- return (kret);
-}
-
-static OM_uint32 acquire_initiator_cred
- (OM_uint32 * minor_status,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- )
-{
- OM_uint32 ret;
- krb5_creds cred;
- krb5_principal def_princ;
- krb5_get_init_creds_opt opt;
- krb5_ccache ccache;
- krb5_keytab keytab;
- krb5_error_code kret;
-
- keytab = NULL;
- ccache = NULL;
- def_princ = NULL;
- ret = GSS_S_FAILURE;
- memset(&cred, 0, sizeof(cred));
-
- kret = krb5_cc_default(gssapi_krb5_context, &ccache);
- if (kret)
- goto end;
- kret = krb5_cc_get_principal(gssapi_krb5_context, ccache,
- &def_princ);
- if (kret != 0) {
- /* we'll try to use a keytab below */
- krb5_cc_destroy(gssapi_krb5_context, ccache);
- ccache = NULL;
- kret = 0;
- } else if (handle->principal == NULL) {
- kret = krb5_copy_principal(gssapi_krb5_context, def_princ,
- &handle->principal);
- if (kret)
- goto end;
- } else if (handle->principal != NULL &&
- krb5_principal_compare(gssapi_krb5_context, handle->principal,
- def_princ) == FALSE) {
- /* Before failing, lets check the keytab */
- krb5_free_principal(gssapi_krb5_context, def_princ);
- def_princ = NULL;
- }
- if (def_princ == NULL) {
- /* We have no existing credentials cache,
- * so attempt to get a TGT using a keytab.
- */
- if (handle->principal == NULL) {
- kret = krb5_get_default_principal(gssapi_krb5_context,
- &handle->principal);
- if (kret)
- goto end;
- }
- kret = get_keytab(&keytab);
- if (kret)
- goto end;
- krb5_get_init_creds_opt_init(&opt);
- kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
- handle->principal, keytab, 0, NULL, &opt);
- if (kret)
- goto end;
- kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
- &ccache);
- if (kret)
- goto end;
- kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
- if (kret)
- goto end;
- kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
- if (kret)
- goto end;
- handle->lifetime = cred.times.endtime;
- } else {
- krb5_creds in_cred, *out_cred;
- krb5_const_realm realm;
-
- memset(&in_cred, 0, sizeof(in_cred));
- in_cred.client = handle->principal;
-
- realm = krb5_principal_get_realm(gssapi_krb5_context,
- handle->principal);
- if (realm == NULL) {
- kret = KRB5_PRINC_NOMATCH; /* XXX */
- goto end;
- }
-
- kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server,
- realm, KRB5_TGS_NAME, realm, NULL);
- if (kret)
- goto end;
-
- kret = krb5_get_credentials(gssapi_krb5_context, 0,
- ccache, &in_cred, &out_cred);
- krb5_free_principal(gssapi_krb5_context, in_cred.server);
- if (kret)
- goto end;
-
- handle->lifetime = out_cred->times.endtime;
- krb5_free_creds(gssapi_krb5_context, out_cred);
- }
-
- handle->ccache = ccache;
- ret = GSS_S_COMPLETE;
-
-end:
- if (cred.client != NULL)
- krb5_free_creds_contents(gssapi_krb5_context, &cred);
- if (def_princ != NULL)
- krb5_free_principal(gssapi_krb5_context, def_princ);
- if (keytab != NULL)
- krb5_kt_close(gssapi_krb5_context, keytab);
- if (ret != GSS_S_COMPLETE) {
- if (ccache != NULL)
- krb5_cc_close(gssapi_krb5_context, ccache);
- if (kret != 0) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- }
- }
- return (ret);
-}
-
-static OM_uint32 acquire_acceptor_cred
- (OM_uint32 * minor_status,
- const gss_name_t
desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- )
-{
- OM_uint32 ret;
- krb5_error_code kret;
-
- kret = 0;
- ret = GSS_S_FAILURE;
- kret = get_keytab(&handle->keytab);
- if (kret)
- goto end;
- ret = GSS_S_COMPLETE;
-
-end:
- if (ret != GSS_S_COMPLETE) {
- if (handle->keytab != NULL)
- krb5_kt_close(gssapi_krb5_context, handle->keytab);
- if (kret != 0) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- }
- }
- return (ret);
-}
-
-OM_uint32 gss_acquire_cred
- (OM_uint32 * minor_status,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t * output_cred_handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- )
-{
- gss_cred_id_t handle;
- OM_uint32 ret;
-
- GSSAPI_KRB5_INIT ();
-
- *output_cred_handle = NULL;
- if (time_rec)
- *time_rec = 0;
- if (actual_mechs)
- *actual_mechs = GSS_C_NO_OID_SET;
-
- if (desired_mechs) {
- OM_uint32 present = 0;
-
- ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- desired_mechs, &present);
- if (ret)
- return ret;
- if (!present) {
- *minor_status = 0;
- return GSS_S_BAD_MECH;
- }
- }
-
- handle = (gss_cred_id_t)malloc(sizeof(*handle));
- if (handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = ENOMEM;
- return (GSS_S_FAILURE);
- }
-
- memset(handle, 0, sizeof (*handle));
-
- if (desired_name != GSS_C_NO_NAME) {
- ret = gss_duplicate_name(minor_status, desired_name,
- &handle->principal);
- if (ret != GSS_S_COMPLETE) {
- free(handle);
- return (ret);
- }
- }
- if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
- ret = acquire_initiator_cred(minor_status, desired_name, time_req,
- desired_mechs, cred_usage, handle, actual_mechs, time_rec);
- if (ret != GSS_S_COMPLETE) {
- free(handle);
- return (ret);
- }
- } else if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
- ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
- desired_mechs, cred_usage, handle, actual_mechs, time_rec);
- if (ret != GSS_S_COMPLETE) {
- free(handle);
- return (ret);
- }
- } else {
- free(handle);
- *minor_status = GSS_KRB5_S_G_BAD_USAGE;
- return GSS_S_FAILURE;
- }
- ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
- actual_mechs);
- if (ret != GSS_S_COMPLETE) {
- if (handle->mechanisms != NULL)
- gss_release_oid_set(NULL, &handle->mechanisms);
- free(handle);
- return (ret);
- }
- *minor_status = 0;
- if (time_rec)
- *time_rec = handle->lifetime;
- handle->usage = cred_usage;
- *output_cred_handle = handle;
- return (GSS_S_COMPLETE);
-}
diff --git a/lib/gssapi/krb5/add_cred.c b/lib/gssapi/krb5/add_cred.c
deleted file mode 100644
index b207415c2..000000000
--- a/lib/gssapi/krb5/add_cred.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_add_cred (
- OM_uint32 *minor_status,
- const gss_cred_id_t input_cred_handle,
- const gss_name_t desired_name,
- const gss_OID desired_mech,
- gss_cred_usage_t cred_usage,
- OM_uint32 initiator_time_req,
- OM_uint32 acceptor_time_req,
- gss_cred_id_t *output_cred_handle,
- gss_OID_set *actual_mechs,
- OM_uint32 *initiator_time_rec,
- OM_uint32 *acceptor_time_rec)
-{
- OM_uint32 ret, lifetime;
- gss_cred_id_t cred, handle;
-
- handle = NULL;
- cred = input_cred_handle;
-
- if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
- *minor_status = 0;
- return GSS_S_BAD_MECH;
- }
-
- if (cred == GSS_C_NO_CREDENTIAL && output_cred_handle == NULL) {
- *minor_status = 0;
- return GSS_S_NO_CRED;
- }
-
- /* check if requested output usage is compatible with output usage */
- if (output_cred_handle != NULL &&
- (cred->usage != cred_usage && cred->usage != GSS_C_BOTH)) {
- *minor_status = GSS_KRB5_S_G_BAD_USAGE;
- return(GSS_S_FAILURE);
- }
-
- /* check that we have the same name */
- if (desired_name != GSS_C_NO_NAME &&
- krb5_principal_compare(gssapi_krb5_context, desired_name,
- cred->principal) != FALSE) {
- *minor_status = 0;
- return GSS_S_BAD_NAME;
- }
-
- /* make a copy */
- if (output_cred_handle) {
-
- handle = (gss_cred_id_t)malloc(sizeof(*handle));
- if (handle == GSS_C_NO_CREDENTIAL) {
- *minor_status = ENOMEM;
- return (GSS_S_FAILURE);
- }
-
- memset(handle, 0, sizeof (*handle));
-
- handle->usage = cred_usage;
- handle->lifetime = cred->lifetime;
- handle->principal = NULL;
- handle->keytab = NULL;
- handle->ccache = NULL;
- handle->mechanisms = NULL;
-
- ret = GSS_S_FAILURE;
-
- ret = gss_duplicate_name(minor_status, cred->principal,
- &handle->principal);
- if (ret) {
- free(handle);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- if (cred->keytab) {
- krb5_error_code kret;
- char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
- int len;
-
- ret = GSS_S_FAILURE;
-
- kret =
krb5_kt_get_type(gssapi_krb5_context, cred->keytab,
- name, KRB5_KT_PREFIX_MAX_LEN);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- len = strlen(name);
- name[len++] = ':';
-
- kret = krb5_kt_get_name(gssapi_krb5_context, cred->keytab,
- name + len,
- sizeof(name) - len);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
-
- kret = krb5_kt_resolve(gssapi_krb5_context, name,
- &handle->keytab);
- if (kret){
- *minor_status = kret;
- goto failure;
- }
- }
-
- if (cred->ccache) {
- krb5_error_code kret;
- const char *type, *name;
- char *type_name;
-
- ret = GSS_S_FAILURE;
-
- type = krb5_cc_get_type(gssapi_krb5_context, cred->ccache);
- if (type == NULL){
- *minor_status = ENOMEM;
- goto failure;
- }
-
- name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache);
- if (name == NULL) {
- *minor_status = ENOMEM;
- goto failure;
- }
-
- asprintf(&type_name, "%s:%s", type, name);
- if (type_name == NULL) {
- *minor_status = ENOMEM;
- goto failure;
- }
-
- kret = krb5_cc_resolve(gssapi_krb5_context, type_name,
- &handle->ccache);
- free(type_name);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- }
-
- ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
- if (ret)
- goto failure;
-
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &handle->mechanisms);
- if (ret)
- goto failure;
- }
-
- ret = gss_inquire_cred(minor_status, cred, NULL, &lifetime,
- NULL, actual_mechs);
- if (ret)
- goto failure;
-
- if (initiator_time_rec)
- *initiator_time_rec = lifetime;
- if (acceptor_time_rec)
- *acceptor_time_rec = lifetime;
-
- if (output_cred_handle)
- *output_cred_handle = handle;
-
- *minor_status = 0;
- return ret;
-
- failure:
-
- if (handle) {
- if (handle->principal)
- gss_release_name(NULL, &handle->principal);
- if (handle->keytab)
- krb5_kt_close(gssapi_krb5_context, handle->keytab);
- if (handle->ccache)
- krb5_cc_destroy(gssapi_krb5_context, handle->ccache);
- if (handle->mechanisms)
-
gss_release_oid_set(NULL, &handle->mechanisms);
- free(handle);
- }
- return ret;
-}
diff --git a/lib/gssapi/krb5/add_oid_set_member.c b/lib/gssapi/krb5/add_oid_set_member.c
deleted file mode 100644
index f768098bb..000000000
--- a/lib/gssapi/krb5/add_oid_set_member.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_add_oid_set_member (
- OM_uint32 * minor_status,
- const gss_OID member_oid,
- gss_OID_set * oid_set
- )
-{
- gss_OID tmp;
- size_t n;
- OM_uint32 res;
- int present;
-
- res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present);
- if (res != GSS_S_COMPLETE)
- return res;
-
- if (present) {
- *minor_status = 0;
- return GSS_S_COMPLETE;
- }
-
- n = (*oid_set)->count + 1;
- tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc));
- if (tmp == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- (*oid_set)->elements = tmp;
- (*oid_set)->count = n;
- (*oid_set)->elements[n-1] = *member_oid;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/address_to_krb5addr.c b/lib/gssapi/krb5/address_to_krb5addr.c
deleted file mode 100644
index c8041aa93..000000000
--- a/lib/gssapi/krb5/address_to_krb5addr.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-#include
-
-krb5_error_code
-gss_address_to_krb5addr(OM_uint32 gss_addr_type,
- gss_buffer_desc *gss_addr,
- int16_t port,
- krb5_address *address)
-{
- int addr_type;
- struct sockaddr sa;
- int sa_size = sizeof(sa);
- krb5_error_code problem;
-
- if (gss_addr == NULL)
- return GSS_S_FAILURE;
-
- switch (gss_addr_type) {
-#ifdef HAVE_IPV6
- case GSS_C_AF_INET6: addr_type = AF_INET6;
- break;
-#endif /* HAVE_IPV6 */
-
- case GSS_C_AF_INET: addr_type = AF_INET;
- break;
- default:
- return GSS_S_FAILURE;
- }
-
- problem = krb5_h_addr2sockaddr (gssapi_krb5_context,
- addr_type,
- gss_addr->value,
- &sa,
- &sa_size,
- port);
- if (problem)
- return GSS_S_FAILURE;
-
- problem = krb5_sockaddr2address (gssapi_krb5_context, &sa, address);
-
- return problem;
-}
diff --git a/lib/gssapi/krb5/canonicalize_name.c b/lib/gssapi/krb5/canonicalize_name.c
deleted file mode 100644
index 9bd51e0d9..000000000
--- a/lib/gssapi/krb5/canonicalize_name.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_canonicalize_name (
- OM_uint32 * minor_status,
- const gss_name_t input_name,
- const gss_OID mech_type,
- gss_name_t * output_name
- )
-{
- return gss_duplicate_name (minor_status, input_name, output_name);
-}
diff --git a/lib/gssapi/krb5/compare_name.c b/lib/gssapi/krb5/compare_name.c
deleted file mode 100644
index 2162b1d3f..000000000
--- a/lib/gssapi/krb5/compare_name.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_compare_name
- (OM_uint32 * minor_status,
- const gss_name_t name1,
- const gss_name_t name2,
- int * name_equal
- )
-{
- GSSAPI_KRB5_INIT();
-
- *name_equal = krb5_principal_compare (gssapi_krb5_context,
- name1, name2);
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/compat.c b/lib/gssapi/krb5/compat.c
deleted file mode 100644
index c1a39de93..000000000
--- a/lib/gssapi/krb5/compat.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-
-static krb5_error_code
-check_compat(OM_uint32 *minor_status, gss_name_t name,
- const char *option, krb5_boolean *compat)
-{
- krb5_error_code ret = 0;
- char **p, **q;
- krb5_principal match;
-
-
- p = krb5_config_get_strings(gssapi_krb5_context, NULL, "gssapi",
- option, NULL);
- if(p == NULL)
- return 0;
-
- for(q = p; *q; q++) {
-
- ret = krb5_parse_name(gssapi_krb5_context, *q, &match);
- if (ret)
- break;
-
- if (krb5_principal_match(gssapi_krb5_context, name, match)) {
- *compat = TRUE;
- break;
- }
-
- krb5_free_principal(gssapi_krb5_context, match);
- }
- krb5_config_free_strings(p);
-
- if (ret) {
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
-
- return 0;
-}
-
-OM_uint32
-_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx)
-{
- krb5_boolean use_compat = FALSE;
- OM_uint32 ret;
-
- ret = check_compat(minor_status, ctx->target,
- "broken_3des_mic", &use_compat);
- if (ret)
- return ret;
- if (use_compat)
- ctx->more_flags |= COMPAT_OLD_DES3;
-
- return 0;
-}
diff --git a/lib/gssapi/krb5/context_time.c b/lib/gssapi/krb5/context_time.c
deleted file mode 100644
index d133261b7..000000000
--- a/lib/gssapi/krb5/context_time.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_context_time
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- OM_uint32 * time_rec
- )
-{
- OM_uint32 lifetime;
- OM_uint32 ret;
- krb5_error_code kret;
- krb5_timestamp timeret;
-
- GSSAPI_KRB5_INIT ();
-
- ret = gss_inquire_context(minor_status, context_handle,
- NULL, NULL, &lifetime, NULL, NULL, NULL, NULL);
- if (ret) {
- return ret;
- }
-
- kret = krb5_timeofday(gssapi_krb5_context, &timeret);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
-
- *time_rec = lifetime - timeret;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/copy_ccache.c b/lib/gssapi/krb5/copy_ccache.c
deleted file mode 100644
index 15d2e1c54..000000000
--- a/lib/gssapi/krb5/copy_ccache.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32
-gss_krb5_copy_ccache(OM_uint32 *minor_status,
- gss_cred_id_t cred,
- krb5_ccache out)
-{
- krb5_error_code kret;
-
- if (cred->ccache == NULL) {
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
- kret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache, out);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/create_emtpy_oid_set.c b/lib/gssapi/krb5/create_emtpy_oid_set.c
deleted file mode 100644
index 14b8757ac..000000000
--- a/lib/gssapi/krb5/create_emtpy_oid_set.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_create_empty_oid_set (
- OM_uint32 * minor_status,
- gss_OID_set * oid_set
- )
-{
- *oid_set = malloc(sizeof(**oid_set));
- if (*oid_set == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- (*oid_set)->count = 0;
- (*oid_set)->elements = NULL;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
deleted file mode 100644
index 949280cbc..000000000
--- a/lib/gssapi/krb5/decapsulate.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32
-gssapi_krb5_verify_header(u_char **str,
- size_t total_len,
- char *type)
-{
- size_t len, len_len, mech_len, foo;
- int e;
- u_char *p = *str;
-
- if (total_len < 1)
- return GSS_S_DEFECTIVE_TOKEN;
- if (*p++ != 0x60)
- return GSS_S_DEFECTIVE_TOKEN;
- e = der_get_length (p, total_len - 1, &len, &len_len);
- if (e || 1 + len_len + len != total_len)
- return GSS_S_DEFECTIVE_TOKEN;
- p += len_len;
- if (*p++ != 0x06)
- return GSS_S_DEFECTIVE_TOKEN;
- e = der_get_length (p, total_len - 1 - len_len - 1,
- &mech_len, &foo);
- if (e)
- return GSS_S_DEFECTIVE_TOKEN;
- p += foo;
- if (mech_len != GSS_KRB5_MECHANISM->length)
- return GSS_S_BAD_MECH;
- if (memcmp(p,
- GSS_KRB5_MECHANISM->elements,
- GSS_KRB5_MECHANISM->length) != 0)
- return GSS_S_BAD_MECH;
- p += mech_len;
- if (memcmp (p, type, 2) != 0)
- return GSS_S_DEFECTIVE_TOKEN;
- p += 2;
- *str = p;
- return GSS_S_COMPLETE;
-}
-
-/*
- * Remove the GSS-API wrapping from `in_token' giving `out_data.
- * Does not copy data, so just free `in_token'.
- */
-
-OM_uint32
-gssapi_krb5_decapsulate(
- OM_uint32 *minor_status,
- gss_buffer_t input_token_buffer,
- krb5_data *out_data,
- char *type
-)
-{
- u_char *p;
- OM_uint32 ret;
-
- p = input_token_buffer->value;
- ret = gssapi_krb5_verify_header(&p,
- input_token_buffer->length,
- type);
- if (ret) {
- *minor_status = 0;
- return ret;
- }
-
- out_data->length = input_token_buffer->length - - (p - (u_char *)input_token_buffer->value);
- out_data->data = p;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/delete_sec_context.c b/lib/gssapi/krb5/delete_sec_context.c
deleted file mode 100644
index 4c609b3fc..000000000
--- a/lib/gssapi/krb5/delete_sec_context.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_delete_sec_context
- (OM_uint32 * minor_status,
- gss_ctx_id_t * context_handle,
- gss_buffer_t output_token
- )
-{
- GSSAPI_KRB5_INIT ();
-
- if (output_token) {
- output_token->length = 0;
- output_token->value = NULL;
- }
-
- krb5_auth_con_free (gssapi_krb5_context,
- (*context_handle)->auth_context);
- if((*context_handle)->source)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->source);
- if((*context_handle)->target)
- krb5_free_principal (gssapi_krb5_context,
- (*context_handle)->target);
- if ((*context_handle)->ticket) {
- krb5_free_ticket (gssapi_krb5_context,
- (*context_handle)->ticket);
- free((*context_handle)->ticket);
- }
-
- free (*context_handle);
- *context_handle = GSS_C_NO_CONTEXT;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/display_name.c b/lib/gssapi/krb5/display_name.c
deleted file mode 100644
index 0078d8224..000000000
--- a/lib/gssapi/krb5/display_name.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_display_name
- (OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_buffer_t output_name_buffer,
- gss_OID * output_name_type
- )
-{
- krb5_error_code kret;
- char *buf;
- size_t len;
-
- GSSAPI_KRB5_INIT ();
- kret = krb5_unparse_name (gssapi_krb5_context,
- input_name,
- &buf);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
- len = strlen (buf);
- output_name_buffer->length = len;
- output_name_buffer->value = malloc(len + 1);
- if (output_name_buffer->value == NULL) {
- free (buf);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
- memcpy (output_name_buffer->value, buf, len);
- ((char *)output_name_buffer->value)[len] = '\0';
- free (buf);
- if (output_name_type)
- *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/display_status.c b/lib/gssapi/krb5/display_status.c
deleted file mode 100644
index 2391596dc..000000000
--- a/lib/gssapi/krb5/display_status.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-static char *krb5_error_string;
-
-static char *
-calling_error(OM_uint32 v)
-{
- static char *msgs[] = {
- NULL, /* 0 */
- "A required input parameter could not be read.", /* */
- "A required output parameter could not be written.", /* */
- "A parameter was malformed"
- };
-
- v >>= GSS_C_CALLING_ERROR_OFFSET;
-
- if (v == 0)
- return "";
- else if (v >= sizeof(msgs)/sizeof(*msgs))
- return "unknown calling error";
- else
- return msgs[v];
-}
-
-static char *
-routine_error(OM_uint32 v)
-{
- static char *msgs[] = {
- NULL, /* 0 */
- "An unsupported mechanism was requested",
- "An invalid name was supplied",
- "A supplied name was of an unsupported type",
- "Incorrect channel bindings were supplied",
- "An invalid status code was supplied",
- "A token had an invalid MIC",
- "No credentials were supplied, "
- "or the credentials were unavailable or inaccessible.",
- "No context has been established",
- "A token was invalid",
- "A credential was invalid",
- "The referenced credentials have expired",
- "The context has expired",
- "Miscellaneous failure (see text)",
- "The quality-of-protection requested could not be provide",
- "The operation is forbidden by local security policy",
- "The operation or option is not available",
- "The requested credential element already exists",
- "The provided name was not a mechanism name.",
- };
-
- v >>= GSS_C_ROUTINE_ERROR_OFFSET;
-
- if (v == 0)
- return "";
- else if (v >= sizeof(msgs)/sizeof(*msgs))
- return "unknown routine error";
- else
- return msgs[v];
-}
-
-static char *
-supplementary_error(OM_uint32 v)
-{
- static char *msgs[] = {
- "normal completion",
- "continuation call to routine required",
- "duplicate per-message token detected",
- "timed-out per-message token detected",
- "reordered (early) per-message token detected",
- "skipped predecessor token(s) detected"
- };
-
- v >>= GSS_C_SUPPLEMENTARY_OFFSET;
-
- if (v >= sizeof(msgs)/sizeof(*msgs))
- return
"unknown routine error"; - else - return msgs[v]; -} - -void -gssapi_krb5_set_error_string (void) -{ - krb5_error_string = krb5_get_error_string(gssapi_krb5_context); -} - -char * -gssapi_krb5_get_error_string (void) -{ - char *ret = krb5_error_string; - krb5_error_string = NULL; - return ret; -} - -OM_uint32 gss_display_status - (OM_uint32 *minor_status, - OM_uint32 status_value, - int status_type, - const gss_OID mech_type, - OM_uint32 *message_context, - gss_buffer_t status_string) -{ - char *buf; - - GSSAPI_KRB5_INIT (); - - status_string->length = 0; - status_string->value = NULL; - - if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 && - gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) { - *minor_status = 0; - return GSS_C_GSS_CODE; - } - - if (status_type == GSS_C_GSS_CODE) { - if (GSS_SUPPLEMENTARY_INFO(status_value)) - asprintf(&buf, "%s", - supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value))); - else - asprintf (&buf, "%s %s", - calling_error(GSS_CALLING_ERROR(status_value)), - routine_error(GSS_ROUTINE_ERROR(status_value))); - } else if (status_type == GSS_C_MECH_CODE) { - buf = gssapi_krb5_get_error_string (); - if (buf == NULL) { - const char *tmp = krb5_get_err_text (gssapi_krb5_context, - status_value); - if (tmp == NULL) - asprintf(&buf, "unknown mech error-code %u", - (unsigned)status_value); - else - buf = strdup(tmp); - } - } else { - *minor_status = EINVAL; - return GSS_S_BAD_STATUS; - } - - if (buf == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - *message_context = 0; - *minor_status = 0; - - status_string->length = strlen(buf); - status_string->value = buf; - - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/krb5/duplicate_name.c b/lib/gssapi/krb5/duplicate_name.c deleted file mode 100644 index 3c3a1cd1b..000000000 --- a/lib/gssapi/krb5/duplicate_name.c +++ /dev/null 
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_duplicate_name (
- OM_uint32 * minor_status,
- const gss_name_t src_name,
- gss_name_t * dest_name
- )
-{
- krb5_error_code kret;
-
- GSSAPI_KRB5_INIT ();
-
- kret = krb5_copy_principal (gssapi_krb5_context,
- src_name,
- dest_name);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- } else {
- *minor_status = 0;
- return GSS_S_COMPLETE;
- }
-}
diff --git a/lib/gssapi/krb5/encapsulate.c b/lib/gssapi/krb5/encapsulate.c
deleted file mode 100644
index 8f64fdd25..000000000
--- a/lib/gssapi/krb5/encapsulate.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-void
-gssapi_krb5_encap_length (size_t data_len,
- size_t *len,
- size_t *total_len)
-{
- size_t len_len;
-
- *len = 1 + 1 + GSS_KRB5_MECHANISM->length + 2 + data_len;
-
- len_len = length_len(*len);
-
- *total_len = 1 + len_len + *len;
-}
-
-u_char *
-gssapi_krb5_make_header (u_char *p,
- size_t len,
- u_char *type)
-{
- int e;
- size_t len_len, foo;
-
- *p++ = 0x60;
- len_len = length_len(len);
- e = der_put_length (p + len_len - 1, len_len, len, &foo);
- if(e || foo != len_len)
- abort ();
- p += len_len;
- *p++ = 0x06;
- *p++ = GSS_KRB5_MECHANISM->length;
- memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
- p += GSS_KRB5_MECHANISM->length;
- memcpy (p, type, 2);
- p += 2;
- return p;
-}
-
-/*
- * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
- */
-
-OM_uint32
-gssapi_krb5_encapsulate(
- OM_uint32 *minor_status,
- const krb5_data *in_data,
- gss_buffer_t output_token,
- u_char *type
-)
-{
- size_t len, outer_len;
- u_char *p;
-
- gssapi_krb5_encap_length (in_data->length, &len, &outer_len);
-
- output_token->length = outer_len;
- output_token->value = malloc (outer_len);
- if (output_token->value == NULL) {
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- p = gssapi_krb5_make_header (output_token->value, len, type);
- memcpy (p, in_data->data, in_data->length);
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/export_name.c b/lib/gssapi/krb5/export_name.c
deleted file mode 100644
index 4d478c601..000000000
--- a/lib/gssapi/krb5/export_name.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_export_name
- (OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_buffer_t exported_name
- )
-{
- krb5_error_code kret;
- char *buf, *name;
- size_t len;
-
- GSSAPI_KRB5_INIT ();
- kret = krb5_unparse_name (gssapi_krb5_context,
- input_name,
- &name);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
- len = strlen (name);
-
- exported_name->length = 10 + len + GSS_KRB5_MECHANISM->length;
- exported_name->value = malloc(exported_name->length);
- if (exported_name->value == NULL) {
- free (name);
- *minor_status = ENOMEM;
- return GSS_S_FAILURE;
- }
-
- /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */
-
- buf = exported_name->value;
- memcpy(buf, "\x04\x01", 2);
- buf += 2;
- buf[0] = ((GSS_KRB5_MECHANISM->length + 2) >> 8) & 0xff;
- buf[1] = (GSS_KRB5_MECHANISM->length + 2) & 0xff;
- buf+= 2;
- buf[0] = 0x06;
- buf[1] = (GSS_KRB5_MECHANISM->length) & 0xFF;
- buf+= 2;
-
- memcpy(buf, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
- buf += GSS_KRB5_MECHANISM->length;
-
- buf[0] = (len >> 24) & 0xff;
- buf[1] = (len >> 16) & 0xff;
- buf[2] = (len >> 8) & 0xff;
- buf[3] = (len) & 0xff;
- buf += 4;
-
- memcpy (buf, name, len);
-
- free (name);
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/export_sec_context.c b/lib/gssapi/krb5/export_sec_context.c
deleted file mode 100644
index 8ec622377..000000000
--- a/lib/gssapi/krb5/export_sec_context.c
+++ /dev/null
@@ -1,223 +0,0 @@ -/* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_export_sec_context ( - OM_uint32 * minor_status, - gss_ctx_id_t * context_handle, - gss_buffer_t interprocess_token - ) -{ - krb5_storage *sp; - krb5_auth_context ac; - OM_uint32 ret = GSS_S_COMPLETE; - krb5_data data; - gss_buffer_desc buffer; - int flags; - OM_uint32 minor; - krb5_error_code kret; - - GSSAPI_KRB5_INIT (); - if (!((*context_handle)->flags & GSS_C_TRANS_FLAG)) { - *minor_status = 0; - return GSS_S_UNAVAILABLE; - } - - sp = krb5_storage_emem (); - if (sp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - ac = (*context_handle)->auth_context; - - /* flagging included fields */ - - flags = 0; - if (ac->local_address) - flags |= SC_LOCAL_ADDRESS; - if (ac->remote_address) - flags |= SC_REMOTE_ADDRESS; - if (ac->keyblock) - flags |= SC_KEYBLOCK; - if (ac->local_subkey) - flags |= SC_LOCAL_SUBKEY; - if (ac->remote_subkey) - flags |= SC_REMOTE_SUBKEY; - - kret = krb5_store_int32 (sp, flags); - if (kret) { - *minor_status = kret; - goto failure; - } - - /* marshall auth context */ - - kret = krb5_store_int32 (sp, ac->flags); - if (kret) { - *minor_status = kret; - goto failure; - } - if (ac->local_address) { - kret = krb5_store_address (sp, *ac->local_address); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->remote_address) { - kret = krb5_store_address (sp, *ac->remote_address); - if (kret) { - *minor_status = kret; - goto failure; - } - } - kret = krb5_store_int16 (sp, ac->local_port); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int16 (sp, ac->remote_port); - if (kret) { - *minor_status = kret; - goto failure; - } - if (ac->keyblock) { - kret = krb5_store_keyblock (sp, *ac->keyblock); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->local_subkey) { - kret = krb5_store_keyblock (sp, *ac->local_subkey); - if (kret) { - *minor_status = kret; - goto failure; - } - } - if (ac->remote_subkey) { - 
kret = krb5_store_keyblock (sp, *ac->remote_subkey); - if (kret) { - *minor_status = kret; - goto failure; - } - } - kret = krb5_store_int32 (sp, ac->local_seqnumber); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ac->remote_seqnumber); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_store_int32 (sp, ac->keytype); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, ac->cksumtype); - if (kret) { - *minor_status = kret; - goto failure; - } - - /* names */ - - ret = gss_export_name (minor_status, (*context_handle)->source, &buffer); - if (ret) - goto failure; - data.data = buffer.value; - data.length = buffer.length; - kret = krb5_store_data (sp, data); - gss_release_buffer (&minor, &buffer); - if (kret) { - *minor_status = kret; - goto failure; - } - - ret = gss_export_name (minor_status, (*context_handle)->target, &buffer); - if (ret) - goto failure; - data.data = buffer.value; - data.length = buffer.length; - - ret = GSS_S_FAILURE; - - kret = krb5_store_data (sp, data); - gss_release_buffer (&minor, &buffer); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_store_int32 (sp, (*context_handle)->flags); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, (*context_handle)->more_flags); - if (kret) { - *minor_status = kret; - goto failure; - } - kret = krb5_store_int32 (sp, (*context_handle)->lifetime); - if (kret) { - *minor_status = kret; - goto failure; - } - - kret = krb5_storage_to_data (sp, &data); - krb5_storage_free (sp); - if (kret) { - *minor_status = kret; - return GSS_S_FAILURE; - } - interprocess_token->length = data.length; - interprocess_token->value = data.data; - ret = gss_delete_sec_context (minor_status, context_handle, - GSS_C_NO_BUFFER); - if (ret != GSS_S_COMPLETE) - gss_release_buffer (NULL, interprocess_token); - *minor_status = 0; - return ret; - failure: - krb5_storage_free 
(sp); - return ret; -} diff --git a/lib/gssapi/krb5/external.c b/lib/gssapi/krb5/external.c deleted file mode 100644 index ab1591423..000000000 --- a/lib/gssapi/krb5/external.c +++ /dev/null 
@@ -1,235 +0,0 @@ -/* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x01"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant - * GSS_C_NT_USER_NAME should be initialized to point - * to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_user_name_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12" - "\x01\x02\x01\x01"}; - -gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x02"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. - * The constant GSS_C_NT_MACHINE_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12" - "\x01\x02\x01\x02"}; - -gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x03"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. - * The constant GSS_C_NT_STRING_UID_NAME should be - * initialized to point to that gss_OID_desc. 
- */ - -static gss_OID_desc gss_c_nt_string_uid_name_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12" - "\x01\x02\x01\x03"}; - -gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, - * corresponding to an object-identifier value of - * {iso(1) org(3) dod(6) internet(1) security(5) - * nametypes(6) gss-host-based-services(2)). The constant - * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point - * to that gss_OID_desc. This is a deprecated OID value, and - * implementations wishing to support hostbased-service names - * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, - * defined below, to identify such names; - * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym - * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input - * parameter, but should not be emitted by GSS-API - * implementations - */ - -static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc = -{6, (void *)"\x2b\x06\x01\x05\x06\x02"}; - -gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x04"}, corresponding to an - * object-identifier value of {iso(1) member-body(2) - * Unites States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) service_name(4)}. The constant - * GSS_C_NT_HOSTBASED_SERVICE should be initialized - * to point to that gss_OID_desc. 
- */ -static gss_OID_desc gss_c_nt_hostbased_service_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04"}; - -gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, - * corresponding to an object identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 3(gss-anonymous-name)}. The constant - * and GSS_C_NT_ANONYMOUS should be initialized to point - * to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_anonymous_oid_desc = -{6, (void *)"\x2b\x06\01\x05\x06\x03"}; - -gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 4(gss-api-exported-name)}. The constant - * GSS_C_NT_EXPORT_NAME should be initialized to point - * to that gss_OID_desc. - */ - -static gss_OID_desc gss_c_nt_export_name_oid_desc = -{6, (void *)"\x2b\x06\x01\x05\x06\x04"}; - -gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * krb5(2) krb5_name(1)}. The recommended symbolic name for this type - * is "GSS_KRB5_NT_PRINCIPAL_NAME". - */ - -static gss_OID_desc gss_krb5_nt_principal_name_oid_desc = -{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01"}; - -gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) user_name(1)}. 
The recommended symbolic name for this - * type is "GSS_KRB5_NT_USER_NAME". - */ - -gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) machine_uid_name(2)}. The recommended symbolic name for - * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". - */ - -gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc; - -/* - * This name form shall be represented by the Object Identifier {iso(1) - * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) string_uid_name(3)}. The recommended symbolic name for - * this type is "GSS_KRB5_NT_STRING_UID_NAME". - */ - -gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc; - -/* - * To support ongoing experimentation, testing, and evolution of the - * specification, the Kerberos V5 GSS-API mechanism as defined in this - * and any successor memos will be identified with the following Object - * Identifier, as defined in RFC-1510, until the specification is - * advanced to the level of Proposed Standard RFC: - * - * {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)} - * - * Upon advancement to the level of Proposed Standard RFC, the Kerberos - * V5 GSS-API mechanism will be identified by an Object Identifier - * having the value: - * - * {iso(1) member-body(2) United States(840) mit(113554) infosys(1) - * gssapi(2) krb5(2)} - */ - -#if 0 /* This is the old OID */ - -static gss_OID_desc gss_krb5_mechanism_oid_desc = -{5, (void *)"\x2b\x05\x01\x05\x02"}; - -#endif - -static gss_OID_desc gss_krb5_mechanism_oid_desc = -{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}; - -gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc; - -/* - * Context for krb5 calls. - */ - -krb5_context gssapi_krb5_context; 
diff --git a/lib/gssapi/krb5/get_mic.c b/lib/gssapi/krb5/get_mic.c deleted file mode 100644 index bdf935e65..000000000 --- a/lib/gssapi/krb5/get_mic.c +++ /dev/null 
@@ -1,291 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static OM_uint32 -mic_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16]; - des_key_schedule schedule; - des_cblock deskey; - des_cblock zero; - int32_t seq_number; - size_t len, total_len; - - gssapi_krb5_encap_length (22, &len, &total_len); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(message_token->value, - len, - "\x01\x01"); /* TOK_ID */ - - memcpy (p, "\x00\x00", 2); /* SGN_ALG = DES MAC MD5 */ - p += 2; - - memcpy (p, "\xff\xff\xff\xff", 4); /* Filler */ - p += 4; - - /* Fill in later (SND-SEQ) */ - memset (p, 0, 16); - p += 16; - - /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, message_buffer->length); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - memcpy (p - 8, hash, 8); /* SGN_CKSUM */ - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - p -= 16; /* SND_SEQ */ - p[0] = (seq_number >> 0) & 0xFF; - p[1] = (seq_number >> 8) & 0xFF; - p[2] = (seq_number >> 16) & 0xFF; - p[3] = (seq_number >> 24) & 0xFF; - memset (p + 4, - (context_handle->more_flags & LOCAL) ? 
0 : 0xFF, - 4); - - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)(p + 8), DES_ENCRYPT); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -mic_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token, - krb5_keyblock *key - ) -{ - u_char *p; - Checksum cksum; - u_char seq[8]; - - int32_t seq_number; - size_t len, total_len; - - krb5_crypto crypto; - krb5_error_code kret; - krb5_data encdata; - char *tmp; - char ivec[8]; - - gssapi_krb5_encap_length (36, &len, &total_len); - - message_token->length = total_len; - message_token->value = malloc (total_len); - if (message_token->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(message_token->value, - len, - "\x01\x01"); /* TOK-ID */ - - memcpy (p, "\x04\x00", 2); /* SGN_ALG = HMAC SHA1 DES3-KD */ - p += 2; - - memcpy (p, "\xff\xff\xff\xff", 4); /* filler */ - p += 4; - - /* this should be done in parts */ - - tmp = malloc (message_buffer->length + 8); - if (tmp == NULL) { - free (message_token->value); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, p - 8, 8); - memcpy (tmp + 8, message_buffer->value, message_buffer->length); - - kret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (kret) { - free (message_token->value); - free (tmp); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - kret = krb5_create_checksum (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SIGN, - 0, - tmp, - message_buffer->length + 8, - &cksum); - free (tmp); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (kret) { - free (message_token->value); - 
gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0 : 0xFF, - 4); - - kret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (kret) { - free (message_token->value); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - if (context_handle->more_flags & COMPAT_OLD_DES3) - memset(ivec, 0, 8); - else - memcpy(ivec, p + 8, 8); - - kret = krb5_encrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - seq, 8, &encdata, ivec); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (kret) { - free (message_token->value); - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - - assert (encdata.length == 8); - - memcpy (p, encdata.data, encdata.length); - krb5_data_free (&encdata); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - free_Checksum (&cksum); - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 gss_get_mic - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - gss_qop_t qop_req, - const gss_buffer_t message_buffer, - gss_buffer_t message_token - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_localkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - ret = mic_des (minor_status, context_handle, qop_req, - 
message_buffer, message_token, key); - break; - case KEYTYPE_DES3 : - ret = mic_des3 (minor_status, context_handle, qop_req, - message_buffer, message_token, key); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - return ret; -} diff --git a/lib/gssapi/krb5/gss_acquire_cred.3 b/lib/gssapi/krb5/gss_acquire_cred.3 deleted file mode 100644 index fb407dd42..000000000 --- a/lib/gssapi/krb5/gss_acquire_cred.3 +++ /dev/null 
@@ -1,444 +0,0 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id$ -.\" -.Dd April 2, 2003 -.Dt GSS_ACQUIRE_CRED 3 -.Os HEIMDAL -.Sh NAME -.Nm gss_accept_sec_context , -.Nm gss_acquire_cred , -.Nm gss_add_cred , -.Nm gss_add_oid_set_member , -.Nm gss_canonicalize_name , -.Nm gss_compare_name , -.Nm gss_context_time , -.Nm gss_create_empty_oid_set , -.Nm gss_delete_sec_context , -.Nm gss_display_name , -.Nm gss_display_status , -.Nm gss_duplicate_name , -.Nm gss_export_name , -.Nm gss_export_sec_context , -.Nm gss_get_mic , -.Nm gss_import_name , -.Nm gss_import_sec_context , -.Nm gss_indicate_mechs , -.Nm gss_init_sec_context , -.Nm gss_inquire_context , -.Nm gss_inquire_cred , -.Nm gss_inquire_cred_by_mech , -.Nm gss_inquire_mechs_for_name , -.Nm gss_inquire_names_for_mech , -.Nm gss_krb5_copy_ccache , -.Nm gss_process_context_token , -.Nm gss_release_buffer , -.Nm gss_release_cred , -.Nm gss_release_name , -.Nm gss_release_oid_set , -.Nm gss_seal , -.Nm gss_sign , -.Nm gss_test_oid_set_member , -.Nm gss_unseal , -.Nm gss_unwrap , -.Nm gss_verify , -.Nm gss_verify_mic , -.Nm gss_wrap , -.Nm gss_wrap_size_limit -.Nd Generic Security Service Application Program Interface library -.Sh LIBRARY -GSS-API library (libgssapi, -lgssapi) -.Sh SYNOPSIS -.In gssapi.h -.Pp -.Ft OM_uint32 -.Fo gss_accept_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "const gss_cred_id_t acceptor_cred_handle" -.Fa "const gss_buffer_t input_token_buffer" -.Fa "const gss_channel_bindings_t input_chan_bindings" -.Fa "gss_name_t * src_name" -.Fa "gss_OID * mech_type" -.Fa "gss_buffer_t output_token" -.Fa "OM_uint32 * ret_flags" -.Fa "OM_uint32 * time_rec" -.Fa "gss_cred_id_t * delegated_cred_handle" -.Fc -.Pp -.Ft OM_uint32 -.Fo gss_acquire_cred -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t desired_name" -.Fa "OM_uint32 time_req" -.Fa "const gss_OID_set desired_mechs" -.Fa "gss_cred_usage_t cred_usage" -.Fa "gss_cred_id_t * output_cred_handle" -.Fa "gss_OID_set * actual_mechs" -.Fa "OM_uint32 * 
time_rec" -.Fc -.\" .Fn gss_add_cred -.Ft OM_uint32 -.Fo gss_add_oid_set_member -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID member_oid" -.Fa "gss_OID_set * oid_set" -.Fc -.Ft OM_uint32 -.Fo gss_canonicalize_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "const gss_OID mech_type" -.Fa "gss_name_t * output_name" -.Fc -.Ft OM_uint32 -.Fo gss_compare_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t name1" -.Fa "const gss_name_t name2" -.Fa "int * name_equal" -.Fc -.Ft OM_uint32 -.Fo gss_context_time -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_create_empty_oid_set -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * oid_set" -.Fc -.Ft OM_uint32 -.Fo gss_delete_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "gss_buffer_t output_token" -.Fc -.Ft OM_uint32 -.Fo gss_display_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_buffer_t output_name_buffer" -.Fa "gss_OID * output_name_type" -.Fc -.Ft OM_uint32 -.Fo gss_display_status -.Fa "OM_uint32 *minor_status" -.Fa "OM_uint32 status_value" -.Fa "int status_type" -.Fa "const gss_OID mech_type" -.Fa "OM_uint32 *message_context" -.Fa "gss_buffer_t status_string" -.Fc -.Ft OM_uint32 -.Fo gss_duplicate_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t src_name" -.Fa "gss_name_t * dest_name" -.Fc -.Ft OM_uint32 -.Fo gss_export_name -.Fa "OM_uint32 * minor_status" -.Fa "const gss_name_t input_name" -.Fa "gss_buffer_t exported_name" -.Fc -.Ft OM_uint32 -.Fo gss_export_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t * context_handle" -.Fa "gss_buffer_t interprocess_token" -.Fc -.Ft OM_uint32 -.Fo gss_get_mic -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "gss_qop_t qop_req" -.Fa "const gss_buffer_t message_buffer" -.Fa "gss_buffer_t message_token" -.Fc -.Ft OM_uint32 -.Fo 
gss_import_name -.Fa "OM_uint32 * minor_status, -.Fa "const gss_buffer_t input_name_buffer" -.Fa "const gss_OID input_name_type" -.Fa "gss_name_t * output_name" -.Fc -.Ft OM_uint32 -.Fo gss_import_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_buffer_t interprocess_token" -.Fa "gss_ctx_id_t * context_handle" -.Fc -.Ft OM_uint32 -.Fo gss_indicate_mechs -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * mech_set" -.Fc -.Ft OM_uint32 -.Fo gss_init_sec_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t initiator_cred_handle" -.Fa "gss_ctx_id_t * context_handle" -.Fa "const gss_name_t target_name" -.Fa "const gss_OID mech_type" -.Fa "OM_uint32 req_flags" -.Fa "OM_uint32 time_req" -.Fa "const gss_channel_bindings_t input_chan_bindings" -.Fa "const gss_buffer_t input_token" -.Fa "gss_OID * actual_mech_type" -.Fa "gss_buffer_t output_token" -.Fa "OM_uint32 * ret_flags" -.Fa "OM_uint32 * time_rec" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_context -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "gss_name_t * src_name" -.Fa "gss_name_t * targ_name" -.Fa "OM_uint32 * lifetime_rec" -.Fa "gss_OID * mech_type" -.Fa "OM_uint32 * ctx_flags" -.Fa "int * locally_initiated" -.Fa "int * open_context" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_cred -.Fa "OM_uint32 * minor_status" -.Fa "const gss_cred_id_t cred_handle" -.Fa "gss_name_t * name" -.Fa "OM_uint32 * lifetime" -.Fa "gss_cred_usage_t * cred_usage" -.Fa "gss_OID_set * mechanisms" -.Fc -.Ft OM_uint32 -.Fo gss_inquire_cred_by_mech -.Fc -.Ft OM_uint32 -.Fo gss_inquire_mechs_for_name -.Fc -.Ft OM_uint32 -.Fo gss_inquire_names_for_mech -.Fc -.Ft OM_uint32 -.Fo gss_krb5_copy_ccache -.Fa "OM_uint32 *minor" -.Fa "gss_cred_id_t cred" -.Fa "krb5_ccache out" -.Fc -.Ft OM_uint32 -.Fo gss_process_context_token -.Fc -.Ft OM_uint32 -.Fo gss_release_buffer -.Fa "OM_uint32 * minor_status" -.Fa "gss_buffer_t buffer" -.Fc -.Ft OM_uint32 -.Fo gss_release_cred -.Fa "OM_uint32 * minor_status" -.Fa 
"gss_cred_id_t * cred_handle" -.Fc -.Ft OM_uint32 -.Fo gss_release_name -.Fa "OM_uint32 * minor_status" -.Fa "gss_name_t * input_name" -.Fc -.Ft -.Fo gss_release_oid_set -.Fa "OM_uint32 * minor_status" -.Fa "gss_OID_set * set" -.Fc -.Ft OM_uint32 -.Fo gss_seal -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "int qop_req" -.Fa "gss_buffer_t input_message_buffer" -.Fa "int * conf_state" -.Fa "gss_buffer_t output_message_buffer" -.Fc -.Ft OM_uint32 -.Fo gss_sign -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "int qop_req" -.Fa "gss_buffer_t message_buffer" -.Fa "gss_buffer_t message_token" -.Fc -.Ft OM_uint32 -.Fo gss_test_oid_set_member -.Fa "OM_uint32 * minor_status" -.Fa "const gss_OID member" -.Fa "const gss_OID_set set" -.Fa "int * present" -.Fc -.Ft OM_uint32 -.Fo gss_unseal -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "gss_buffer_t input_message_buffer" -.Fa "gss_buffer_t output_message_buffer" -.Fa "int * conf_state" -.Fa "int * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_unwrap -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t input_message_buffer" -.Fa "gss_buffer_t output_message_buffer" -.Fa "int * conf_state" -.Fa "gss_qop_t * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_verify -.Fa "OM_uint32 * minor_status" -.Fa "gss_ctx_id_t context_handle" -.Fa "gss_buffer_t message_buffer" -.Fa "gss_buffer_t token_buffer" -.Fa "int * qop_state" -.Fc -.Ft OM_uint32 -.Fo gss_verify_mic -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "const gss_buffer_t message_buffer" -.Fa "const gss_buffer_t token_buffer" -.Fa "gss_qop_t * qop_state" -.Fc -.Ft -.Fo gss_wrap -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "gss_qop_t qop_req" -.Fa "const gss_buffer_t input_message_buffer" -.Fa "int * conf_state" -.Fa "gss_buffer_t output_message_buffer" -.Fc -.Ft 
OM_uint32 -.Fo gss_wrap_size_limit -.Fa "OM_uint32 * minor_status" -.Fa "const gss_ctx_id_t context_handle" -.Fa "int conf_req_flag" -.Fa "gss_qop_t qop_req" -.Fa "OM_uint32 req_output_size" -.Fa "OM_uint32 * max_input_size" -.Fc -.Sh DESCRIPTION -Generic Security Service API (GSS-API) version 2, and its C binding, -is described in -.Li RFC2743 -and -.Li RFC2744 . -Version 1 (deprecated) of the C binding is described in -.Li RFC1509 . -.Pp -Heimdals GSS-API implementation supports the following mechanisms -.Bl -bullet -.It -.Li GSS_KRB5_MECHANISM -.El -.Pp -GSS-API have generic name types that all mechanism are supposed to -implement (if possible) -.Bl -bullet -.It -.Li GSS_C_NT_USER_NAME -.It -.Li GSS_C_NT_MACHINE_UID_NAME -.It -.Li GSS_C_NT_STRING_UID_NAME -.It -.Li GSS_C_NT_HOSTBASED_SERVICE -.It -.Li GSS_C_NT_ANONYMOUS -.It -.Li GSS_C_NT_EXPORT_NAME -.El -.Pp -GSS-API implementations that supports Kerberos 5 have some additional -name types -.Bl -bullet -.It -.Li GSS_KRB5_NT_PRINCIPAL_NAME -.It -.Li GSS_KRB5_NT_USER_NAME -.It -.Li GSS_KRB5_NT_MACHINE_UID_NAME -.It -.Li GSS_KRB5_NT_STRING_UID_NAME -.El -.Pp -.Fn gss_display_name -takes the gss name in -.Fa input_name -and put a printable form in -.Fa output_name_buffer . -.Fa output_name_buffer -should be freed when done using -.Fn gss_release_buffer . -.Fa output_name_type -can either be -.Dv NULL -or a pointer to a -.Li gss_OID -and will in the later case contain the OID type of the name. -The name should only be used for printing. -Access control should be done with the result of -.Fn gss_export_name . -.Pp -.Fn gss_sign , -.Fn gss_verify , -.Fn gss_seal , -and -.Fn gss_unseal -are part of the GSS-API V1 interface and are obsolete. The functions -should not be used for new applications. -They are provided so that version 1 applications can link against the -library. -.Pp -.Fn gss_krb5_copy_ccache -is an extension to the GSS-API API. 
-The function will extract the krb5 credential that are transfered from -the initiator to the acceptor when using token delegation in the -Kerberos mechanism. -The acceptor receives the delegated token in the last argument to -.Fn gss_accept_sec_context . -.Sh SEE ALSO -.Xr krb5 3 , -.Xr krb5_ccache 3 , -.Xr gssapi 3 , -.Xr kerberos 8 diff --git a/lib/gssapi/krb5/gssapi.3 b/lib/gssapi/krb5/gssapi.3 deleted file mode 100644 index 9cfe7586d..000000000 --- a/lib/gssapi/krb5/gssapi.3 +++ /dev/null 
@@ -1,133 +0,0 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id$ -.\" -.Dd January 23, 2003 -.Dt GSSAPI 3 -.Os -.Sh NAME -.Nm gssapi -.Nd Generic Security Service Application Program Interface library -.Sh LIBRARY -GSS-API Library (libgssapi, -lgssapi) -.Sh DESCRIPTION -The Generic Security Service Application Program Interface (GSS-API) -provides security services to callers in a generic fashion, -supportable with a range of underlying mechanisms and technologies and -hence allowing source-level portability of applications to different -environments. -.Sh LIST OF FUNCTIONS -These functions constitute the gssapi library, -.Em libgssapi . -Declarations for these functions may be obtained from the include file -.Pa gssapi.h . -.sp 2 -.nf -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u -\fIName/Page\fP \fIDescription\fP -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC -.sp 5p -gss_accept_sec_context.3 -gss_acquire_cred.3 -gss_add_cred.3 -gss_add_oid_set_member.3 -gss_canonicalize_name.3 -gss_compare_name.3 -gss_context_time.3 -gss_create_empty_oid_set.3 -gss_delete_sec_context.3 -gss_display_name.3 -gss_display_status.3 -gss_duplicate_name.3 -gss_export_name.3 -gss_export_sec_context.3 -gss_get_mic.3 -gss_import_name.3 -gss_import_sec_context.3 -gss_indicate_mechs.3 -gss_init_sec_context.3 -gss_inquire_context.3 -gss_inquire_cred.3 -gss_inquire_cred_by_mech.3 -gss_inquire_mechs_for_name.3 -gss_inquire_names_for_mech.3 -gss_krb5_copy_ccache.3 -gss_process_context_token.3 -gss_release_buffer.3 -gss_release_cred.3 -gss_release_name.3 -gss_release_oid_set.3 -gss_seal.3 -gss_sign.3 -gss_test_oid_set_member.3 -gss_unseal.3 -gss_unwrap.3 -gss_verify.3 -gss_verify_mic.3 -gss_wrap.3 -gss_wrap_size_limit.3 -.ta -.Fi -.Sh COMPATIBILITY -The -.Nm Heimdal -GSS-API implementation had a bug in releases before 0.6 that made it -fail to inter-operate when using DES3 with other GSS-API -implementations when using -.Fn gss_get_mic -/ -.Fn gss_verify_mic . 
-.Pp -To turn on compatibility with older clients and servers, change the -.Nm [gssapi] -.Ar broken_3des_mic -in -.Pa krb5.conf -that contains a list of globbing expressions that will be matched -against the server name. -This config option modifies behaviour for both clients and servers. -.Pp -Example: -.Bd -literal -offset indent -[gssapi] - broken_3des_mic = cvs/*@SU.SE - broken_3des_mic = host/*@SU.SE afs/*@SU.SE -.Ed -.Sh BUGS -All of 0.5.x versions of -.Nm heimdal -had broken token delegations in the client side, the server side was -correct. -.Sh SEE ALSO -.Xr krb5 3 , -.Xr krb5.conf 5 , -.Xr kerberos 8 diff --git a/lib/gssapi/krb5/gssapi.h b/lib/gssapi/krb5/gssapi.h deleted file mode 100644 index d95750ba3..000000000 --- a/lib/gssapi/krb5/gssapi.h +++ /dev/null 
@@ -1,774 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* $Id$ */ - -#ifndef GSSAPI_H_ -#define GSSAPI_H_ - -/* - * First, include stddef.h to get size_t defined. - */ -#include - -#include - -/* - * Now define the three implementation-dependent types. 
- */ - -typedef u_int32_t OM_uint32; - -typedef u_int32_t gss_uint32; - -/* - * This is to avoid having to include - */ - -struct krb5_auth_context_data; - -struct Principal; - -/* typedef void *gss_name_t; */ - -typedef struct Principal *gss_name_t; - -typedef struct gss_ctx_id_t_desc_struct { - struct krb5_auth_context_data *auth_context; - gss_name_t source, target; - OM_uint32 flags; - enum { LOCAL = 1, OPEN = 2, COMPAT_OLD_DES3 = 4 } more_flags; - struct krb5_ticket *ticket; - time_t lifetime; -} gss_ctx_id_t_desc; - -typedef gss_ctx_id_t_desc *gss_ctx_id_t; - -typedef struct gss_OID_desc_struct { - OM_uint32 length; - void *elements; -} gss_OID_desc, *gss_OID; - -typedef struct gss_OID_set_desc_struct { - size_t count; - gss_OID elements; -} gss_OID_set_desc, *gss_OID_set; - -struct krb5_keytab_data; - -struct krb5_ccache_data; - -typedef int gss_cred_usage_t; - -typedef struct gss_cred_id_t_desc_struct { - gss_name_t principal; - struct krb5_keytab_data *keytab; - OM_uint32 lifetime; - gss_cred_usage_t usage; - gss_OID_set mechanisms; - struct krb5_ccache_data *ccache; -} gss_cred_id_t_desc; - -typedef gss_cred_id_t_desc *gss_cred_id_t; - -typedef struct gss_buffer_desc_struct { - size_t length; - void *value; -} gss_buffer_desc, *gss_buffer_t; - -typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; -} *gss_channel_bindings_t; - -/* - * For now, define a QOP-type as an OM_uint32 - */ -typedef OM_uint32 gss_qop_t; - -/* - * Flag bits for context-level services. 
- */ -#define GSS_C_DELEG_FLAG 1 -#define GSS_C_MUTUAL_FLAG 2 -#define GSS_C_REPLAY_FLAG 4 -#define GSS_C_SEQUENCE_FLAG 8 -#define GSS_C_CONF_FLAG 16 -#define GSS_C_INTEG_FLAG 32 -#define GSS_C_ANON_FLAG 64 -#define GSS_C_PROT_READY_FLAG 128 -#define GSS_C_TRANS_FLAG 256 - -/* - * Credential usage options - */ -#define GSS_C_BOTH 0 -#define GSS_C_INITIATE 1 -#define GSS_C_ACCEPT 2 - -/* - * Status code types for gss_display_status - */ -#define GSS_C_GSS_CODE 1 -#define GSS_C_MECH_CODE 2 - -/* - * The constant definitions for channel-bindings address families - */ -#define GSS_C_AF_UNSPEC 0 -#define GSS_C_AF_LOCAL 1 -#define GSS_C_AF_INET 2 -#define GSS_C_AF_IMPLINK 3 -#define GSS_C_AF_PUP 4 -#define GSS_C_AF_CHAOS 5 -#define GSS_C_AF_NS 6 -#define GSS_C_AF_NBS 7 -#define GSS_C_AF_ECMA 8 -#define GSS_C_AF_DATAKIT 9 -#define GSS_C_AF_CCITT 10 -#define GSS_C_AF_SNA 11 -#define GSS_C_AF_DECnet 12 -#define GSS_C_AF_DLI 13 -#define GSS_C_AF_LAT 14 -#define GSS_C_AF_HYLINK 15 -#define GSS_C_AF_APPLETALK 16 -#define GSS_C_AF_BSC 17 -#define GSS_C_AF_DSS 18 -#define GSS_C_AF_OSI 19 -#define GSS_C_AF_X25 21 -#define GSS_C_AF_INET6 24 - -#define GSS_C_AF_NULLADDR 255 - -/* - * Various Null values - */ -#define GSS_C_NO_NAME ((gss_name_t) 0) -#define GSS_C_NO_BUFFER ((gss_buffer_t) 0) -#define GSS_C_NO_OID ((gss_OID) 0) -#define GSS_C_NO_OID_SET ((gss_OID_set) 0) -#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0) -#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0) -#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) -#define GSS_C_EMPTY_BUFFER {0, NULL} - -/* - * Some alternate names for a couple of the above - * values. These are defined for V1 compatibility. - */ -#define GSS_C_NULL_OID GSS_C_NO_OID -#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET - -/* - * Define the default Quality of Protection for per-message - * services. 
Note that an implementation that offers multiple - * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero - * (as done here) to mean "default protection", or to a specific - * explicit QOP value. However, a value of 0 should always be - * interpreted by a GSSAPI implementation as a request for the - * default protection level. - */ -#define GSS_C_QOP_DEFAULT 0 - -#define GSS_KRB5_CONF_C_QOP_DES 0x0100 -#define GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 - -/* - * Expiration time of 2^32-1 seconds means infinite lifetime for a - * credential or security context - */ -#define GSS_C_INDEFINITE 0xfffffffful - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x01"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant - * GSS_C_NT_USER_NAME should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_USER_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x02"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}. - * The constant GSS_C_NT_MACHINE_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_MACHINE_UID_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x03"}, - * corresponding to an object-identifier value of - * {iso(1) member-body(2) United States(840) mit(113554) - * infosys(1) gssapi(2) generic(1) string_uid_name(3)}. 
- * The constant GSS_C_NT_STRING_UID_NAME should be - * initialized to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_STRING_UID_NAME; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x02"}, - * corresponding to an object-identifier value of - * {iso(1) org(3) dod(6) internet(1) security(5) - * nametypes(6) gss-host-based-services(2)). The constant - * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point - * to that gss_OID_desc. This is a deprecated OID value, and - * implementations wishing to support hostbased-service names - * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID, - * defined below, to identify such names; - * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym - * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input - * parameter, but should not be emitted by GSS-API - * implementations - */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {10, (void *)"\x2a\x86\x48\x86\xf7\x12" - * "\x01\x02\x01\x04"}, corresponding to an - * object-identifier value of {iso(1) member-body(2) - * Unites States(840) mit(113554) infosys(1) gssapi(2) - * generic(1) service_name(4)}. The constant - * GSS_C_NT_HOSTBASED_SERVICE should be initialized - * to point to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_HOSTBASED_SERVICE; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\01\x05\x06\x03"}, - * corresponding to an object identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 3(gss-anonymous-name)}. The constant - * and GSS_C_NT_ANONYMOUS should be initialized to point - * to that gss_OID_desc. 
- */ -extern gss_OID GSS_C_NT_ANONYMOUS; - -/* - * The implementation must reserve static storage for a - * gss_OID_desc object containing the value - * {6, (void *)"\x2b\x06\x01\x05\x06\x04"}, - * corresponding to an object-identifier value of - * {1(iso), 3(org), 6(dod), 1(internet), 5(security), - * 6(nametypes), 4(gss-api-exported-name)}. The constant - * GSS_C_NT_EXPORT_NAME should be initialized to point - * to that gss_OID_desc. - */ -extern gss_OID GSS_C_NT_EXPORT_NAME; - -/* - * This if for kerberos5 names. - */ - -extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME; -extern gss_OID GSS_KRB5_NT_USER_NAME; -extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME; -extern gss_OID GSS_KRB5_NT_STRING_UID_NAME; - -extern gss_OID GSS_KRB5_MECHANISM; - -/* for compatibility with MIT api */ - -#define gss_mech_krb5 GSS_KRB5_MECHANISM - -/* Major status codes */ - -#define GSS_S_COMPLETE 0 - -/* - * Some "helper" definitions to make the status code macros obvious. - */ -#define GSS_C_CALLING_ERROR_OFFSET 24 -#define GSS_C_ROUTINE_ERROR_OFFSET 16 -#define GSS_C_SUPPLEMENTARY_OFFSET 0 -#define GSS_C_CALLING_ERROR_MASK 0377ul -#define GSS_C_ROUTINE_ERROR_MASK 0377ul -#define GSS_C_SUPPLEMENTARY_MASK 0177777ul - -/* - * The macros that test status codes for error conditions. - * Note that the GSS_ERROR() macro has changed slightly from - * the V1 GSSAPI so that it now evaluates its argument - * only once. 
- */ -#define GSS_CALLING_ERROR(x) \ - (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET)) -#define GSS_ROUTINE_ERROR(x) \ - (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)) -#define GSS_SUPPLEMENTARY_INFO(x) \ - (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET)) -#define GSS_ERROR(x) \ - (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \ - (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) - -/* - * Now the actual status code definitions - */ - -/* - * Calling errors: - */ -#define GSS_S_CALL_INACCESSIBLE_READ \ - (1ul << GSS_C_CALLING_ERROR_OFFSET) -#define GSS_S_CALL_INACCESSIBLE_WRITE \ - (2ul << GSS_C_CALLING_ERROR_OFFSET) -#define GSS_S_CALL_BAD_STRUCTURE \ - (3ul << GSS_C_CALLING_ERROR_OFFSET) - -/* - * Routine errors: - */ -#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET) - -#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_MIC GSS_S_BAD_SIG -#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET) -#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET) - -/* 
- * Supplementary info bits: - */ -#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0)) -#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1)) -#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2)) -#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3)) -#define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4)) - -/* - * From RFC1964: - * - * 4.1.1. Non-Kerberos-specific codes - */ - -#define GSS_KRB5_S_G_BAD_SERVICE_NAME 1 - /* "No @ in SERVICE-NAME name string" */ -#define GSS_KRB5_S_G_BAD_STRING_UID 2 - /* "STRING-UID-NAME contains nondigits" */ -#define GSS_KRB5_S_G_NOUSER 3 - /* "UID does not resolve to username" */ -#define GSS_KRB5_S_G_VALIDATE_FAILED 4 - /* "Validation error" */ -#define GSS_KRB5_S_G_BUFFER_ALLOC 5 - /* "Couldn't allocate gss_buffer_t data" */ -#define GSS_KRB5_S_G_BAD_MSG_CTX 6 - /* "Message context invalid" */ -#define GSS_KRB5_S_G_WRONG_SIZE 7 - /* "Buffer is the wrong size" */ -#define GSS_KRB5_S_G_BAD_USAGE 8 - /* "Credential usage type is unknown" */ -#define GSS_KRB5_S_G_UNKNOWN_QOP 9 - /* "Unknown quality of protection specified" */ - - /* - * 4.1.2. Kerberos-specific-codes - */ - -#define GSS_KRB5_S_KG_CCACHE_NOMATCH 10 - /* "Principal in credential cache does not match desired name" */ -#define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11 - /* "No principal in keytab matches desired name" */ -#define GSS_KRB5_S_KG_TGT_MISSING 12 - /* "Credential cache has no TGT" */ -#define GSS_KRB5_S_KG_NO_SUBKEY 13 - /* "Authenticator has no subkey" */ -#define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14 - /* "Context is already fully established" */ -#define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15 - /* "Unknown signature type in token" */ -#define GSS_KRB5_S_KG_BAD_LENGTH 16 - /* "Invalid field length in token" */ -#define GSS_KRB5_S_KG_CTX_INCOMPLETE 17 - /* "Attempt to use incomplete security context" */ - -/* - * Finally, function prototypes for the GSS-API routines. 
- */ - -OM_uint32 gss_acquire_cred - (OM_uint32 * /*minor_status*/, - const gss_name_t /*desired_name*/, - OM_uint32 /*time_req*/, - const gss_OID_set /*desired_mechs*/, - gss_cred_usage_t /*cred_usage*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_release_cred - (OM_uint32 * /*minor_status*/, - gss_cred_id_t * /*cred_handle*/ - ); - -OM_uint32 gss_init_sec_context - (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*initiator_cred_handle*/, - gss_ctx_id_t * /*context_handle*/, - const gss_name_t /*target_name*/, - const gss_OID /*mech_type*/, - OM_uint32 /*req_flags*/, - OM_uint32 /*time_req*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - const gss_buffer_t /*input_token*/, - gss_OID * /*actual_mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_accept_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - const gss_cred_id_t /*acceptor_cred_handle*/, - const gss_buffer_t /*input_token_buffer*/, - const gss_channel_bindings_t /*input_chan_bindings*/, - gss_name_t * /*src_name*/, - gss_OID * /*mech_type*/, - gss_buffer_t /*output_token*/, - OM_uint32 * /*ret_flags*/, - OM_uint32 * /*time_rec*/, - gss_cred_id_t * /*delegated_cred_handle*/ - ); - -OM_uint32 gss_process_context_token - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*token_buffer*/ - ); - -OM_uint32 gss_delete_sec_context - (OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*output_token*/ - ); - -OM_uint32 gss_context_time - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - OM_uint32 * /*time_rec*/ - ); - -OM_uint32 gss_get_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*message_buffer*/, - gss_buffer_t /*message_token*/ - ); - 
-OM_uint32 gss_verify_mic - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*message_buffer*/, - const gss_buffer_t /*token_buffer*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_wrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - const gss_buffer_t /*input_message_buffer*/, - int * /*conf_state*/, - gss_buffer_t /*output_message_buffer*/ - ); - -OM_uint32 gss_unwrap - (OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - const gss_buffer_t /*input_message_buffer*/, - gss_buffer_t /*output_message_buffer*/, - int * /*conf_state*/, - gss_qop_t * /*qop_state*/ - ); - -OM_uint32 gss_display_status - (OM_uint32 * /*minor_status*/, - OM_uint32 /*status_value*/, - int /*status_type*/, - const gss_OID /*mech_type*/, - OM_uint32 * /*message_context*/, - gss_buffer_t /*status_string*/ - ); - -OM_uint32 gss_indicate_mechs - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*mech_set*/ - ); - -OM_uint32 gss_compare_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*name1*/, - const gss_name_t /*name2*/, - int * /*name_equal*/ - ); - -OM_uint32 gss_display_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*output_name_buffer*/, - gss_OID * /*output_name_type*/ - ); - -OM_uint32 gss_import_name - (OM_uint32 * /*minor_status*/, - const gss_buffer_t /*input_name_buffer*/, - const gss_OID /*input_name_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_export_name - (OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_buffer_t /*exported_name*/ - ); - -OM_uint32 gss_release_name - (OM_uint32 * /*minor_status*/, - gss_name_t * /*input_name*/ - ); - -OM_uint32 gss_release_buffer - (OM_uint32 * /*minor_status*/, - gss_buffer_t /*buffer*/ - ); - -OM_uint32 gss_release_oid_set - (OM_uint32 * /*minor_status*/, - gss_OID_set * /*set*/ - ); - -OM_uint32 gss_inquire_cred 
- (OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - gss_name_t * /*name*/, - OM_uint32 * /*lifetime*/, - gss_cred_usage_t * /*cred_usage*/, - gss_OID_set * /*mechanisms*/ - ); - -OM_uint32 gss_inquire_context ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - gss_name_t * /*src_name*/, - gss_name_t * /*targ_name*/, - OM_uint32 * /*lifetime_rec*/, - gss_OID * /*mech_type*/, - OM_uint32 * /*ctx_flags*/, - int * /*locally_initiated*/, - int * /*open_context*/ - ); - -OM_uint32 gss_wrap_size_limit ( - OM_uint32 * /*minor_status*/, - const gss_ctx_id_t /*context_handle*/, - int /*conf_req_flag*/, - gss_qop_t /*qop_req*/, - OM_uint32 /*req_output_size*/, - OM_uint32 * /*max_input_size*/ - ); - -OM_uint32 gss_add_cred ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*input_cred_handle*/, - const gss_name_t /*desired_name*/, - const gss_OID /*desired_mech*/, - gss_cred_usage_t /*cred_usage*/, - OM_uint32 /*initiator_time_req*/, - OM_uint32 /*acceptor_time_req*/, - gss_cred_id_t * /*output_cred_handle*/, - gss_OID_set * /*actual_mechs*/, - OM_uint32 * /*initiator_time_rec*/, - OM_uint32 * /*acceptor_time_rec*/ - ); - -OM_uint32 gss_inquire_cred_by_mech ( - OM_uint32 * /*minor_status*/, - const gss_cred_id_t /*cred_handle*/, - const gss_OID /*mech_type*/, - gss_name_t * /*name*/, - OM_uint32 * /*initiator_lifetime*/, - OM_uint32 * /*acceptor_lifetime*/, - gss_cred_usage_t * /*cred_usage*/ - ); - -OM_uint32 gss_export_sec_context ( - OM_uint32 * /*minor_status*/, - gss_ctx_id_t * /*context_handle*/, - gss_buffer_t /*interprocess_token*/ - ); - -OM_uint32 gss_import_sec_context ( - OM_uint32 * /*minor_status*/, - const gss_buffer_t /*interprocess_token*/, - gss_ctx_id_t * /*context_handle*/ - ); - -OM_uint32 gss_create_empty_oid_set ( - OM_uint32 * /*minor_status*/, - gss_OID_set * /*oid_set*/ - ); - -OM_uint32 gss_add_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member_oid*/, - gss_OID_set * 
/*oid_set*/ - ); - -OM_uint32 gss_test_oid_set_member ( - OM_uint32 * /*minor_status*/, - const gss_OID /*member*/, - const gss_OID_set /*set*/, - int * /*present*/ - ); - -OM_uint32 gss_inquire_names_for_mech ( - OM_uint32 * /*minor_status*/, - const gss_OID /*mechanism*/, - gss_OID_set * /*name_types*/ - ); - -OM_uint32 gss_inquire_mechs_for_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - gss_OID_set * /*mech_types*/ - ); - -OM_uint32 gss_canonicalize_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*input_name*/, - const gss_OID /*mech_type*/, - gss_name_t * /*output_name*/ - ); - -OM_uint32 gss_duplicate_name ( - OM_uint32 * /*minor_status*/, - const gss_name_t /*src_name*/, - gss_name_t * /*dest_name*/ - ); - -/* - * The following routines are obsolete variants of gss_get_mic, - * gss_verify_mic, gss_wrap and gss_unwrap. They should be - * provided by GSSAPI V2 implementations for backwards - * compatibility with V1 applications. Distinct entrypoints - * (as opposed to #defines) should be provided, both to allow - * GSSAPI V1 applications to link against GSSAPI V2 implementations, - * and to retain the slight parameter type differences between the - * obsolete versions of these routines and their current forms. 
- */
-
-OM_uint32 gss_sign
- (OM_uint32 * /*minor_status*/,
- gss_ctx_id_t /*context_handle*/,
- int /*qop_req*/,
- gss_buffer_t /*message_buffer*/,
- gss_buffer_t /*message_token*/
- );
-
-OM_uint32 gss_verify
- (OM_uint32 * /*minor_status*/,
- gss_ctx_id_t /*context_handle*/,
- gss_buffer_t /*message_buffer*/,
- gss_buffer_t /*token_buffer*/,
- int * /*qop_state*/
- );
-
-OM_uint32 gss_seal
- (OM_uint32 * /*minor_status*/,
- gss_ctx_id_t /*context_handle*/,
- int /*conf_req_flag*/,
- int /*qop_req*/,
- gss_buffer_t /*input_message_buffer*/,
- int * /*conf_state*/,
- gss_buffer_t /*output_message_buffer*/
- );
-
-OM_uint32 gss_unseal
- (OM_uint32 * /*minor_status*/,
- gss_ctx_id_t /*context_handle*/,
- gss_buffer_t /*input_message_buffer*/,
- gss_buffer_t /*output_message_buffer*/,
- int * /*conf_state*/,
- int * /*qop_state*/
- );
-
-/*
- * kerberos mechanism specific functions
- */
-
-OM_uint32 gsskrb5_register_acceptor_identity
- (const char */*identity*/);
-
-OM_uint32 gss_krb5_copy_ccache
- (OM_uint32 */*minor*/,
- gss_cred_id_t /*cred*/,
- struct krb5_ccache_data */*out*/);
-
-#endif /* GSSAPI_H_ */
diff --git a/lib/gssapi/krb5/gssapi_locl.h b/lib/gssapi/krb5/gssapi_locl.h
deleted file mode 100644
index 3cf709618..000000000
--- a/lib/gssapi/krb5/gssapi_locl.h
+++ /dev/null
@@ -1,148 +0,0 @@ -/* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */
-
-/* $Id$ */
-
-#ifndef GSSAPI_LOCL_H
-#define GSSAPI_LOCL_H
-
-#ifdef HAVE_CONFIG_H
-#include
-#endif
-
-#include
-#include
-#include
-
-extern krb5_context gssapi_krb5_context;
-
-extern krb5_keytab gssapi_krb5_keytab;
-
-krb5_error_code gssapi_krb5_init (void);
-
-#define GSSAPI_KRB5_INIT() do { \
- krb5_error_code kret; \
- if((kret = gssapi_krb5_init ()) != 0) { \
- *minor_status = kret; \
- return GSS_S_FAILURE; \
- } \
-} while (0)
-
-OM_uint32
-gssapi_krb5_create_8003_checksum (
- OM_uint32 *minor_status,
- const gss_channel_bindings_t input_chan_bindings,
- OM_uint32 flags,
- const krb5_data *fwd_data,
- Checksum *result);
-
-OM_uint32
-gssapi_krb5_verify_8003_checksum (
- OM_uint32 *minor_status,
- const gss_channel_bindings_t input_chan_bindings,
- const Checksum *cksum,
- OM_uint32 *flags,
- krb5_data *fwd_data);
-
-OM_uint32
-gssapi_krb5_encapsulate(
- OM_uint32 *minor_status,
- const krb5_data *in_data,
- gss_buffer_t output_token,
- u_char *type);
-
-OM_uint32
-gssapi_krb5_decapsulate(
- OM_uint32 *minor_status,
- gss_buffer_t input_token_buffer,
- krb5_data *out_data,
- char *type);
-
-void
-gssapi_krb5_encap_length (size_t data_len,
- size_t *len,
- size_t *total_len);
-
-u_char *
-gssapi_krb5_make_header (u_char *p,
- size_t len,
- u_char *type);
-
-OM_uint32
-gssapi_krb5_verify_header(u_char **str,
- size_t total_len,
- char *type);
-
-OM_uint32
-gss_verify_mic_internal(OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t * qop_state,
- char * type);
-
-OM_uint32
-gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
-
-OM_uint32
-gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
- krb5_keyblock **key);
-
-krb5_error_code
-gss_address_to_krb5addr(OM_uint32 gss_addr_type,
- gss_buffer_desc *gss_addr,
- int16_t port,
- krb5_address *address);
-
-/* sec_context flags */
-
-#define SC_LOCAL_ADDRESS 0x01
-#define
SC_REMOTE_ADDRESS 0x02
-#define SC_KEYBLOCK 0x04
-#define SC_LOCAL_SUBKEY 0x08
-#define SC_REMOTE_SUBKEY 0x10
-
-int
-gss_oid_equal(const gss_OID a, const gss_OID b);
-
-void
-gssapi_krb5_set_error_string (void);
-
-char *
-gssapi_krb5_get_error_string (void);
-
-OM_uint32
-_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx);
-
-#endif
diff --git a/lib/gssapi/krb5/import_name.c b/lib/gssapi/krb5/import_name.c
deleted file mode 100644
index f3af21743..000000000
--- a/lib/gssapi/krb5/import_name.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static OM_uint32 -parse_krb5_name (OM_uint32 *minor_status, - const char *name, - gss_name_t *output_name) -{ - krb5_error_code kerr; - - kerr = krb5_parse_name (gssapi_krb5_context, name, output_name); - - if (kerr == 0) - return GSS_S_COMPLETE; - else if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_BAD_NAME; - } else { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_FAILURE; - } -} - -static OM_uint32 -import_krb5_name (OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - OM_uint32 ret; - char *tmp; - - tmp = malloc (input_name_buffer->length + 1); - if (tmp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, - input_name_buffer->value, - input_name_buffer->length); - tmp[input_name_buffer->length] = '\0'; - - ret = parse_krb5_name(minor_status, tmp, output_name); - free(tmp); - - return ret; -} - -static OM_uint32 -import_hostbased_name (OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - krb5_error_code kerr; - char *tmp; - char *p; - char *host; - char local_hostname[MAXHOSTNAMELEN]; - - *output_name = NULL; - - tmp = malloc (input_name_buffer->length + 1); - if (tmp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy (tmp, - input_name_buffer->value, - input_name_buffer->length); - tmp[input_name_buffer->length] = '\0'; - - p = strchr (tmp, '@'); - if (p != NULL) { - *p = '\0'; - host = p + 1; - } else { - if (gethostname(local_hostname, sizeof(local_hostname)) < 0) { - *minor_status = errno; - free (tmp); - return GSS_S_FAILURE; - } - host = local_hostname; - } - - kerr = krb5_sname_to_principal (gssapi_krb5_context, - host, - tmp, - KRB5_NT_SRV_HST, - output_name); - free (tmp); - *minor_status = kerr; - if (kerr == 0) - return GSS_S_COMPLETE; - else 
if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED) { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_BAD_NAME; - } else { - gssapi_krb5_set_error_string (); - *minor_status = kerr; - return GSS_S_FAILURE; - } -} - -static OM_uint32 -import_export_name (OM_uint32 *minor_status, - const gss_buffer_t input_name_buffer, - gss_name_t *output_name) -{ - unsigned char *p; - uint32_t length; - OM_uint32 ret; - char *name; - - if (input_name_buffer->length < 10 + GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_NAME; - - /* TOK, MECH_OID_LEN, DER(MECH_OID), NAME_LEN, NAME */ - - p = input_name_buffer->value; - - if (memcmp(&p[0], "\x04\x01\x00", 3) != 0 || - p[3] != GSS_KRB5_MECHANISM->length + 2 || - p[4] != 0x06 || - p[5] != GSS_KRB5_MECHANISM->length || - memcmp(&p[6], GSS_KRB5_MECHANISM->elements, - GSS_KRB5_MECHANISM->length) != 0) - return GSS_S_BAD_NAME; - - p += 6 + GSS_KRB5_MECHANISM->length; - - length = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; - p += 4; - - if (length > input_name_buffer->length - 10 - GSS_KRB5_MECHANISM->length) - return GSS_S_BAD_NAME; - - name = malloc(length + 1); - if (name == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - memcpy(name, p, length); - name[length] = '\0'; - - ret = parse_krb5_name(minor_status, name, output_name); - free(name); - - return ret; -} - -int -gss_oid_equal(const gss_OID a, const gss_OID b) -{ - if (a == b) - return 1; - else if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length) - return 0; - else - return memcmp(a->elements, b->elements, a->length) == 0; -} - -OM_uint32 gss_import_name - (OM_uint32 * minor_status, - const gss_buffer_t input_name_buffer, - const gss_OID input_name_type, - gss_name_t * output_name - ) -{ - GSSAPI_KRB5_INIT (); - - *minor_status = 0; - *output_name = GSS_C_NO_NAME; - - if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE)) - return import_hostbased_name (minor_status, - input_name_buffer, - output_name); 
- else if (gss_oid_equal(input_name_type, GSS_C_NO_OID) - || gss_oid_equal(input_name_type, GSS_C_NT_USER_NAME) - || gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME)) - /* default printable syntax */ - return import_krb5_name (minor_status, - input_name_buffer, - output_name); - else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) { - return import_export_name(minor_status, - input_name_buffer, - output_name); - } else { - *minor_status = 0; - return GSS_S_BAD_NAMETYPE; - } -} diff --git a/lib/gssapi/krb5/import_sec_context.c b/lib/gssapi/krb5/import_sec_context.c deleted file mode 100644 index f309b4b06..000000000 --- a/lib/gssapi/krb5/import_sec_context.c +++ /dev/null 
@@ -1,212 +0,0 @@
-/*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_import_sec_context ( - OM_uint32 * minor_status, - const gss_buffer_t interprocess_token, - gss_ctx_id_t * context_handle - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - krb5_error_code kret; - krb5_storage *sp; - krb5_auth_context ac; - krb5_address local, remote; - krb5_address *localp, *remotep; - krb5_data data; - gss_buffer_desc buffer; - krb5_keyblock keyblock; - int32_t tmp; - int32_t flags; - OM_uint32 minor; - - GSSAPI_KRB5_INIT (); - - localp = remotep = NULL; - - sp = krb5_storage_from_mem (interprocess_token->value, - interprocess_token->length); - if (sp == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == NULL) { - *minor_status = ENOMEM; - krb5_storage_free (sp); - return GSS_S_FAILURE; - } - memset (*context_handle, 0, sizeof(**context_handle)); - - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - /* flags */ - - *minor_status = 0; - - if (krb5_ret_int32 (sp, &flags) != 0) - goto failure; - - /* retrieve the auth context */ - - ac = (*context_handle)->auth_context; - krb5_ret_int32 (sp, &ac->flags); - if (flags & SC_LOCAL_ADDRESS) { - if (krb5_ret_address (sp, localp = &local) != 0) - goto failure; - } - - if (flags & SC_REMOTE_ADDRESS) { - if (krb5_ret_address (sp, remotep = &remote) != 0) - goto failure; - } - - krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep); - if (localp) - krb5_free_address (gssapi_krb5_context, localp); - if (remotep) - krb5_free_address (gssapi_krb5_context, remotep); - localp = remotep = NULL; - - if (krb5_ret_int16 (sp, &ac->local_port) != 0) - goto failure; - - if (krb5_ret_int16 (sp, &ac->remote_port) != 0) - goto failure; - if (flags & SC_KEYBLOCK) { - if (krb5_ret_keyblock (sp, &keyblock) != 0) - 
goto failure; - krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock); - krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); - } - if (flags & SC_LOCAL_SUBKEY) { - if (krb5_ret_keyblock (sp, &keyblock) != 0) - goto failure; - krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock); - krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); - } - if (flags & SC_REMOTE_SUBKEY) { - if (krb5_ret_keyblock (sp, &keyblock) != 0) - goto failure; - krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock); - krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); - } - if (krb5_ret_int32 (sp, &ac->local_seqnumber)) - goto failure; - if (krb5_ret_int32 (sp, &ac->remote_seqnumber)) - goto failure; - - if (krb5_ret_int32 (sp, &tmp) != 0) - goto failure; - ac->keytype = tmp; - if (krb5_ret_int32 (sp, &tmp) != 0) - goto failure; - ac->cksumtype = tmp; - - /* names */ - - if (krb5_ret_data (sp, &data)) - goto failure; - buffer.value = data.data; - buffer.length = data.length; - - ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, - &(*context_handle)->source); - if (ret) { - ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, - &(*context_handle)->source); - if (ret) { - krb5_data_free (&data); - goto failure; - } - } - krb5_data_free (&data); - - if (krb5_ret_data (sp, &data) != 0) - goto failure; - buffer.value = data.data; - buffer.length = data.length; - - ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, - &(*context_handle)->target); - if (ret) { - ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, - &(*context_handle)->target); - if (ret) { - krb5_data_free (&data); - goto failure; - } - } - krb5_data_free (&data); - - if (krb5_ret_int32 (sp, &tmp)) - goto failure; - (*context_handle)->flags = tmp; - if (krb5_ret_int32 (sp, &tmp)) - goto failure; - (*context_handle)->more_flags = tmp; - if (krb5_ret_int32 (sp, &tmp) == 0) - (*context_handle)->lifetime = tmp; - else - 
(*context_handle)->lifetime = GSS_C_INDEFINITE; - - return GSS_S_COMPLETE; - -failure: - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if ((*context_handle)->source != NULL) - gss_release_name(&minor, &(*context_handle)->source); - if ((*context_handle)->target != NULL) - gss_release_name(&minor, &(*context_handle)->target); - if (localp) - krb5_free_address (gssapi_krb5_context, localp); - if (remotep) - krb5_free_address (gssapi_krb5_context, remotep); - free (*context_handle); - *context_handle = GSS_C_NO_CONTEXT; - return ret; -} diff --git a/lib/gssapi/krb5/indicate_mechs.c b/lib/gssapi/krb5/indicate_mechs.c deleted file mode 100644 index 1af384367..000000000 --- a/lib/gssapi/krb5/indicate_mechs.c +++ /dev/null 
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_indicate_mechs
- (OM_uint32 * minor_status,
- gss_OID_set * mech_set
- )
-{
- OM_uint32 ret;
-
- ret = gss_create_empty_oid_set(minor_status, mech_set);
- if (ret)
- return ret;
-
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, mech_set);
- if (ret)
- return ret;
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/init.c b/lib/gssapi/krb5/init.c
deleted file mode 100644
index ec63bcfc4..000000000
--- a/lib/gssapi/krb5/init.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-krb5_error_code
-gssapi_krb5_init (void)
-{
- if(gssapi_krb5_context == NULL)
- return krb5_init_context (&gssapi_krb5_context);
- return 0;
-}
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
deleted file mode 100644
index efd5ae9c4..000000000
--- a/lib/gssapi/krb5/init_sec_context.c
+++ /dev/null
@@ -1,559 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -/* - * copy the addresses from `input_chan_bindings' (if any) to - * the auth context `ac' - */ - -static OM_uint32 -set_addresses (krb5_auth_context ac, - const gss_channel_bindings_t input_chan_bindings) -{ - /* Port numbers are expected to be in application_data.value, - * initator's port first */ - - krb5_address initiator_addr, acceptor_addr; - krb5_error_code kret; - - if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS - || input_chan_bindings->application_data.length != - 2 * sizeof(ac->local_port)) - return 0; - - memset(&initiator_addr, 0, sizeof(initiator_addr)); - memset(&acceptor_addr, 0, sizeof(acceptor_addr)); - - ac->local_port = - *(int16_t *) input_chan_bindings->application_data.value; - - ac->remote_port = - *((int16_t *) input_chan_bindings->application_data.value + 1); - - kret = gss_address_to_krb5addr(input_chan_bindings->acceptor_addrtype, - &input_chan_bindings->acceptor_address, - ac->remote_port, - &acceptor_addr); - if (kret) - return kret; - - kret = gss_address_to_krb5addr(input_chan_bindings->initiator_addrtype, - &input_chan_bindings->initiator_address, - ac->local_port, - &initiator_addr); - if (kret) { - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - return kret; - } - - kret = krb5_auth_con_setaddrs(gssapi_krb5_context, - ac, - &initiator_addr, /* local address */ - &acceptor_addr); /* remote address */ - - krb5_free_address (gssapi_krb5_context, &initiator_addr); - krb5_free_address (gssapi_krb5_context, &acceptor_addr); - -#if 0 - free(input_chan_bindings->application_data.value); - input_chan_bindings->application_data.value = NULL; - input_chan_bindings->application_data.length = 0; -#endif - - return kret; -} - -/* - * handle delegated creds in init-sec-context - */ - -static void -do_delegation (krb5_auth_context ac, - krb5_ccache ccache, - krb5_creds *cred, - const gss_name_t target_name, - krb5_data *fwd_data, - int *flags) -{ - krb5_creds creds; - 
krb5_kdc_flags fwd_flags; - krb5_error_code kret; - - memset (&creds, 0, sizeof(creds)); - krb5_data_zero (fwd_data); - - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &creds.client); - if (kret) - goto out; - - kret = krb5_build_principal(gssapi_krb5_context, - &creds.server, - strlen(creds.client->realm), - creds.client->realm, - KRB5_TGS_NAME, - creds.client->realm, - NULL); - if (kret) - goto out; - - creds.times.endtime = 0; - - fwd_flags.i = 0; - fwd_flags.b.forwarded = 1; - fwd_flags.b.forwardable = 1; - - if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/ - target_name->name.name_string.len < 2) - goto out; - - kret = krb5_get_forwarded_creds(gssapi_krb5_context, - ac, - ccache, - fwd_flags.i, - target_name->name.name_string.val[1], - &creds, - fwd_data); - - out: - if (kret) - *flags &= ~GSS_C_DELEG_FLAG; - else - *flags |= GSS_C_DELEG_FLAG; - - if (creds.client) - krb5_free_principal(gssapi_krb5_context, creds.client); - if (creds.server) - krb5_free_principal(gssapi_krb5_context, creds.server); -} - -/* - * first stage of init-sec-context - */ - -static OM_uint32 -init_auth -(OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret = GSS_S_FAILURE; - krb5_error_code kret; - krb5_flags ap_options; - krb5_creds this_cred, *cred; - krb5_data outbuf; - krb5_ccache ccache; - u_int32_t flags; - Authenticator *auth; - krb5_data authenticator; - Checksum cksum; - krb5_enctype enctype; - krb5_data fwd_data; - - krb5_data_zero(&outbuf); - krb5_data_zero(&fwd_data); - - *minor_status = 0; - - *context_handle = malloc(sizeof(**context_handle)); - if (*context_handle == NULL) { - 
*minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - (*context_handle)->auth_context = NULL; - (*context_handle)->source = NULL; - (*context_handle)->target = NULL; - (*context_handle)->flags = 0; - (*context_handle)->more_flags = 0; - (*context_handle)->ticket = NULL; - (*context_handle)->lifetime = GSS_C_INDEFINITE; - - kret = krb5_auth_con_init (gssapi_krb5_context, - &(*context_handle)->auth_context); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = set_addresses ((*context_handle)->auth_context, - input_chan_bindings); - if (kret) { - *minor_status = kret; - ret = GSS_S_BAD_BINDINGS; - goto failure; - } - - { - int32_t tmp; - - krb5_auth_con_getflags(gssapi_krb5_context, - (*context_handle)->auth_context, - &tmp); - tmp |= KRB5_AUTH_CONTEXT_DO_SEQUENCE; - krb5_auth_con_setflags(gssapi_krb5_context, - (*context_handle)->auth_context, - tmp); - } - - if (actual_mech_type) - *actual_mech_type = GSS_KRB5_MECHANISM; - - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { - kret = krb5_cc_default (gssapi_krb5_context, &ccache); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - } else - ccache = initiator_cred_handle->ccache; - - kret = krb5_cc_get_principal (gssapi_krb5_context, - ccache, - &(*context_handle)->source); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = krb5_copy_principal (gssapi_krb5_context, - target_name, - &(*context_handle)->target); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - ret = _gss_DES3_get_mic_compat(minor_status, *context_handle); - if (ret) - goto failure; - - - memset(&this_cred, 0, sizeof(this_cred)); - this_cred.client = (*context_handle)->source; - this_cred.server = (*context_handle)->target; - if (time_req && time_req != 
GSS_C_INDEFINITE) { - krb5_timestamp ts; - - krb5_timeofday (gssapi_krb5_context, &ts); - this_cred.times.endtime = ts + time_req; - } else - this_cred.times.endtime = 0; - this_cred.session.keytype = 0; - - kret = krb5_get_credentials (gssapi_krb5_context, - KRB5_TC_MATCH_KEYTYPE, - ccache, - &this_cred, - &cred); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - (*context_handle)->lifetime = cred->times.endtime; - - krb5_auth_con_setkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - - kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, - (*context_handle)->auth_context, - &cred->session); - if(kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - flags = 0; - ap_options = 0; - if (req_flags & GSS_C_DELEG_FLAG) - do_delegation ((*context_handle)->auth_context, - ccache, cred, target_name, &fwd_data, &flags); - - if (req_flags & GSS_C_MUTUAL_FLAG) { - flags |= GSS_C_MUTUAL_FLAG; - ap_options |= AP_OPTS_MUTUAL_REQUIRED; - } - - if (req_flags & GSS_C_REPLAY_FLAG) - ; /* XXX */ - if (req_flags & GSS_C_SEQUENCE_FLAG) - ; /* XXX */ - if (req_flags & GSS_C_ANON_FLAG) - ; /* XXX */ - flags |= GSS_C_CONF_FLAG; - flags |= GSS_C_INTEG_FLAG; - flags |= GSS_C_SEQUENCE_FLAG; - flags |= GSS_C_TRANS_FLAG; - - if (ret_flags) - *ret_flags = flags; - (*context_handle)->flags = flags; - (*context_handle)->more_flags |= LOCAL; - - ret = gssapi_krb5_create_8003_checksum (minor_status, - input_chan_bindings, - flags, - &fwd_data, - &cksum); - krb5_data_free (&fwd_data); - if (ret) - goto failure; - -#if 1 - enctype = (*context_handle)->auth_context->keyblock->keytype; -#else - if ((*context_handle)->auth_context->enctype) - enctype = (*context_handle)->auth_context->enctype; - else { - kret = krb5_keytype_to_enctype(gssapi_krb5_context, - (*context_handle)->auth_context->keyblock->keytype, - &enctype); - if (kret) - 
return kret; - } -#endif - - kret = krb5_build_authenticator (gssapi_krb5_context, - (*context_handle)->auth_context, - enctype, - cred, - &cksum, - &auth, - &authenticator, - KRB5_KU_AP_REQ_AUTH); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - kret = krb5_build_ap_req (gssapi_krb5_context, - enctype, - cred, - ap_options, - authenticator, - &outbuf); - - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; - goto failure; - } - - ret = gssapi_krb5_encapsulate (minor_status, &outbuf, output_token, - "\x01\x00"); - if (ret) - goto failure; - - krb5_data_free (&outbuf); - - if (flags & GSS_C_MUTUAL_FLAG) { - return GSS_S_CONTINUE_NEEDED; - } else { - if (time_rec) - *time_rec = (*context_handle)->lifetime; - - (*context_handle)->more_flags |= OPEN; - return GSS_S_COMPLETE; - } - - failure: - krb5_auth_con_free (gssapi_krb5_context, - (*context_handle)->auth_context); - if((*context_handle)->source) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->source); - if((*context_handle)->target) - krb5_free_principal (gssapi_krb5_context, - (*context_handle)->target); - free (*context_handle); - krb5_data_free (&outbuf); - *context_handle = GSS_C_NO_CONTEXT; - return ret; -} - -static OM_uint32 -repl_mutual - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - OM_uint32 ret; - krb5_error_code kret; - krb5_data indata; - krb5_ap_rep_enc_part *repl; - - output_token->length = 0; - output_token->value = NULL; - - if (actual_mech_type) - *actual_mech_type = GSS_KRB5_MECHANISM; - - ret = 
gssapi_krb5_decapsulate (minor_status, input_token, &indata, - "\x02\x00"); - if (ret) - /* XXX - Handle AP_ERROR */ - return ret; - - kret = krb5_rd_rep (gssapi_krb5_context, - (*context_handle)->auth_context, - &indata, - &repl); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - krb5_free_ap_rep_enc_part (gssapi_krb5_context, - repl); - - (*context_handle)->more_flags |= OPEN; - - if (time_rec) - *time_rec = (*context_handle)->lifetime; - if (ret_flags) - *ret_flags = (*context_handle)->flags; - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -/* - * gss_init_sec_context - */ - -OM_uint32 gss_init_sec_context - (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, - gss_ctx_id_t * context_handle, - const gss_name_t target_name, - const gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - const gss_channel_bindings_t input_chan_bindings, - const gss_buffer_t input_token, - gss_OID * actual_mech_type, - gss_buffer_t output_token, - OM_uint32 * ret_flags, - OM_uint32 * time_rec - ) -{ - GSSAPI_KRB5_INIT (); - - output_token->length = 0; - output_token->value = NULL; - - if (ret_flags) - *ret_flags = 0; - if (time_rec) - *time_rec = 0; - - if (target_name == GSS_C_NO_NAME) { - if (actual_mech_type) - *actual_mech_type = GSS_C_NO_OID; - *minor_status = 0; - return GSS_S_BAD_NAME; - } - - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) - return init_auth (minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); - else - return repl_mutual(minor_status, - initiator_cred_handle, - context_handle, - target_name, - mech_type, - req_flags, - time_req, - input_chan_bindings, - input_token, - actual_mech_type, - output_token, - ret_flags, - time_rec); -} 
diff --git a/lib/gssapi/krb5/inquire_context.c b/lib/gssapi/krb5/inquire_context.c
deleted file mode 100644
index fbab36920..000000000
--- a/lib/gssapi/krb5/inquire_context.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_inquire_context (
- OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- gss_name_t * src_name,
- gss_name_t * targ_name,
- OM_uint32 * lifetime_rec,
- gss_OID * mech_type,
- OM_uint32 * ctx_flags,
- int * locally_initiated,
- int * open_context
- )
-{
- OM_uint32 ret;
-
- if (src_name) {
- ret = gss_duplicate_name (minor_status,
- context_handle->source,
- src_name);
- if (ret)
- return ret;
- }
-
- if (targ_name) {
- ret = gss_duplicate_name (minor_status,
- context_handle->target,
- targ_name);
- if (ret)
- return ret;
- }
-
- if (lifetime_rec)
- *lifetime_rec = context_handle->lifetime;
-
- if (mech_type)
- *mech_type = GSS_KRB5_MECHANISM;
-
- if (ctx_flags)
- *ctx_flags = context_handle->flags;
-
- if (locally_initiated)
- *locally_initiated = context_handle->more_flags & LOCAL;
-
- if (open_context)
- *open_context = context_handle->more_flags & OPEN;
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/inquire_cred.c b/lib/gssapi/krb5/inquire_cred.c
deleted file mode 100644
index 2e873f275..000000000
--- a/lib/gssapi/krb5/inquire_cred.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_inquire_cred
- (OM_uint32 * minor_status,
- const gss_cred_id_t cred_handle,
- gss_name_t * name,
- OM_uint32 * lifetime,
- gss_cred_usage_t * cred_usage,
- gss_OID_set * mechanisms
- )
-{
- OM_uint32 ret;
-
- *minor_status = 0;
-
- if (name)
- *name = NULL;
- if (mechanisms)
- *mechanisms = GSS_C_NO_OID_SET;
-
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- return GSS_S_FAILURE;
- }
-
- if (name != NULL) {
- if (cred_handle->principal != NULL) {
- ret = gss_duplicate_name(minor_status, cred_handle->principal,
- name);
- if (ret)
- return ret;
- } else if (cred_handle->usage == GSS_C_ACCEPT) {
- *minor_status = krb5_sname_to_principal(gssapi_krb5_context, NULL,
- NULL, KRB5_NT_SRV_HST, name);
- if (*minor_status)
- return GSS_S_FAILURE;
- } else {
- *minor_status = krb5_get_default_principal(gssapi_krb5_context,
- name);
- if (*minor_status)
- return GSS_S_FAILURE;
- }
- }
- if (lifetime != NULL) {
- *lifetime = cred_handle->lifetime;
- }
- if (cred_usage != NULL) {
- *cred_usage = cred_handle->usage;
- }
- if (mechanisms != NULL) {
- ret = gss_create_empty_oid_set(minor_status, mechanisms);
- if (ret) {
- return ret;
- }
- ret = gss_add_oid_set_member(minor_status,
- &cred_handle->mechanisms->elements[0],
- mechanisms);
- if (ret) {
- return ret;
- }
- }
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/inquire_cred_by_mech.c b/lib/gssapi/krb5/inquire_cred_by_mech.c
deleted file mode 100644
index e09a54e87..000000000
--- a/lib/gssapi/krb5/inquire_cred_by_mech.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_inquire_cred_by_mech (
- OM_uint32 * minor_status,
- const gss_cred_id_t cred_handle,
- const gss_OID mech_type,
- gss_name_t * name,
- OM_uint32 * initiator_lifetime,
- OM_uint32 * acceptor_lifetime,
- gss_cred_usage_t * cred_usage
- )
-{
- OM_uint32 ret;
- OM_uint32 lifetime;
-
- if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
- gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
- *minor_status = EINVAL;
- return GSS_S_BAD_MECH;
- }
-
- ret = gss_inquire_cred (minor_status,
- cred_handle,
- name,
- &lifetime,
- cred_usage,
- NULL);
-
- if (ret == 0 && cred_handle != GSS_C_NO_CREDENTIAL) {
- gss_cred_usage_t usage;
-
- usage = cred_handle->usage;
-
- if (initiator_lifetime) {
- if (usage == GSS_C_INITIATE || usage == GSS_C_BOTH)
- *initiator_lifetime = lifetime;
- }
- if (acceptor_lifetime) {
- if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH)
- *acceptor_lifetime = lifetime;
- }
- }
-
- return ret;
-}
diff --git a/lib/gssapi/krb5/inquire_mechs_for_name.c b/lib/gssapi/krb5/inquire_mechs_for_name.c
deleted file mode 100644
index fb3709f93..000000000
--- a/lib/gssapi/krb5/inquire_mechs_for_name.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_inquire_mechs_for_name (
- OM_uint32 * minor_status,
- const gss_name_t input_name,
- gss_OID_set * mech_types
- )
-{
- OM_uint32 ret;
-
- ret = gss_create_empty_oid_set(minor_status, mech_types);
- if (ret)
- return ret;
-
- ret = gss_add_oid_set_member(minor_status,
- GSS_KRB5_MECHANISM,
- mech_types);
- if (ret)
- gss_release_oid_set(NULL, mech_types);
-
- return ret;
-}
diff --git a/lib/gssapi/krb5/inquire_names_for_mech.c b/lib/gssapi/krb5/inquire_names_for_mech.c
deleted file mode 100644
index 7441d99b9..000000000
--- a/lib/gssapi/krb5/inquire_names_for_mech.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-
-static gss_OID *name_list[] = {
- &GSS_C_NT_HOSTBASED_SERVICE,
- &GSS_C_NT_USER_NAME,
- &GSS_KRB5_NT_PRINCIPAL_NAME,
- &GSS_C_NT_EXPORT_NAME,
- NULL
-};
-
-OM_uint32 gss_inquire_names_for_mech (
- OM_uint32 * minor_status,
- const gss_OID mechanism,
- gss_OID_set * name_types
- )
-{
- OM_uint32 ret;
- int i;
-
- *minor_status = 0;
-
- if (gss_oid_equal(mechanism, GSS_KRB5_MECHANISM) == 0 &&
- gss_oid_equal(mechanism, GSS_C_NULL_OID) == 0) {
- *name_types = GSS_C_NO_OID_SET;
- return GSS_S_BAD_MECH;
- }
-
- ret = gss_create_empty_oid_set(minor_status, name_types);
- if (ret != GSS_S_COMPLETE)
- return ret;
-
- for (i = 0; name_list[i] != NULL; i++) {
- ret = gss_add_oid_set_member(minor_status,
- *(name_list[i]),
- name_types);
- if (ret != GSS_S_COMPLETE)
- break;
- }
-
- if (ret != GSS_S_COMPLETE)
- gss_release_oid_set(NULL, name_types);
-
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/process_context_token.c b/lib/gssapi/krb5/process_context_token.c
deleted file mode 100644
index 59778ba1a..000000000
--- a/lib/gssapi/krb5/process_context_token.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_process_context_token (
- OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t token_buffer
- )
-{
- OM_uint32 ret = GSS_S_FAILURE;
- gss_buffer_desc empty_buffer;
- gss_qop_t qop_state;
-
- empty_buffer.length = 0;
- empty_buffer.value = NULL;
-
- qop_state = GSS_C_QOP_DEFAULT;
-
- ret = gss_verify_mic_internal(minor_status, context_handle,
- token_buffer, &empty_buffer,
- GSS_C_QOP_DEFAULT, "\x01\x02");
-
- if (ret == GSS_S_COMPLETE)
- ret = gss_delete_sec_context(minor_status,
- (gss_ctx_id_t *)&context_handle,
- GSS_C_NO_BUFFER);
- if (ret == GSS_S_COMPLETE)
- *minor_status = 0;
-
- return ret;
-}
diff --git a/lib/gssapi/krb5/release_buffer.c b/lib/gssapi/krb5/release_buffer.c
deleted file mode 100644
index 60782bff7..000000000
--- a/lib/gssapi/krb5/release_buffer.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_release_buffer
- (OM_uint32 * minor_status,
- gss_buffer_t buffer
- )
-{
- *minor_status = 0;
- free (buffer->value);
- buffer->value = NULL;
- buffer->length = 0;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/release_cred.c b/lib/gssapi/krb5/release_cred.c
deleted file mode 100644
index 00be94ae0..000000000
--- a/lib/gssapi/krb5/release_cred.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_release_cred
- (OM_uint32 * minor_status,
- gss_cred_id_t * cred_handle
- )
-{
- *minor_status = 0;
-
- if (*cred_handle == GSS_C_NO_CREDENTIAL) {
- return GSS_S_COMPLETE;
- }
-
- GSSAPI_KRB5_INIT ();
-
- if ((*cred_handle)->principal != NULL)
- krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
- if ((*cred_handle)->keytab != NULL)
- krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
- if ((*cred_handle)->ccache != NULL)
- krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
- gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
- free(*cred_handle);
- *cred_handle = GSS_C_NO_CREDENTIAL;
- return GSS_S_COMPLETE;
-}
-
diff --git a/lib/gssapi/krb5/release_name.c b/lib/gssapi/krb5/release_name.c
deleted file mode 100644
index 042153a48..000000000
--- a/lib/gssapi/krb5/release_name.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_release_name
- (OM_uint32 * minor_status,
- gss_name_t * input_name
- )
-{
- GSSAPI_KRB5_INIT ();
- if (minor_status)
- *minor_status = 0;
- krb5_free_principal(gssapi_krb5_context,
- *input_name);
- *input_name = GSS_C_NO_NAME;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/release_oid_set.c b/lib/gssapi/krb5/release_oid_set.c
deleted file mode 100644
index 4bdcf4285..000000000
--- a/lib/gssapi/krb5/release_oid_set.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_release_oid_set
- (OM_uint32 * minor_status,
- gss_OID_set * set
- )
-{
- if (minor_status)
- *minor_status = 0;
- free ((*set)->elements);
- free (*set);
- *set = GSS_C_NO_OID_SET;
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/test_acquire_cred.c b/lib/gssapi/krb5/test_acquire_cred.c
deleted file mode 100644
index 6f1ad5ab8..000000000
--- a/lib/gssapi/krb5/test_acquire_cred.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of KTH nor the names of its contributors may be
- * used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-
-#include "gssapi_locl.h"
-#include
-
-RCSID("$Id$");
-
-static void
-print_time(OM_uint32 time_rec)
-{
- if (time_rec == GSS_C_INDEFINITE) {
- printf("cred never expire\n");
- } else {
- time_t t = time_rec;
- printf("expiration time: %s", ctime(&t));
- }
-}
-
-int
-main(int argc, char **argv)
-{
- OM_uint32 major_status, minor_status;
- gss_cred_id_t cred_handle, copy_cred;
- OM_uint32 time_rec;
-
- major_status = gss_acquire_cred(&minor_status,
- GSS_C_NO_NAME,
- 0,
- NULL,
- GSS_C_INITIATE,
- &cred_handle,
- NULL,
- &time_rec);
- if (GSS_ERROR(major_status))
- errx(1, "acquire_cred failed");
-
-
- print_time(time_rec);
-
- major_status = gss_add_cred (&minor_status,
- cred_handle,
- GSS_C_NO_NAME,
- GSS_KRB5_MECHANISM,
- GSS_C_INITIATE,
- 0,
- 0,
- ©_cred,
- NULL,
- &time_rec,
- NULL);
-
- if (GSS_ERROR(major_status))
- errx(1, "add_cred failed");
-
- print_time(time_rec);
-
- major_status = gss_release_cred(&minor_status,
- &cred_handle);
- if (GSS_ERROR(major_status))
- errx(1, "release_cred failed");
-
- major_status = gss_release_cred(&minor_status,
- ©_cred);
- if (GSS_ERROR(major_status))
- errx(1, "release_cred failed");
-
- return 0;
-}
diff --git a/lib/gssapi/krb5/test_oid_set_member.c b/lib/gssapi/krb5/test_oid_set_member.c
deleted file mode 100644
index cc15d78b8..000000000
--- a/lib/gssapi/krb5/test_oid_set_member.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-OM_uint32 gss_test_oid_set_member (
- OM_uint32 * minor_status,
- const gss_OID member,
- const gss_OID_set set,
- int * present
- )
-{
- size_t i;
-
- *minor_status = 0;
- *present = 0;
- for (i = 0; i < set->count; ++i)
- if (gss_oid_equal(member, &set->elements[i]) != 0) {
- *present = 1;
- break;
- }
- return GSS_S_COMPLETE;
-}
diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
deleted file mode 100644
index 2e66f30eb..000000000
--- a/lib/gssapi/krb5/unwrap.c
+++ /dev/null
@@ -1,417 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_krb5_get_remotekey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - krb5_keyblock *skey; - - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - return GSS_KRB5_S_KG_NO_SUBKEY; /* XXX */ - *key = skey; - return 0; -} - -static OM_uint32 -unwrap_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p, *pad; - size_t len; - MD5_CTX md5; - u_char hash[16], seq_data[8]; - des_key_schedule schedule; - des_cblock deskey; - des_cblock zero; - int i; - int32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - - p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, - input_message_buffer->length, - "\x02\x01"); - if (ret) - return ret; - - if (memcmp (p, "\x00\x00", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x00\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xFF\xFF", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 16; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - for (i = 0; i < sizeof(deskey); ++i) - deskey[i] ^= 0xf0; - des_set_key (&deskey, schedule); - memset (&zero, 0, sizeof(zero)); - des_cbc_encrypt ((void *)p, - (void *)p, - input_message_buffer->length - len, - schedule, - &zero, - DES_DECRYPT); - - memset (deskey, 
0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - } - /* check pad */ - - pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1; - padlength = *pad; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, input_message_buffer->length - len); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) - return GSS_S_BAD_MIC; - - /* verify sequence number */ - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq_data[0] = (seq_number >> 0) & 0xFF; - seq_data[1] = (seq_number >> 8) & 0xFF; - seq_data[2] = (seq_number >> 16) & 0xFF; - seq_data[3] = (seq_number >> 24) & 0xFF; - memset (seq_data + 4, - (context_handle->more_flags & LOCAL) ? 
0xFF : 0, - 4); - - p -= 16; - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)hash, DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - - if (memcmp (p, seq_data, 8) != 0) { - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 24, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -static OM_uint32 -unwrap_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int * conf_state, - gss_qop_t * qop_state, - krb5_keyblock *key - ) -{ - u_char *p, *pad; - size_t len; - u_char seq[8]; - krb5_data seq_data; - u_char cksum[20]; - int i; - int32_t seq_number; - size_t padlength; - OM_uint32 ret; - int cstate; - krb5_crypto crypto; - Checksum csum; - int cmp; - - p = input_message_buffer->value; - ret = gssapi_krb5_verify_header (&p, - input_message_buffer->length, - "\x02\x01"); - if (ret) - return ret; - - if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\x02\x00", 2) == 0) { - cstate = 1; - } else if (memcmp (p, "\xff\xff", 2) == 0) { - cstate = 0; - } else - return GSS_S_BAD_MIC; - p += 2; - if(conf_state != NULL) - *conf_state = cstate; - if (memcmp (p, "\xff\xff", 2) != 0) - return GSS_S_DEFECTIVE_TOKEN; - p += 2; - p += 28; - - len = p - (u_char *)input_message_buffer->value; - - if(cstate) { - /* decrypt data */ - krb5_data tmp; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - 
ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - ret = krb5_decrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, - p, input_message_buffer->length - len, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - assert (tmp.length == input_message_buffer->length - len); - - memcpy (p, tmp.data, tmp.length); - krb5_data_free(&tmp); - } - /* check pad */ - - pad = (u_char *)input_message_buffer->value + input_message_buffer->length - 1; - padlength = *pad; - - for (i = padlength; i > 0 && *pad == padlength; i--, pad--) - ; - if (i != 0) - return GSS_S_BAD_MIC; - - /* verify sequence number */ - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 
0xFF : 0, - 4); - - p -= 28; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - { - des_cblock ivec; - - memcpy(&ivec, p + 8, 8); - ret = krb5_decrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - p, 8, &seq_data, - &ivec); - } - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - if (seq_data.length != 8) { - krb5_data_free (&seq_data); - return GSS_S_BAD_MIC; - } - - cmp = memcmp (seq, seq_data.data, seq_data.length); - krb5_data_free (&seq_data); - if (cmp != 0) { - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* verify checksum */ - - memcpy (cksum, p + 8, 20); - - memcpy (p + 20, p - 8, 8); - - csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3; - csum.checksum.length = 20; - csum.checksum.data = cksum; - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, - KRB5_KU_USAGE_SIGN, - p + 20, - input_message_buffer->length - len + 8, - &csum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* copy out data */ - - output_message_buffer->length = input_message_buffer->length - - len - padlength - 8; - output_message_buffer->value = malloc(output_message_buffer->length); - if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) - return GSS_S_FAILURE; - memcpy (output_message_buffer->value, - p + 36, - output_message_buffer->length); - return GSS_S_COMPLETE; -} - -OM_uint32 gss_unwrap - (OM_uint32 * minor_status, - const gss_ctx_id_t 
context_handle,
- const gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int * conf_state,
- gss_qop_t * qop_state
- )
-{
- krb5_keyblock *key;
- OM_uint32 ret;
- krb5_keytype keytype;
-
- if (qop_state != NULL)
- *qop_state = GSS_C_QOP_DEFAULT;
- ret = gss_krb5_get_remotekey(context_handle, &key);
- if (ret) {
- gssapi_krb5_set_error_string ();
- *minor_status = ret;
- return GSS_S_FAILURE;
- }
- krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
-
- *minor_status = 0;
-
- switch (keytype) {
- case KEYTYPE_DES :
- ret = unwrap_des (minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state, key);
- break;
- case KEYTYPE_DES3 :
- ret = unwrap_des3 (minor_status, context_handle,
- input_message_buffer, output_message_buffer,
- conf_state, qop_state, key);
- break;
- default :
- *minor_status = KRB5_PROG_ETYPE_NOSUPP;
- ret = GSS_S_FAILURE;
- break;
- }
- krb5_free_keyblock (gssapi_krb5_context, key);
- return ret;
-}
diff --git a/lib/gssapi/krb5/v1.c b/lib/gssapi/krb5/v1.c
deleted file mode 100644
index 781a87881..000000000
--- a/lib/gssapi/krb5/v1.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "gssapi_locl.h"
-
-RCSID("$Id$");
-
-/* These functions are for V1 compatibility */
-
-OM_uint32 gss_sign
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- int qop_req,
- gss_buffer_t message_buffer,
- gss_buffer_t message_token
- )
-{
- return gss_get_mic(minor_status,
- context_handle,
- (gss_qop_t)qop_req,
- message_buffer,
- message_token);
-}
-
-OM_uint32 gss_verify
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t message_buffer,
- gss_buffer_t token_buffer,
- int * qop_state
- )
-{
- return gss_verify_mic(minor_status,
- context_handle,
- message_buffer,
- token_buffer,
- (gss_qop_t *)qop_state);
-}
-
-OM_uint32 gss_seal
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- int conf_req_flag,
- int qop_req,
- gss_buffer_t input_message_buffer,
- int * conf_state,
- gss_buffer_t output_message_buffer
- )
-{
- return gss_wrap(minor_status,
- context_handle,
- conf_req_flag,
- (gss_qop_t)qop_req,
- input_message_buffer,
- conf_state,
- output_message_buffer);
-}
-
-OM_uint32 gss_unseal
- (OM_uint32 * minor_status,
- gss_ctx_id_t context_handle,
- gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int * conf_state,
- int * qop_state
- )
-{
- return gss_unwrap(minor_status,
- context_handle,
- input_message_buffer,
- output_message_buffer,
- conf_state,
- (gss_qop_t *)qop_state);
-}
diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c
deleted file mode 100644
index 875d47b76..000000000
--- a/lib/gssapi/krb5/verify_mic.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -static OM_uint32 -verify_mic_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16], seq_data[8]; - des_key_schedule schedule; - des_cblock zero; - des_cblock deskey; - int32_t seq_number; - OM_uint32 ret; - - p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type); - if (ret) { - *minor_status = 0; - return ret; - } - - if (memcmp(p, "\x00\x00", 2) != 0) - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - p += 16; - - /* verify checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, message_buffer->value, - message_buffer->length); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - if (memcmp (p - 8, hash, 8) != 0) { - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - /* verify sequence number */ - - krb5_auth_getremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq_data[0] = (seq_number >> 0) & 0xFF; - seq_data[1] = (seq_number >> 8) & 0xFF; - seq_data[2] = (seq_number >> 16) & 0xFF; - seq_data[3] = (seq_number >> 24) & 0xFF; - memset (seq_data + 4, - (context_handle->more_flags & LOCAL) ? 
0xFF : 0, - 4); - - p -= 16; - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)hash, DES_DECRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - - if (memcmp (p, seq_data, 8) != 0) { - *minor_status = 0; - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -verify_mic_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - krb5_keyblock *key, - char *type - ) -{ - u_char *p; - u_char seq[8]; - int32_t seq_number; - OM_uint32 ret; - krb5_crypto crypto; - krb5_data seq_data; - int cmp; - Checksum csum; - char *tmp; - char ivec[8]; - - p = token_buffer->value; - ret = gssapi_krb5_verify_header (&p, - token_buffer->length, - type); - if (ret) { - *minor_status = 0; - return ret; - } - - if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */ - return GSS_S_BAD_SIG; - p += 2; - if (memcmp (p, "\xff\xff\xff\xff", 4) != 0) - return GSS_S_BAD_MIC; - p += 4; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret){ - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* verify sequence number */ - if (context_handle->more_flags & COMPAT_OLD_DES3) - memset(ivec, 0, 8); - else - memcpy(ivec, p + 8, 8); - - ret = krb5_decrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - p, 8, &seq_data, ivec); - if (ret) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ret; - return GSS_S_FAILURE; - } - - if (seq_data.length != 8) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - krb5_data_free (&seq_data); - return GSS_S_BAD_MIC; - } - - krb5_auth_getremoteseqnumber 
(gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 0xFF : 0, - 4); - cmp = memcmp (seq, seq_data.data, seq_data.length); - krb5_data_free (&seq_data); - if (cmp != 0) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_BAD_MIC; - } - - /* verify checksum */ - - tmp = malloc (message_buffer->length + 8); - if (tmp == NULL) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - memcpy (tmp, p - 8, 8); - memcpy (tmp + 8, message_buffer->value, message_buffer->length); - - csum.cksumtype = CKSUMTYPE_HMAC_SHA1_DES3; - csum.checksum.length = 20; - csum.checksum.data = p + 8; - - ret = krb5_verify_checksum (gssapi_krb5_context, crypto, - KRB5_KU_USAGE_SIGN, - tmp, message_buffer->length + 8, - &csum); - free (tmp); - if (ret) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ret; - return GSS_S_BAD_MIC; - } - - krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_verify_mic_internal - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - const gss_buffer_t message_buffer, - const gss_buffer_t token_buffer, - gss_qop_t * qop_state, - char * type - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_remotekey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - switch (keytype) { - case KEYTYPE_DES : - ret = verify_mic_des (minor_status, context_handle, - 
message_buffer, token_buffer, qop_state, key,
- type);
- break;
- case KEYTYPE_DES3 :
- ret = verify_mic_des3 (minor_status, context_handle,
- message_buffer, token_buffer, qop_state, key,
- type);
- break;
- default :
- *minor_status = KRB5_PROG_ETYPE_NOSUPP;
- ret = GSS_S_FAILURE;
- break;
- }
- krb5_free_keyblock (gssapi_krb5_context, key);
-
- return ret;
-}
-
-OM_uint32
-gss_verify_mic
- (OM_uint32 * minor_status,
- const gss_ctx_id_t context_handle,
- const gss_buffer_t message_buffer,
- const gss_buffer_t token_buffer,
- gss_qop_t * qop_state
- )
-{
- OM_uint32 ret;
-
- if (qop_state != NULL)
- *qop_state = GSS_C_QOP_DEFAULT;
-
- ret = gss_verify_mic_internal(minor_status, context_handle,
- message_buffer, token_buffer,
- qop_state, "\x01\x01");
-
- return ret;
-}
diff --git a/lib/gssapi/krb5/wrap.c b/lib/gssapi/krb5/wrap.c
deleted file mode 100644
index 033a6d8bf..000000000
--- a/lib/gssapi/krb5/wrap.c
+++ /dev/null
@@ -1,448 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "gssapi_locl.h" - -RCSID("$Id$"); - -OM_uint32 -gss_krb5_get_localkey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) -{ - krb5_keyblock *skey; - - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - krb5_auth_con_getkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); - if(skey == NULL) - return GSS_S_FAILURE; - *key = skey; - return 0; -} - -static OM_uint32 -sub_wrap_size ( - OM_uint32 req_output_size, - OM_uint32 * max_input_size, - int blocksize, - int extrasize - ) -{ - size_t len, total_len, padlength; - padlength = blocksize - (req_output_size % blocksize); - len = req_output_size + 8 + padlength + extrasize; - gssapi_krb5_encap_length(len, &len, &total_len); - *max_input_size = (OM_uint32)total_len; - return GSS_S_COMPLETE; -} - -OM_uint32 -gss_wrap_size_limit ( - OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - OM_uint32 req_output_size, - OM_uint32 * max_input_size - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_localkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - return GSS_S_FAILURE; - } - krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); - - switch (keytype) { - case KEYTYPE_DES : - ret = sub_wrap_size(req_output_size, max_input_size, 8, 22); - break; - case KEYTYPE_DES3 : - ret = sub_wrap_size(req_output_size, max_input_size, 8, 34); - break; - default : - *minor_status = KRB5_PROG_ETYPE_NOSUPP; - ret = GSS_S_FAILURE; - break; - } - krb5_free_keyblock (gssapi_krb5_context, key); - *minor_status = 0; - return ret; -} - -static OM_uint32 -wrap_des - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const 
gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key - ) -{ - u_char *p; - MD5_CTX md5; - u_char hash[16]; - des_key_schedule schedule; - des_cblock deskey; - des_cblock zero; - int i; - int32_t seq_number; - size_t len, total_len, padlength, datalen; - - padlength = 8 - (input_message_buffer->length % 8); - datalen = input_message_buffer->length + padlength + 8; - len = datalen + 22; - gssapi_krb5_encap_length (len, &len, &total_len); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(output_message_buffer->value, - len, - "\x02\x01"); /* TOK_ID */ - - /* SGN_ALG */ - memcpy (p, "\x00\x00", 2); - p += 2; - /* SEAL_ALG */ - if(conf_req_flag) - memcpy (p, "\x00\x00", 2); - else - memcpy (p, "\xff\xff", 2); - p += 2; - /* Filler */ - memcpy (p, "\xff\xff", 2); - p += 2; - - /* fill in later */ - memset (p, 0, 16); - p += 16; - - /* confounder + data + pad */ - krb5_generate_random_block(p, 8); - memcpy (p + 8, input_message_buffer->value, - input_message_buffer->length); - memset (p + 8 + input_message_buffer->length, padlength, padlength); - - /* checksum */ - MD5_Init (&md5); - MD5_Update (&md5, p - 24, 8); - MD5_Update (&md5, p, datalen); - MD5_Final (hash, &md5); - - memset (&zero, 0, sizeof(zero)); - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - des_set_key (&deskey, schedule); - des_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash), - schedule, &zero); - memcpy (p - 8, hash, 8); - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - p -= 16; - p[0] = (seq_number >> 0) & 0xFF; - p[1] = (seq_number >> 8) & 0xFF; - p[2] = (seq_number >> 16) & 0xFF; - p[3] = (seq_number >> 24) & 0xFF; - memset (p + 4, - (context_handle->more_flags & 
LOCAL) ? 0 : 0xFF, - 4); - - des_set_key (&deskey, schedule); - des_cbc_encrypt ((void *)p, (void *)p, 8, - schedule, (des_cblock *)(p + 8), DES_ENCRYPT); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* encrypt the data */ - p += 16; - - if(conf_req_flag) { - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - - for (i = 0; i < sizeof(deskey); ++i) - deskey[i] ^= 0xf0; - des_set_key (&deskey, schedule); - memset (&zero, 0, sizeof(zero)); - des_cbc_encrypt ((void *)p, - (void *)p, - datalen, - schedule, - &zero, - DES_ENCRYPT); - - memset (deskey, 0, sizeof(deskey)); - memset (schedule, 0, sizeof(schedule)); - } - if(conf_state != NULL) - *conf_state = conf_req_flag; - *minor_status = 0; - return GSS_S_COMPLETE; -} - -static OM_uint32 -wrap_des3 - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer, - krb5_keyblock *key - ) -{ - u_char *p; - u_char seq[8]; - int32_t seq_number; - size_t len, total_len, padlength, datalen; - u_int32_t ret; - krb5_crypto crypto; - Checksum cksum; - krb5_data encdata; - - padlength = 8 - (input_message_buffer->length % 8); - datalen = input_message_buffer->length + padlength + 8; - len = datalen + 34; - gssapi_krb5_encap_length (len, &len, &total_len); - - output_message_buffer->length = total_len; - output_message_buffer->value = malloc (total_len); - if (output_message_buffer->value == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - p = gssapi_krb5_make_header(output_message_buffer->value, - len, - "\x02\x01"); /* TOK_ID */ - - /* SGN_ALG */ - memcpy (p, "\x04\x00", 2); /* HMAC SHA1 DES3-KD */ - p += 2; - /* SEAL_ALG */ - if(conf_req_flag) - memcpy (p, "\x02\x00", 2); /* DES3-KD */ - else - memcpy (p, "\xff\xff", 2); - p += 2; - /* Filler */ - memcpy (p, "\xff\xff", 2); - p += 2; - - /* calculate 
checksum (the above + confounder + data + pad) */ - - memcpy (p + 20, p - 8, 8); - krb5_generate_random_block(p + 28, 8); - memcpy (p + 28 + 8, input_message_buffer->value, - input_message_buffer->length); - memset (p + 28 + 8 + input_message_buffer->length, padlength, padlength); - - ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - ret = krb5_create_checksum (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SIGN, - 0, - p + 20, - datalen + 8, - &cksum); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - /* zero out SND_SEQ + SGN_CKSUM in case */ - memset (p, 0, 28); - - memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); - free_Checksum (&cksum); - - /* sequence number */ - krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - &seq_number); - - seq[0] = (seq_number >> 0) & 0xFF; - seq[1] = (seq_number >> 8) & 0xFF; - seq[2] = (seq_number >> 16) & 0xFF; - seq[3] = (seq_number >> 24) & 0xFF; - memset (seq + 4, - (context_handle->more_flags & LOCAL) ? 
0 : 0xFF, - 4); - - - ret = krb5_crypto_init(gssapi_krb5_context, key, ETYPE_DES3_CBC_NONE, - &crypto); - if (ret) { - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - { - des_cblock ivec; - - memcpy (&ivec, p + 8, 8); - ret = krb5_encrypt_ivec (gssapi_krb5_context, - crypto, - KRB5_KU_USAGE_SEQ, - seq, 8, &encdata, - &ivec); - } - krb5_crypto_destroy (gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - - assert (encdata.length == 8); - - memcpy (p, encdata.data, encdata.length); - krb5_data_free (&encdata); - - krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, - context_handle->auth_context, - ++seq_number); - - /* encrypt the data */ - p += 28; - - if(conf_req_flag) { - krb5_data tmp; - - ret = krb5_crypto_init(gssapi_krb5_context, key, - ETYPE_DES3_CBC_NONE, &crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - ret = krb5_encrypt(gssapi_krb5_context, crypto, KRB5_KU_USAGE_SEAL, - p, datalen, &tmp); - krb5_crypto_destroy(gssapi_krb5_context, crypto); - if (ret) { - gssapi_krb5_set_error_string (); - free (output_message_buffer->value); - *minor_status = ret; - return GSS_S_FAILURE; - } - assert (tmp.length == datalen); - - memcpy (p, tmp.data, datalen); - krb5_data_free(&tmp); - } - if(conf_state != NULL) - *conf_state = conf_req_flag; - *minor_status = 0; - return GSS_S_COMPLETE; -} - -OM_uint32 gss_wrap - (OM_uint32 * minor_status, - const gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, - const gss_buffer_t input_message_buffer, - int * conf_state, - gss_buffer_t output_message_buffer - ) -{ - krb5_keyblock *key; - OM_uint32 ret; - krb5_keytype keytype; - - ret = gss_krb5_get_localkey(context_handle, &key); - if (ret) { - gssapi_krb5_set_error_string (); - *minor_status = ret; - 
return GSS_S_FAILURE;
- }
- krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
-
- switch (keytype) {
- case KEYTYPE_DES :
- ret = wrap_des (minor_status, context_handle, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer, key);
- break;
- case KEYTYPE_DES3 :
- ret = wrap_des3 (minor_status, context_handle, conf_req_flag,
- qop_req, input_message_buffer, conf_state,
- output_message_buffer, key);
- break;
- default :
- *minor_status = KRB5_PROG_ETYPE_NOSUPP;
- ret = GSS_S_FAILURE;
- break;
- }
- krb5_free_keyblock (gssapi_krb5_context, key);
- return ret;
-}
diff --git a/lib/gssapi/release_cred.c b/lib/gssapi/release_cred.c
index 00be94ae0..c618b314f 100644
--- a/lib/gssapi/release_cred.c
+++ b/lib/gssapi/release_cred.c
@@ -52,8 +52,14 @@ OM_uint32 gss_release_cred
 krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
 if ((*cred_handle)->keytab != NULL)
 krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
- if ((*cred_handle)->ccache != NULL)
- krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
+ if ((*cred_handle)->ccache != NULL) {
+ const krb5_cc_ops *ops;
+ ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache);
+ if (ops == &krb5_mcc_ops)
+ krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache);
+ else
+ krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
+ }
 gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
 free(*cred_handle);
 *cred_handle = GSS_C_NO_CREDENTIAL;
diff --git a/lib/gssapi/unwrap.c b/lib/gssapi/unwrap.c
index 2e66f30eb..80a58fcb1 100644
--- a/lib/gssapi/unwrap.c
+++ b/lib/gssapi/unwrap.c
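Review bot: The new branch decides whether to destroy the ccache purely from its type (`ops == &krb5_mcc_ops`), which does not distinguish a MEMORY cache this library created for the credential from one that came from outside it, such as the process default cache; if a caller's own MEMORY cache can reach this handle, releasing the GSS credential would wipe the application's tickets rather than just dropping a reference. A safer discriminator is an ownership flag recorded in the credential structure when the gssapi code creates the cache, tested here in place of the ops comparison. The results of `krb5_cc_destroy` and `krb5_cc_close` are still discarded as before; if that is intentional, a one-line comment saying release does not report cache errors would make it explicit. The enclosing `gss_release_cred` starts before this hunk.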
@@ -407,6 +407,11 @@ OM_uint32 gss_unwrap input_message_buffer, output_message_buffer, conf_state, qop_state, key); break; + case KEYTYPE_ARCFOUR: + ret = _gssapi_unwrap_arcfour (minor_status, context_handle, + input_message_buffer, output_message_buffer, + conf_state, qop_state, key); + break; default : *minor_status = KRB5_PROG_ETYPE_NOSUPP; ret = GSS_S_FAILURE; diff --git a/lib/gssapi/verify_mic.c b/lib/gssapi/verify_mic.c index 875d47b76..d81fec8dc 100644 --- a/lib/gssapi/verify_mic.c +++ b/lib/gssapi/verify_mic.c @@ -59,10 +59,8 @@ verify_mic_des ret = gssapi_krb5_verify_header (&p, token_buffer->length, type); - if (ret) { - *minor_status = 0; + if (ret) return ret; - } if (memcmp(p, "\x00\x00", 2) != 0) return GSS_S_BAD_SIG; @@ -88,7 +86,6 @@ verify_mic_des if (memcmp (p - 8, hash, 8) != 0) { memset (deskey, 0, sizeof(deskey)); memset (schedule, 0, sizeof(schedule)); - *minor_status = 0; return GSS_S_BAD_MIC; } @@ -114,7 +111,6 @@ verify_mic_des memset (schedule, 0, sizeof(schedule)); if (memcmp (p, seq_data, 8) != 0) { - *minor_status = 0; return GSS_S_BAD_MIC; } @@ -122,7 +118,6 @@ verify_mic_des context_handle->auth_context, ++seq_number); - *minor_status = 0; return GSS_S_COMPLETE; } @@ -143,7 +138,7 @@ verify_mic_des3 OM_uint32 ret; krb5_crypto crypto; krb5_data seq_data; - int cmp; + int cmp, docompat; Checksum csum; char *tmp; char ivec[8]; @@ -152,10 +147,8 @@ verify_mic_des3 ret = gssapi_krb5_verify_header (&p, token_buffer->length, type); - if (ret) { - *minor_status = 0; + if (ret) return ret; - } if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */ return GSS_S_BAD_SIG; @@ -173,7 +166,9 @@ verify_mic_des3 } /* verify sequence number */ - if (context_handle->more_flags & COMPAT_OLD_DES3) + docompat = 0; +retry: + if (docompat) memset(ivec, 0, 8); else memcpy(ivec, p + 8, 8); 
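Review bot: The new `case KEYTYPE_ARCFOUR:` arm in gss_unwrap is undocumented, and the same applies to the matching arms added in verify_mic.c (`@@ -281`) and wrap.c (`@@ -438`). Unlike the DES and DES3 arms, the token format these helpers implement is not the RFC 1964 one but Microsoft's RC4-HMAC variant, a compatibility enctype rather than one to prefer. A one-line comment on each arm, e.g. `/* RC4-HMAC (Microsoft) token format, accepted for Windows interoperability */`, would tell the next reader which specification `_gssapi_unwrap_arcfour` follows and that the selection is driven by the negotiated session-key type, not by local policy. The `_gssapi_*_arcfour` prototypes are not in any hunk shown, so I could not confirm their parameter order matches the DES3 calls they sit beside.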
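Review bot: The `retry:` loop introduced in verify_mic_des3 (this hunk, with the `goto retry` sites in `@@ -183` and `@@ -208` below) now tries the zero-IV compat decryption of the sequence number whenever the standard form fails, whereas the removed line gated that on `context_handle->more_flags & COMPAT_OLD_DES3`. Every DES3 context therefore accepts both sequence-number encodings, so a token produced with the old IV handling verifies on contexts negotiated with a peer that never needed the compat behaviour, and the `COMPAT_OLD_DES3` negotiation no longer influences verification at all. If accepting both forms unconditionally is intended, the `docompat = 0;` line deserves a comment saying so, e.g. `/* try the RFC 1964 IV first, then the legacy zero IV; both are accepted regardless of COMPAT_OLD_DES3 */`; otherwise make the fallback conditional at each failure point, e.g. `if (docompat++ || !(context_handle->more_flags & COMPAT_OLD_DES3))`, so that the compat path is only taken on contexts that negotiated it.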
@@ -183,16 +178,22 @@ verify_mic_des3 KRB5_KU_USAGE_SEQ, p, 8, &seq_data, ivec); if (ret) { - gssapi_krb5_set_error_string (); - krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = ret; - return GSS_S_FAILURE; + if (docompat++) { + gssapi_krb5_set_error_string (); + krb5_crypto_destroy (gssapi_krb5_context, crypto); + *minor_status = ret; + return GSS_S_FAILURE; + } else + goto retry; } if (seq_data.length != 8) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); krb5_data_free (&seq_data); - return GSS_S_BAD_MIC; + if (docompat++) { + krb5_crypto_destroy (gssapi_krb5_context, crypto); + return GSS_S_BAD_MIC; + } else + goto retry; } krb5_auth_getremoteseqnumber (gssapi_krb5_context, @@ -208,8 +209,11 @@ verify_mic_des3 cmp = memcmp (seq, seq_data.data, seq_data.length); krb5_data_free (&seq_data); if (cmp != 0) { - krb5_crypto_destroy (gssapi_krb5_context, crypto); - return GSS_S_BAD_MIC; + if (docompat++) { + krb5_crypto_destroy (gssapi_krb5_context, crypto); + return GSS_S_BAD_MIC; + } else + goto retry; } /* verify checksum */ @@ -245,7 +249,6 @@ verify_mic_des3 ++seq_number); krb5_crypto_destroy (gssapi_krb5_context, crypto); - *minor_status = 0; return GSS_S_COMPLETE; } @@ -269,6 +272,7 @@ gss_verify_mic_internal *minor_status = ret; return GSS_S_FAILURE; } + *minor_status = 0; krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype); switch (keytype) { case KEYTYPE_DES : @@ -281,6 +285,11 @@ gss_verify_mic_internal message_buffer, token_buffer, qop_state, key, type); break; + case KEYTYPE_ARCFOUR : + ret = _gssapi_verify_mic_arcfour (minor_status, context_handle, + message_buffer, token_buffer, + qop_state, key, type); + break; default : *minor_status = KRB5_PROG_ETYPE_NOSUPP; ret = GSS_S_FAILURE; diff --git a/lib/gssapi/wrap.c b/lib/gssapi/wrap.c index 033a6d8bf..1adca10e5 100644 --- a/lib/gssapi/wrap.c +++ b/lib/gssapi/wrap.c 
@@ -98,6 +98,7 @@ gss_wrap_size_limit ( switch (keytype) { case KEYTYPE_DES : + case KEYTYPE_ARCFOUR: ret = sub_wrap_size(req_output_size, max_input_size, 8, 22); break; case KEYTYPE_DES3 : @@ -438,6 +439,11 @@ OM_uint32 gss_wrap qop_req, input_message_buffer, conf_state, output_message_buffer, key); break; + case KEYTYPE_ARCFOUR: + ret = _gssapi_wrap_arcfour (minor_status, context_handle, conf_req_flag, + qop_req, input_message_buffer, conf_state, + output_message_buffer, key); + break; default : *minor_status = KRB5_PROG_ETYPE_NOSUPP; ret = GSS_S_FAILURE; diff --git a/lib/hdb/Makefile.am b/lib/hdb/Makefile.am index ba27f0b82..b93b0eda9 100644 --- a/lib/hdb/Makefile.am +++ b/lib/hdb/Makefile.am @@ -20,7 +20,7 @@ LDADD = libhdb.la \ $(LIB_roken) lib_LTLIBRARIES = libhdb.la -libhdb_la_LDFLAGS = -version-info 7:5:0 +libhdb_la_LDFLAGS = -version-info 7:7:0 libhdb_la_SOURCES = \ common.c \ diff --git a/lib/hdb/db3.c b/lib/hdb/db3.c index 7d62181c6..672c7ba63 100644 --- a/lib/hdb/db3.c +++ b/lib/hdb/db3.c @@ -37,7 +37,13 @@ RCSID("$Id$"); #if HAVE_DB3 +#ifdef HAVE_DB4_DB_H +#include +#elif defined(HAVE_DB3_DB_H) +#include +#else #include +#endif static krb5_error_code DB_close(krb5_context context, HDB *db) @@ -87,7 +93,6 @@ static krb5_error_code DB_seq(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry, int flag) { - DB *d = (DB*)db->db; DBT key, value; DBC *dbcp = db->dbc; krb5_data key_data, data; 
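Review bot: gss_wrap_size_limit now routes `KEYTYPE_ARCFOUR` through `sub_wrap_size(req_output_size, max_input_size, 8, 22)`, i.e. the DES token overhead, but nothing in the hunk establishes that the RC4-HMAC wrap token built by `_gssapi_wrap_arcfour` (outside this file) has the same 8-byte block padding and 22-byte header as the DES one. If the overhead differs, callers that size buffers from this limit will either waste space or produce tokens larger than `req_output_size`. Either add a comment stating that the layouts are identical (`/* RC4-HMAC tokens use the same 8-byte padding and 22-byte header as DES */`) or give arcfour its own size computation next to `_gssapi_wrap_arcfour`.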
@@ -262,10 +267,18 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode) } db_create(&d, NULL, 0); db->db = d; +#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0) + if ((ret = d->open(db->db, NULL, fn, NULL, DB_BTREE, myflags, mode))) { +#else if ((ret = d->open(db->db, fn, NULL, DB_BTREE, myflags, mode))) { +#endif if(ret == ENOENT) /* try to open without .db extension */ +#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0) + if (d->open(db->db, NULL, db->name, NULL, DB_BTREE, myflags, mode)) { +#else if (d->open(db->db, db->name, NULL, DB_BTREE, myflags, mode)) { +#endif free(fn); krb5_set_error_string(context, "opening %s: %s", db->name, strerror(ret)); diff --git a/lib/hdb/hdb-ldap.c b/lib/hdb/hdb-ldap.c index 1ca351fb4..e8cfcf29a 100644 --- a/lib/hdb/hdb-ldap.c +++ b/lib/hdb/hdb-ldap.c 
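Review bot: The preprocessor test `#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)` in DB_open is not a version comparison: it selects the six-argument `DB->open` (the form with the `txnid` parameter, introduced in 4.1) only when the minor number is non-zero, so any later major release with a minor of 0 would silently fall back to the five-argument form and fail to compile or misbehave. The same expression is duplicated for the second `d->open` call a few lines down. A proper check is `#if DB_VERSION_MAJOR > 4 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1)`, ideally defined once as a macro next to the header selection in `@@ -37` and used at both call sites. DB_open continues past the end of this hunk.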
@@ -62,69 +62,101 @@ static char *krb5principal_attrs[] = NULL }; -/* based on samba: source/passdb/ldap.c */ static krb5_error_code -LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute, - unsigned char *value, size_t len) +LDAP__setmod(LDAPMod *** modlist, int modop, const char *attribute, + int *pIndex) { - LDAPMod **mods = *modlist; - int i, j; + int cMods; - if (mods == NULL) { - mods = (LDAPMod **) calloc(1, sizeof(LDAPMod *)); - if (mods == NULL) { + if (*modlist == NULL) { + *modlist = (LDAPMod **)ber_memcalloc(1, sizeof(LDAPMod *)); + if (*modlist == NULL) { return ENOMEM; } - mods[0] = NULL; } - for (i = 0; mods[i] != NULL; ++i) { - if ((mods[i]->mod_op & (~LDAP_MOD_BVALUES)) == modop - && (!strcasecmp(mods[i]->mod_type, attribute))) { + for (cMods = 0; (*modlist)[cMods] != NULL; cMods++) { + if ((*modlist)[cMods]->mod_op == modop && + strcasecmp((*modlist)[cMods]->mod_type, attribute) == 0) { break; } } - if (mods[i] == NULL) { - mods = (LDAPMod **) realloc(mods, (i + 2) * sizeof(LDAPMod *)); - if (mods == NULL) { + *pIndex = cMods; + + if ((*modlist)[cMods] == NULL) { + LDAPMod *mod; + + *modlist = (LDAPMod **)ber_memrealloc(*modlist, + (cMods + 2) * sizeof(LDAPMod *)); + if (*modlist == NULL) { return ENOMEM; } - mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod)); - if (mods[i] == NULL) { + (*modlist)[cMods] = (LDAPMod *)ber_memalloc(sizeof(LDAPMod)); + if ((*modlist)[cMods] == NULL) { return ENOMEM; } - mods[i]->mod_op = modop | LDAP_MOD_BVALUES; - mods[i]->mod_bvalues = NULL; - mods[i]->mod_type = strdup(attribute); - if (mods[i]->mod_type == NULL) { + + mod = (*modlist)[cMods]; + mod->mod_op = modop; + mod->mod_type = ber_strdup(attribute); + if (mod->mod_type == NULL) { + ber_memfree(mod); + (*modlist)[cMods] = NULL; return ENOMEM; } - mods[i + 1] = NULL; + + if (modop & LDAP_MOD_BVALUES) { + mod->mod_bvalues = NULL; + } else { + mod->mod_values = NULL; + } + + (*modlist)[cMods + 1] = NULL; + } + + return 0; +} + +static krb5_error_code 
+LDAP_addmod_len(LDAPMod *** modlist, int modop, const char *attribute, + unsigned char *value, size_t len) +{ + int cMods, cValues = 0; + krb5_error_code ret; + + ret = LDAP__setmod(modlist, modop | LDAP_MOD_BVALUES, attribute, &cMods); + if (ret != 0) { + return ret; } if (value != NULL) { - j = 0; - if (mods[i]->mod_bvalues != NULL) { - for (; mods[i]->mod_bvalues[j] != NULL; j++); + struct berval *bValue; + struct berval ***pbValues = &((*modlist)[cMods]->mod_bvalues); + + if (*pbValues != NULL) { + for (cValues = 0; (*pbValues)[cValues] != NULL; cValues++) + ; + *pbValues = (struct berval **)ber_memrealloc(*pbValues, (cValues + 2) + * sizeof(struct berval *)); + } else { + *pbValues = (struct berval **)ber_memalloc(2 * sizeof(struct berval *)); } - mods[i]->mod_bvalues = - (struct berval **) realloc(mods[i]->mod_bvalues, - (j + 2) * sizeof(struct berval *)); - if (mods[i]->mod_bvalues == NULL) { + if (*pbValues == NULL) { return ENOMEM; } - /* Caller allocates memory on our behalf, unlike LDAP_addmod. */ - mods[i]->mod_bvalues[j] = - (struct berval *) malloc(sizeof(struct berval)); - if (mods[i]->mod_bvalues[j] == NULL) { + (*pbValues)[cValues] = (struct berval *)ber_memalloc(sizeof(struct berval));; + if ((*pbValues)[cValues] == NULL) { return ENOMEM; } - mods[i]->mod_bvalues[j]->bv_val = value; - mods[i]->mod_bvalues[j]->bv_len = len; - mods[i]->mod_bvalues[j + 1] = NULL; + + bValue = (*pbValues)[cValues]; + bValue->bv_val = value; + bValue->bv_len = len; + + (*pbValues)[cValues + 1] = NULL; } - *modlist = mods; + return 0; } 
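Review bot: LDAP__setmod grows the list with `*modlist = (LDAPMod **)ber_memrealloc(*modlist, ...)` and returns `ENOMEM` when that yields NULL, at which point the caller's `*modlist` has already been overwritten with NULL and the `LDAPMod` array built so far is leaked (the old code only published `mods` through `*modlist` on success, so the caller could still free it). The same pattern is in LDAP_addmod_len (`*pbValues = ber_memrealloc(*pbValues, ...)`) and in LDAP_addmod in hunk `@@ -132` (`*pValues`). Realloc into a temporary at all three sites, e.g. `LDAPMod **grown = ber_memrealloc(*modlist, (cMods + 2) * sizeof(LDAPMod *)); if (grown == NULL) return ENOMEM; *modlist = grown;`. Separately, the rewrite dropped the comment `/* Caller allocates memory on our behalf, unlike LDAP_addmod. */` although `bValue->bv_val = value` still stores the caller's buffer rather than a copy, so that ownership note should return above the assignment; the `;;` after the `ber_memalloc(sizeof(struct berval))` call is a stray.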
@@ -132,59 +164,34 @@ static krb5_error_code LDAP_addmod(LDAPMod *** modlist, int modop, const char *attribute, const char *value) { - LDAPMod **mods = *modlist; - int i, j; + int cMods, cValues = 0; + krb5_error_code ret; - if (mods == NULL) { - mods = (LDAPMod **) calloc(1, sizeof(LDAPMod *)); - if (mods == NULL) { - return ENOMEM; - } - mods[0] = NULL; + ret = LDAP__setmod(modlist, modop, attribute, &cMods); + if (ret != 0) { + return ret; } - for (i = 0; mods[i] != NULL; ++i) { - if (mods[i]->mod_op == modop - && (!strcasecmp(mods[i]->mod_type, attribute))) { - break; - } - } + if (value != NULL) { + char ***pValues = &((*modlist)[cMods]->mod_values); - if (mods[i] == NULL) { - mods = (LDAPMod **) realloc(mods, (i + 2) * sizeof(LDAPMod *)); - if (mods == NULL) { - return ENOMEM; + if (*pValues != NULL) { + for (cValues = 0; (*pValues)[cValues] != NULL; cValues++) + ; + *pValues = (char **)ber_memrealloc(*pValues, (cValues + 2) * sizeof(char *)); + } else { + *pValues = (char **)ber_memalloc(2 * sizeof(char *)); } - mods[i] = (LDAPMod *) malloc(sizeof(LDAPMod)); - if (mods[i] == NULL) { + if (*pValues == NULL) { return ENOMEM; } - mods[i]->mod_op = modop; - mods[i]->mod_values = NULL; - mods[i]->mod_type = strdup(attribute); - if (mods[i]->mod_type == NULL) { + (*pValues)[cValues] = ber_strdup(value); + if ((*pValues)[cValues] == NULL) { return ENOMEM; } - mods[i + 1] = NULL; + (*pValues)[cValues + 1] = NULL; } - if (value != NULL) { - j = 0; - if (mods[i]->mod_values != NULL) { - for (; mods[i]->mod_values[j] != NULL; j++); - } - mods[i]->mod_values = (char **) realloc(mods[i]->mod_values, - (j + 2) * sizeof(char *)); - if (mods[i]->mod_values == NULL) { - return ENOMEM; - } - mods[i]->mod_values[j] = strdup(value); - if (mods[i]->mod_values[j] == NULL) { - return ENOMEM; - } - mods[i]->mod_values[j + 1] = NULL; - } - *modlist = mods; return 0; } 
@@ -421,12 +428,10 @@ LDAP_entry2mods(krb5_context context, HDB * db, hdb_entry * ent, } } - memset(&oflags, 0, sizeof(oflags)); - memcpy(&oflags, &orig.flags, sizeof(HDBFlags)); - memset(&nflags, 0, sizeof(nflags)); - memcpy(&nflags, &ent->flags, sizeof(HDBFlags)); + oflags = HDBFlags2int(orig.flags); + nflags = HDBFlags2int(ent->flags); - if (memcmp(&oflags, &nflags, sizeof(HDBFlags))) { + if (oflags != nflags) { rc = asprintf(&tmp, "%lu", nflags); if (rc < 0) { krb5_set_error_string(context, "asprintf: out of memory"); @@ -629,7 +634,7 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, char **values; memset(ent, 0, sizeof(*ent)); - memset(&ent->flags, 0, sizeof(HDBFlags)); + ent->flags = int2HDBFlags(0); ret = LDAP_get_string_value(db, msg, "krb5PrincipalName", @@ -801,7 +806,7 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg, } else { tmp = 0; } - memcpy(&ent->flags, &tmp, sizeof(HDBFlags)); + ent->flags = int2HDBFlags(tmp); values = ldap_get_values((LDAP *) db->db, msg, "krb5EncryptionType"); if (values != NULL) { @@ -953,6 +958,13 @@ LDAP_rename(krb5_context context, HDB * db, const char *new_name) static krb5_error_code LDAP__connect(krb5_context context, HDB * db) { int rc, version = LDAP_VERSION3; + /* + * Empty credentials to do a SASL bind with LDAP. Note that empty + * different from NULL credentials. If you provide NULL + * credentials instead of empty credentials you will get a SASL + * bind in progress message. + */ + struct berval bv = { 0, "" }; if (db->db != NULL) { /* connection has been opened. ping server. */ 
@@ -986,6 +998,14 @@ static krb5_error_code LDAP__connect(krb5_context context, HDB * db) return HDB_ERR_BADVERSION; } + rc = ldap_sasl_bind_s((LDAP *) db->db, NULL, "EXTERNAL", &bv, NULL, NULL, NULL); + if (rc != LDAP_SUCCESS) { + krb5_set_error_string(context, "ldap_sasl_bind_s: %s", ldap_err2string(rc)); + ldap_unbind_ext((LDAP *) db->db, NULL, NULL); + db->db = NULL; + return HDB_ERR_BADVERSION; + } + return 0; } @@ -1104,7 +1124,7 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags, ret = asprintf(&dn, "cn=%s,%s", name, db->name); } else { /* A bit bogus, but we don't have a search base */ - ret = asprintf(&dn, "cn=%s", name, db->name); + ret = asprintf(&dn, "cn=%s", name); } if (ret < 0) { krb5_set_error_string(context, "asprintf: out of memory"); @@ -1134,7 +1154,8 @@ LDAP_store(krb5_context context, HDB * db, unsigned flags, if (rc == LDAP_SUCCESS) { ret = 0; } else { - krb5_set_error_string(context, "%s: %s", errfn, ldap_err2string(rc)); + krb5_set_error_string(context, "%s: %s (dn=%s) %s", + errfn, name, dn, ldap_err2string(rc)); ret = HDB_ERR_CANT_LOCK_DB; } diff --git a/lib/hdb/hdb_locl.h b/lib/hdb/hdb_locl.h index a7f8138b0..1bd6befe7 100644 --- a/lib/hdb/hdb_locl.h +++ b/lib/hdb/hdb_locl.h @@ -54,6 +54,9 @@ #ifdef HAVE_SYS_FILE_H #include #endif +#ifdef HAVE_LIMITS_H +#include +#endif #include #include "crypto-headers.h" diff --git a/lib/kadm5/ChangeLog b/lib/kadm5/ChangeLog index 1879c1996..51b559bf7 100644 --- a/lib/kadm5/ChangeLog +++ b/lib/kadm5/ChangeLog @@ -1,3 +1,19 @@ +2003-12-30 Love Hörnquist Åstrand + + * chpass_s.c: from 1.14->1.15: + (change): fix same-password-again by decrypting keys and setting + an error code. From: Buck Huppmann + +2003-12-21 Love Hörnquist Åstrand + + * init_c.c: 1.47->1.48: (_kadm5_c_init_context): catch errors from + strdup and other krb5_ functions + +2003-08-15 Love Hörnquist Åstrand + + * ipropd_slave.c: 1.27->1.28: (receive_everything): switch close + and rename 
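Review bot: The new `ldap_sasl_bind_s` failure path in LDAP__connect returns `HDB_ERR_BADVERSION`, the same code the preceding protocol-version check uses, so a caller cannot distinguish "server does not speak LDAPv3" from "EXTERNAL bind rejected"; the real reason survives only in the error string. Because the mechanism is `EXTERNAL`, the identity the directory sees is whatever the transport supplies (peer credentials on a local socket, or a TLS client certificate), which is the access control the KDC's database connection now relies on and deserves a sentence in the comment added in `@@ -953`, e.g. `/* EXTERNAL: the server authenticates us from the transport (ldapi peer credentials or TLS client cert); no password is sent */`. That comment also has a garbled sentence (`empty different from NULL credentials`) worth fixing. If the HDB error table has a code suited to authentication failures, prefer it here over reusing the version error.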
From: Alf Wachsmann + 2003-04-16 Love Hörnquist Åstrand * send_recv.c: check return values from krb5_data_alloc diff --git a/lib/kadm5/Makefile.am b/lib/kadm5/Makefile.am index 410eafacf..034144d96 100644 --- a/lib/kadm5/Makefile.am +++ b/lib/kadm5/Makefile.am @@ -3,8 +3,8 @@ include $(top_srcdir)/Makefile.am.common lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la -libkadm5srv_la_LDFLAGS = -version-info 7:5:0 -libkadm5clnt_la_LDFLAGS = -version-info 6:3:2 +libkadm5srv_la_LDFLAGS = -version-info 7:6:0 +libkadm5clnt_la_LDFLAGS = -version-info 6:4:2 sbin_PROGRAMS = dump_log replay_log truncate_log libkadm5srv_la_LIBADD = ../krb5/libkrb5.la ../hdb/libhdb.la ../roken/libroken.la diff --git a/lib/kadm5/chpass_s.c b/lib/kadm5/chpass_s.c index d75c945a5..1ee1cf02c 100644 --- a/lib/kadm5/chpass_s.c +++ b/lib/kadm5/chpass_s.c @@ -53,7 +53,7 @@ change(void *server_handle, if(ret) return ret; ret = context->db->fetch(context->context, context->db, - 0, &ent); + HDB_F_DECRYPT, &ent); if(ret == HDB_ERR_NOENTRY) goto out; @@ -73,9 +73,11 @@ change(void *server_handle, keys, num_keys); _kadm5_free_keys (server_handle, num_keys, keys); - if (cmp == 0) - goto out2; - + if (cmp == 0) { + krb5_set_error_string(context->context, "Password reuse forbidden"); + ret = KADM5_PASS_REUSE; + goto out2; + } ret = _kadm5_set_modifier(context, &ent); if(ret) goto out2; diff --git a/lib/kadm5/init_c.c b/lib/kadm5/init_c.c index f142ec153..ec349ac07 100644 --- a/lib/kadm5/init_c.c +++ b/lib/kadm5/init_c.c 
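Review bot: `change` now fetches the entry with `HDB_F_DECRYPT`, so from that point the principal's existing long-term keys sit in cleartext in `ent` (that is what makes the `cmp == 0` reuse check meaningful), and the new `KADM5_PASS_REUSE` path jumps to `out2` with them still in memory. What `out2` does is outside the hunk; please confirm it releases `ent` on this early exit in a way that clears the key material, not only on the success path. A comment next to the fetch, `/* keys are decrypted from here on: ent must be wiped on every exit below */`, would keep that invariant visible to the next person adding an exit.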
@@ -72,24 +72,37 @@ _kadm5_c_init_context(kadm5_client_context **ctx, krb5_add_et_list (context, initialize_kadm5_error_table_r); set_funcs(*ctx); (*ctx)->context = context; - if(params->mask & KADM5_CONFIG_REALM) + if(params->mask & KADM5_CONFIG_REALM) { + ret = 0; (*ctx)->realm = strdup(params->realm); - else - krb5_get_default_realm((*ctx)->context, &(*ctx)->realm); + if ((*ctx)->realm == NULL) + ret = ENOMEM; + } else + ret = krb5_get_default_realm((*ctx)->context, &(*ctx)->realm); + if (ret) { + free(*ctx); + return ret; + } if(params->mask & KADM5_CONFIG_ADMIN_SERVER) (*ctx)->admin_server = strdup(params->admin_server); else { char **hostlist; ret = krb5_get_krb_admin_hst (context, &(*ctx)->realm, &hostlist); - if (ret) + if (ret) { + free((*ctx)->realm); + free(*ctx); return ret; + } (*ctx)->admin_server = strdup(*hostlist); krb5_free_krbhst (context, hostlist); } - if ((*ctx)->admin_server == NULL) + if ((*ctx)->admin_server == NULL) { return ENOMEM; + free((*ctx)->realm); + free(*ctx); + } colon = strchr ((*ctx)->admin_server, ':'); if (colon != NULL) *colon++ = '\0'; diff --git a/lib/kadm5/ipropd_slave.c b/lib/kadm5/ipropd_slave.c index a3ec74782..f22851d42 100644 --- a/lib/kadm5/ipropd_slave.c +++ b/lib/kadm5/ipropd_slave.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -301,12 +301,14 @@ receive_everything (krb5_context context, int fd, krb5_data_free (&data); - ret = mydb->close (context, mydb); - if (ret) - krb5_err (context, 1, ret, "db->close"); ret = mydb->rename (context, mydb, server_context->db->name); if (ret) krb5_err (context, 1, ret, "db->rename"); + + ret = mydb->close (context, mydb); + if (ret) + krb5_err (context, 1, ret, "db->close"); + ret = mydb->destroy (context, mydb); if (ret) krb5_err (context, 1, ret, "db->destroy"); 
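Review bot: In _kadm5_c_init_context the new block `if ((*ctx)->admin_server == NULL) { return ENOMEM; free((*ctx)->realm); free(*ctx); }` returns before the two `free` calls, so they are dead code and the realm and context leak exactly as before; reorder to `free((*ctx)->realm); free(*ctx); return ENOMEM;`. The other new error exits free `*ctx` but leave the caller's `*ctx` pointing at freed memory, so either set `*ctx = NULL` before each `return ret;` or document that `*ctx` is undefined on failure. The function continues past the end of this hunk, so any later exits that need the same cleanup are not visible here.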
diff --git a/lib/kadm5/truncate_log.c b/lib/kadm5/truncate_log.c index 24cf56a8b..7f8061be1 100644 --- a/lib/kadm5/truncate_log.c +++ b/lib/kadm5/truncate_log.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 Kungliga Tekniska Högskolan + * Copyright (c) 2000, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -83,6 +83,7 @@ main(int argc, char **argv) server_context = (kadm5_server_context *)kadm_handle; ret = kadm5_log_truncate (server_context); + if(ret) krb5_err (context, 1, ret, "kadm5_log_truncate"); return 0; } diff --git a/lib/kafs/ChangeLog b/lib/kafs/ChangeLog index 1adce00ca..2f1bb02e7 100644 --- a/lib/kafs/ChangeLog +++ b/lib/kafs/ChangeLog @@ -1,3 +1,22 @@ +2004-06-22 Love + + * afssys.c: 1.70->1.72: s/arla/nnpfs/ + +2004-06-22 Love Hörquist Åstrand + + * afssys.c: 1.70: support the linux /proc/fs/mumel/afs_ioctl afs + "syscall" interface + +2003-04-23 Love Hörquist Åstrand + + * common.c, kafs.h: drop the int argument (the error code) from + the logging function + +2003-04-22 Johan Danielsson + + * afskrb5.c (v5_convert): better match what other functions do + with values from krb5.conf, like case insensitivity + 2003-04-16 Love Hörquist Åstrand * kafs.3: Change .Fd #include to .In header.h diff --git a/lib/kafs/Makefile.am b/lib/kafs/Makefile.am index de218fba7..b1f63ee07 100644 --- a/lib/kafs/Makefile.am +++ b/lib/kafs/Makefile.am @@ -54,7 +54,7 @@ endif # AIX libkafs_la_LIBADD = $(DEPLIB_krb5) ../roken/libroken.la $(DEPLIB_krb4) lib_LTLIBRARIES = libkafs.la -libkafs_la_LDFLAGS = -version-info 3:5:3 +libkafs_la_LDFLAGS = -version-info 4:0:4 foodir = $(libdir) foo_DATA = $(AFS_EXTRA_LIBS) # EXTRA_DATA = afslib.so diff --git a/lib/kafs/afskrb5.c b/lib/kafs/afskrb5.c index 0171cf33c..194702248 100644 --- a/lib/kafs/afskrb5.c +++ b/lib/kafs/afskrb5.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2001, 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1995-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -129,11 +129,12 @@ v5_convert(krb5_context context, krb5_ccache id, "afs-use-524", "yes", &val); free(c); - if (strcmp("no", val) == 0) { - ret = v5_to_kt(cred, uid, kt, 0); - } else if (strcmp("local", val) == 0 || strcmp("2b", val) == 0) { + if (strcasecmp(val, "local") == 0 || + strcasecmp(val, "2b") == 0) ret = v5_to_kt(cred, uid, kt, 1); - } else { /* "yes" */ + else if(strcasecmp(val, "yes") == 0 || + strcasecmp(val, "true") == 0 || + atoi(val)) { struct credentials c; if (id == NULL) @@ -141,11 +142,14 @@ v5_convert(krb5_context context, krb5_ccache id, else ret = krb524_convert_creds_kdc_ccache(context, id, cred, &c); if (ret) - return ret; + goto out; ret = _kafs_v4_to_kt(&c, uid, kt); - } + } else + ret = v5_to_kt(cred, uid, kt, 0); + out: + free(val); return ret; } diff --git a/lib/kafs/afssys.c b/lib/kafs/afssys.c index f6694bbad..ff6283092 100644 --- a/lib/kafs/afssys.c +++ b/lib/kafs/afssys.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2000, 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2000, 2002, 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,6 +35,16 @@ RCSID("$Id$"); +struct procdata { + unsigned long param4; + unsigned long param3; + unsigned long param2; + unsigned long param1; + unsigned long syscall; +}; +#define VIOC_SYSCALL _IOW('C', 1, void *) + + int _kafs_debug; /* this should be done in a better way */ #define NO_ENTRY_POINT 0 
@@ -42,10 +52,12 @@ int _kafs_debug; /* this should be done in a better way */ #define MULTIPLE_ENTRY_POINT 2 #define SINGLE_ENTRY_POINT2 3 #define SINGLE_ENTRY_POINT3 4 -#define AIX_ENTRY_POINTS 5 -#define UNKNOWN_ENTRY_POINT 6 +#define LINUX_PROC_POINT 5 +#define AIX_ENTRY_POINTS 6 +#define UNKNOWN_ENTRY_POINT 7 static int afs_entry_point = UNKNOWN_ENTRY_POINT; static int afs_syscalls[2]; +static char *afs_procpath; /* Magic to get AIX syscalls to work */ #ifdef _AIX @@ -132,6 +144,37 @@ map_syscall_name_to_number (const char *str, int *res) return -1; } +static int +try_proc(const char *path) +{ + int fd; + fd = open(path, O_RDWR); + if (fd < 0) + return 1; + close(fd); + afs_procpath = strdup(path); + if (afs_procpath == NULL) + return 1; + afs_entry_point = LINUX_PROC_POINT; + return 0; +} + +static int +do_proc(struct procdata *data) +{ + int fd, ret, saved_errno; + fd = open(afs_procpath, O_RDWR); + if (fd < 0) { + errno = EINVAL; + return -1; + } + ret = ioctl(fd, VIOC_SYSCALL, data); + saved_errno = errno; + close(fd); + errno = saved_errno; + return ret; +} + int k_pioctl(char *a_path, int o_opcode, @@ -152,12 +195,19 @@ k_pioctl(char *a_path, return syscall(afs_syscalls[0], a_path, o_opcode, a_paramsP, a_followSymlinks); #endif + case LINUX_PROC_POINT: { + struct procdata data = { 0, 0, 0, 0, AFSCALL_PIOCTL }; + data.param1 = (unsigned long)a_path; + data.param2 = (unsigned long)o_opcode; + data.param3 = (unsigned long)a_paramsP; + data.param4 = (unsigned long)a_followSymlinks; + return do_proc(&data); + } #ifdef _AIX case AIX_ENTRY_POINTS: return Pioctl(a_path, o_opcode, a_paramsP, a_followSymlinks); #endif - } - + } errno = ENOSYS; #ifdef SIGSYS kill(getpid(), SIGSYS); /* You lose! */ @@ -200,6 +250,10 @@ k_setpag(void) case MULTIPLE_ENTRY_POINT: return syscall(afs_syscalls[1]); #endif + case LINUX_PROC_POINT: { + struct procdata data = { 0, 0, 0, 0, AFSCALL_SETPAG }; + return do_proc(&data); + } #ifdef _AIX case AIX_ENTRY_POINTS: return Setpag(); 
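Review bot: do_proc overwrites `errno` with `EINVAL` when `open(afs_procpath, O_RDWR)` fails, so a caller of k_pioctl sees EINVAL for what is really a permission or missing-node problem on the proc file (EACCES/ENOENT), which makes AFS failures on the proc interface hard to diagnose; leaving the `open` errno intact, or using `ENOSYS` to match the "no AFS" convention at the bottom of k_pioctl, would be clearer. try_proc returns 1 both when the node is absent and when `strdup` fails after a successful open, silently turning out-of-memory into "not present", and its return convention is undocumented; suggest `/* returns 0 when path is a usable afs_ioctl node and has become the entry point, non-zero otherwise */` above it. `VIOC_SYSCALL` is built with `_IOW`, which needs `<sys/ioctl.h>`; the include list is not in any hunk shown, so please confirm it is present.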
@@ -388,6 +442,13 @@ k_hasafs(void) goto done; #endif + if (try_proc("/proc/fs/openafs/afs_ioctl") == 0) + goto done; + if (try_proc("/proc/fs/nnpfs/afs_ioctl") == 0) + goto done; + if (env && try_proc(env) == 0) + goto done; + done: #ifdef SIGSYS signal(SIGSYS, saved_func); diff --git a/lib/kafs/common.c b/lib/kafs/common.c index 2e2474798..a55f6ac2b 100644 --- a/lib/kafs/common.c +++ b/lib/kafs/common.c @@ -45,7 +45,7 @@ RCSID("$Id$"); #define ToAsciiUpper(c) ((c) - 'a' + 'A') -static void (*kafs_verbose)(void *, const char *, int); +static void (*kafs_verbose)(void *, const char *); static void *kafs_verbose_ctx; void @@ -60,7 +60,7 @@ _kafs_foldup(char *a, const char *b) } void -kafs_set_verbose(void (*f)(void *, const char *, int), void *ctx) +kafs_set_verbose(void (*f)(void *, const char *), void *ctx) { if (f) { kafs_verbose = f; @@ -374,7 +374,7 @@ _kafs_try_get_cred(kafs_data *data, const char *user, const char *cell, asprintf(&str, "%s tried afs%s%s@%s -> %d", data->name, cell[0] == '\0' ? "" : "/", cell, realm, ret); - (*kafs_verbose)(kafs_verbose_ctx, str, ret); + (*kafs_verbose)(kafs_verbose_ctx, str); free(str); } diff --git a/lib/kafs/kafs.h b/lib/kafs/kafs.h index 81d1ceaa2..b475a1b16 100644 --- a/lib/kafs/kafs.h +++ b/lib/kafs/kafs.h @@ -144,8 +144,7 @@ int k_afs_cell_of_file __P((const char *path, char *cell, int len)); #define KRB5_H_INCLUDED #endif -void kafs_set_verbose __P((void (*kafs_verbose)(void *, const char *, int), - void *)); +void kafs_set_verbose __P((void (*kafs_verbose)(void *, const char *), void *)); int kafs_settoken_rxkad __P((const char *, struct ClearToken *, void *ticket, size_t ticket_len)); #ifdef KRB_H_INCLUDED diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am index c2f72ce8d..319026b55 100644 --- a/lib/krb5/Makefile.am +++ b/lib/krb5/Makefile.am 
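Review bot: The third probe, `if (env && try_proc(env) == 0)`, opens `O_RDWR` and later drives with `VIOC_SYSCALL` whatever path `env` names; `env` is assigned outside this hunk, and if it is the value of an environment variable (as the name suggests and as the surrounding syscall-number probing appears to do) then in a set-user-id program the caller's environment selects the file this library opens and ioctls. Such environment-driven probes are normally skipped when the process is set-id (`getuid() != geteuid()`, or `issetugid()` where available), while the two fixed `/proc/fs/...` paths remain safe to try. The ordering also means the variable cannot override an already detected syscall interface, which is fine but worth a comment: `/* last resort: an explicitly configured afs_ioctl node */`. k_hasafs starts well before this hunk, so I could not verify where `env` comes from.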
@@ -132,7 +132,7 @@ libkrb5_la_SOURCES = \ write_message.c \ $(ERR_FILES) -libkrb5_la_LDFLAGS = -version-info 18:4:1 +libkrb5_la_LDFLAGS = -version-info 20:0:3 $(libkrb5_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h @@ -173,6 +173,7 @@ man_MANS = \ krb5_parse_name.3 \ krb5_principal_get_realm.3 \ krb5_set_default_realm.3 \ + krb5_set_password.3 \ krb5_sname_to_principal.3 \ krb5_timeofday.3 \ krb5_unparse_name.3 \ diff --git a/lib/krb5/changepw.c b/lib/krb5/changepw.c index a50f56d2e..8f5ff6b17 100644 --- a/lib/krb5/changepw.c +++ b/lib/krb5/changepw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,13 +35,40 @@ RCSID("$Id$"); +static void +str2data (krb5_data *d, + const char *fmt, + ...) __attribute__ ((format (printf, 2, 3))); + +static void +str2data (krb5_data *d, + const char *fmt, + ...) +{ + va_list args; + + va_start(args, fmt); + d->length = vasprintf ((char **)&d->data, fmt, args); + va_end(args); +} + +/* + * Change password protocol defined by + * draft-ietf-cat-kerb-chg-password-02.txt + * + * Share the response part of the protocol with MS set password + * (RFC3244) + */ + static krb5_error_code -send_request (krb5_context context, - krb5_auth_context *auth_context, - krb5_creds *creds, - int sock, - char *passwd, - const char *host) +chgpw_send_request (krb5_context context, + krb5_auth_context *auth_context, + krb5_creds *creds, + krb5_principal targprinc, + int is_stream, + int sock, + char *passwd, + const char *host) { krb5_error_code ret; krb5_data ap_req_data; 
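Review bot: `str2data`, moved up in this hunk, assigns the `vasprintf` result straight to `d->length`; on allocation failure that is -1, which becomes a huge unsigned length while `d->data` is unspecified, so a result string built under memory pressure would be read far out of bounds by whoever prints it. Guard it: `int r = vasprintf((char **)&d->data, fmt, args); if (r < 0) { d->data = NULL; d->length = 0; } else d->length = r;`. The new `is_stream` and `targprinc` parameters of chgpw_send_request also want a line in the comment block above it saying that this protocol supports neither (the checks are in the next hunk), so a reader does not look for stream framing here.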
@@ -53,6 +80,13 @@ send_request (krb5_context context, struct iovec iov[3]; struct msghdr msghdr; + if (is_stream) + return KRB5_KPASSWD_MALFORMED; + + if (targprinc && + krb5_principal_compare(context, creds->client, targprinc) != TRUE) + return KRB5_KPASSWD_MALFORMED; + krb5_data_zero (&ap_req_data); ret = krb5_mk_req_extended (context, 
@@ -114,26 +148,120 @@ out2: return ret; } -static void -str2data (krb5_data *d, - const char *fmt, - ...) __attribute__ ((format (printf, 2, 3))); +/* + * Set password protocol as defined by RFC3244 -- + * Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols + */ -static void -str2data (krb5_data *d, - const char *fmt, - ...) +static krb5_error_code +setpw_send_request (krb5_context context, + krb5_auth_context *auth_context, + krb5_creds *creds, + krb5_principal targprinc, + int is_stream, + int sock, + char *passwd, + const char *host) { - va_list args; + krb5_error_code ret; + krb5_data ap_req_data; + krb5_data krb_priv_data; + krb5_data pwd_data; + ChangePasswdDataMS chpw; + size_t len; + u_char header[4 + 6]; + u_char *p; + struct iovec iov[3]; + struct msghdr msghdr; - va_start(args, fmt); - d->length = vasprintf ((char **)&d->data, fmt, args); - va_end(args); + krb5_data_zero (&ap_req_data); + + ret = krb5_mk_req_extended (context, + auth_context, + AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, + NULL, /* in_data */ + creds, + &ap_req_data); + if (ret) + return ret; + + chpw.newpasswd.length = strlen(passwd); + chpw.newpasswd.data = passwd; + if (targprinc) { + chpw.targname = &targprinc->name; + chpw.targrealm = &targprinc->realm; + } else { + chpw.targname = NULL; + chpw.targrealm = NULL; + } + + ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length, + &chpw, &len, ret); + if (ret) { + krb5_data_free (&ap_req_data); + return ret; + } + + if(pwd_data.length != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + + ret = krb5_mk_priv (context, + *auth_context, + &pwd_data, + &krb_priv_data, + NULL); + if (ret) + goto out2; + + len = 6 + ap_req_data.length + krb_priv_data.length; + p = header; + if (is_stream) { + _krb5_put_int(p, len, 4); + p += 4; + } + *p++ = (len >> 8) & 0xFF; + *p++ = (len >> 0) & 0xFF; + *p++ = 0xff; + *p++ = 0x80; + *p++ = (ap_req_data.length >> 8) & 0xFF; + *p++ = (ap_req_data.length 
>> 0) & 0xFF; + + memset(&msghdr, 0, sizeof(msghdr)); + msghdr.msg_name = NULL; + msghdr.msg_namelen = 0; + msghdr.msg_iov = iov; + msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov); +#if 0 + msghdr.msg_control = NULL; + msghdr.msg_controllen = 0; +#endif + + iov[0].iov_base = (void*)header; + if (is_stream) + iov[0].iov_len = 10; + else + iov[0].iov_len = 6; + iov[1].iov_base = ap_req_data.data; + iov[1].iov_len = ap_req_data.length; + iov[2].iov_base = krb_priv_data.data; + iov[2].iov_len = krb_priv_data.length; + + if (sendmsg (sock, &msghdr, 0) < 0) { + ret = errno; + krb5_set_error_string(context, "sendmsg %s: %s", host, strerror(ret)); + } + + krb5_data_free (&krb_priv_data); +out2: + krb5_data_free (&ap_req_data); + krb5_data_free (&pwd_data); + return ret; } static krb5_error_code process_reply (krb5_context context, krb5_auth_context auth_context, + int is_stream, int sock, int *result_code, krb5_data *result_code_string, 
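Review bot: In setpw_send_request `pwd_data` holds the DER encoding of `ChangePasswdDataMS`, i.e. the new password in cleartext, and at `out2` it is released with `krb5_data_free(&pwd_data)` without being cleared first, so the password remains in freed heap memory for the rest of the process lifetime. Clear it before freeing: `memset(pwd_data.data, 0, pwd_data.length);` immediately before `krb5_data_free (&pwd_data);` (the `ap_req_data` and `krb_priv_data` buffers are already encrypted and do not need this). On the `ASN1_MALLOC_ENCODE` failure path `pwd_data` is never initialised and is correctly not freed, but a comment on the `out2:` label stating that `pwd_data` is valid only once encoding succeeded would stop a future edit from moving the label.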
@@ -141,30 +269,101 @@ process_reply (krb5_context context, const char *host) { krb5_error_code ret; - u_char reply[BUFSIZ]; - size_t len; + u_char reply[1024 * 3]; + ssize_t len; u_int16_t pkt_len, pkt_ver; - krb5_data ap_rep_data, priv_data; + krb5_data ap_rep_data; int save_errno; - ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL); - if (ret < 0) { - save_errno = errno; - krb5_set_error_string(context, "recvfrom %s: %s", - host, strerror(save_errno)); - return save_errno; + len = 0; + if (is_stream) { + while (len < sizeof(reply)) { + unsigned long size; + + ret = recvfrom (sock, reply + len, sizeof(reply) - len, + 0, NULL, NULL); + if (ret < 0) { + save_errno = errno; + krb5_set_error_string(context, "recvfrom %s: %s", + host, strerror(save_errno)); + return save_errno; + } else if (ret == 0) { + krb5_set_error_string(context, "recvfrom timeout %s", host); + return 1; + } + len += ret; + if (len < 4) + continue; + _krb5_get_int(reply, &size, 4); + if (size + 4 < len) + continue; + memmove(reply, reply + 4, size); + len = size; + break; + } + if (len == sizeof(reply)) { + krb5_set_error_string(context, "message too large from %s", + host); + return ENOMEM; + } + } else { + ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL); + if (ret < 0) { + save_errno = errno; + krb5_set_error_string(context, "recvfrom %s: %s", + host, strerror(save_errno)); + return save_errno; + } + len = ret; + } + + if (len < 6) { + str2data (result_string, "server %s sent to too short message " + "(%d bytes)", host, len); + *result_code = KRB5_KPASSWD_MALFORMED; + return 0; } - len = ret; pkt_len = (reply[0] << 8) | (reply[1]); pkt_ver = (reply[2] << 8) | (reply[3]); + if ((pkt_len != len) || (reply[1] == 0x7e || reply[1] == 0x5e)) { + KRB_ERROR error; + size_t size; + u_char *p; + + memset(&error, 0, sizeof(error)); + + ret = decode_KRB_ERROR(reply, len, &error, &size); + if (ret) + return ret; + + if (error.e_data->length < 2) { + str2data(result_string, "server %s 
sent too short " + "e_data to print anything usable", host); + free_KRB_ERROR(&error); + *result_code = KRB5_KPASSWD_MALFORMED; + return 0; + } + + p = error.e_data->data; + *result_code = (p[0] << 8) | p[1]; + if (error.e_data->length == 2) + str2data(result_string, "server only sent error code"); + else + krb5_data_copy (result_string, + p + 2, + error.e_data->length - 2); + free_KRB_ERROR(&error); + return 0; + } + if (pkt_len != len) { str2data (result_string, "client: wrong len in reply"); *result_code = KRB5_KPASSWD_MALFORMED; return 0; } - if (pkt_ver != 0x0001) { + if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW) { str2data (result_string, "client: wrong version number (%d)", pkt_ver); *result_code = KRB5_KPASSWD_MALFORMED; @@ -173,15 +372,21 @@ process_reply (krb5_context context, ap_rep_data.data = reply + 6; ap_rep_data.length = (reply[4] << 8) | (reply[5]); - priv_data.data = (u_char*)ap_rep_data.data + ap_rep_data.length; - priv_data.length = len - ap_rep_data.length - 6; - if ((u_char *)priv_data.data + priv_data.length > reply + len) - return KRB5_KPASSWD_MALFORMED; + if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) { + str2data (result_string, "client: wrong AP len in reply"); + *result_code = KRB5_KPASSWD_MALFORMED; + return 0; + } + if (ap_rep_data.length) { krb5_ap_rep_enc_part *ap_rep; + krb5_data priv_data; u_char *p; + priv_data.data = (u_char*)ap_rep_data.data + ap_rep_data.length; + priv_data.length = len - ap_rep_data.length - 6; + ret = krb5_rd_rep (context, auth_context, &ap_rep_data, 
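Review bot: In the `is_stream` read loop the four-byte record length `size` comes straight off the wire and is handed to `memmove(reply, reply + 4, size)` without being bounded by `sizeof(reply) - 4` or by the bytes actually received, so a reply whose length prefix exceeds the buffer reads past `reply`; a check before the memmove, `if (size > sizeof(reply) - 4) { krb5_set_error_string(context, "message too large from %s", host); return ENOMEM; }`, is needed. The `if (size + 4 < len) continue;` test also looks inverted — it keeps reading when more than a full record is present rather than when the record is still incomplete (`if (size + 4 > len) continue;`), which is worth confirming against the intended framing. Further down, `error.e_data->length` is dereferenced right after `decode_KRB_ERROR`, but `e_data` is a pointer to an optional field and may be NULL; `if (error.e_data == NULL || error.e_data->length < 2)` routes that case to the existing malformed-reply branch (which already calls `free_KRB_ERROR`).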
@@ -207,13 +412,14 @@ process_reply (krb5_context context, "client: bad length in result"); return 0; } - p = result_code_string->data; + + p = result_code_string->data; - *result_code = (p[0] << 8) | p[1]; - krb5_data_copy (result_string, - (unsigned char*)result_code_string->data + 2, - result_code_string->length - 2); - return 0; + *result_code = (p[0] << 8) | p[1]; + krb5_data_copy (result_string, + (unsigned char*)result_code_string->data + 2, + result_code_string->length - 2); + return 0; } else { KRB_ERROR error; size_t size; 
@@ -237,19 +443,77 @@ process_reply (krb5_context context, } } + /* * change the password using the credentials in `creds' (for the * principal indicated in them) to `newpw', storing the result of * the operation in `result_*' and an error code or 0. */ -krb5_error_code -krb5_change_password (krb5_context context, +typedef krb5_error_code (*kpwd_send_request) (krb5_context, + krb5_auth_context *, + krb5_creds *, + krb5_principal, + int, + int, + char *, + const char *); +typedef krb5_error_code (*kpwd_process_reply) (krb5_context, + krb5_auth_context, + int, + int, + int *, + krb5_data *, + krb5_data *, + const char *); + +struct kpwd_proc { + const char *name; + int flags; +#define SUPPORT_TCP 1 +#define SUPPORT_UDP 2 + kpwd_send_request send_req; + kpwd_process_reply process_rep; +} procs[] = { + { + "MS set password", + SUPPORT_TCP|SUPPORT_UDP, + setpw_send_request, + process_reply + }, + { + "change password", + SUPPORT_UDP, + chgpw_send_request, + process_reply + }, + { NULL } +}; + +static struct kpwd_proc * +find_chpw_proto(const char *name) +{ + struct kpwd_proc *p; + for (p = procs; p->name != NULL; p++) { + if (strcmp(p->name, name) == 0) + return p; + } + return NULL; +} + +/* + * + */ + +static krb5_error_code +change_password_loop (krb5_context context, krb5_creds *creds, + krb5_principal targprinc, char *newpw, int *result_code, krb5_data *result_code_string, - krb5_data *result_string) + krb5_data *result_string, + struct kpwd_proc *proc) { krb5_error_code ret; krb5_auth_context auth_context = NULL; 
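Review bot: The comment block that documents `krb5_change_password` ("change the password using the credentials in `creds' ...") now sits above the `kpwd_send_request` typedef instead of the function it describes, and the new `find_chpw_proto` and `change_password_loop` definitions get only empty `/* */` placeholders. `procs[]` is also defined without `static`, so the table and its `struct kpwd_proc` type are exported from the library; `static struct kpwd_proc { ... } procs[] = {` keeps it file-local. Suggest moving the misplaced comment and describing the table instead, e.g. `/* password-change protocols known to this client; krb5_set_password tries them in table order */`. `change_password_loop`'s body continues outside the hunk.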
@@ -273,6 +537,22 @@ krb5_change_password (krb5_context context, while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) { struct addrinfo *ai, *a; + int is_stream; + + switch (hi->proto) { + case KRB5_KRBHST_UDP: + if ((proc->flags & SUPPORT_UDP) == 0) + continue; + is_stream = 0; + break; + case KRB5_KRBHST_TCP: + if ((proc->flags & SUPPORT_TCP) == 0) + continue; + is_stream = 1; + break; + default: + continue; + } ret = krb5_krbhst_get_addrinfo(context, hi, &ai); if (ret) @@ -304,12 +584,15 @@ krb5_change_password (krb5_context context, if (!replied) { replied = 0; - ret = send_request (context, - &auth_context, - creds, - sock, - newpw, - hi->hostname); + + ret = (*proc->send_req) (context, + &auth_context, + creds, + targprinc, + is_stream, + sock, + newpw, + hi->hostname); if (ret) { close(sock); goto out; @@ -334,13 +617,14 @@ krb5_change_password (krb5_context context, goto out; } if (ret == 1) { - ret = process_reply (context, - auth_context, - sock, - result_code, - result_code_string, - result_string, - hi->hostname); + ret = (*proc->process_rep) (context, + auth_context, + is_stream, + sock, + result_code, + result_code_string, + result_string, + hi->hostname); if (ret == 0) done = 1; else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL) 
@@ -367,7 +651,148 @@ krb5_change_password (krb5_context context, } } -const char * + +/* + * change the password using the credentials in `creds' (for the + * principal indicated in them) to `newpw', storing the result of + * the operation in `result_*' and an error code or 0. + */ + +krb5_error_code +krb5_change_password (krb5_context context, + krb5_creds *creds, + char *newpw, + int *result_code, + krb5_data *result_code_string, + krb5_data *result_string) +{ + struct kpwd_proc *p = find_chpw_proto("change password"); + + *result_code = KRB5_KPASSWD_MALFORMED; + result_code_string->data = result_string->data = NULL; + result_code_string->length = result_string->length = 0; + + if (p == NULL) + return KRB5_KPASSWD_MALFORMED; + + return change_password_loop(context, creds, NULL, newpw, + result_code, result_code_string, + result_string, p); +} + +/* + * + */ + +krb5_error_code +krb5_set_password(krb5_context context, + krb5_creds *creds, + char *newpw, + krb5_principal targprinc, + int *result_code, + krb5_data *result_code_string, + krb5_data *result_string) +{ + krb5_principal principal = NULL; + krb5_error_code ret = 0; + int i; + + *result_code = KRB5_KPASSWD_MALFORMED; + result_code_string->data = result_string->data = NULL; + result_code_string->length = result_string->length = 0; + + if (targprinc == NULL) { + ret = krb5_get_default_principal(context, &principal); + if (ret) + return ret; + } else + principal = targprinc; + + for (i = 0; procs[i].name != NULL; i++) { + *result_code = 0; + ret = change_password_loop(context, creds, targprinc, newpw, + result_code, result_code_string, + result_string, + &procs[i]); + if (ret == 0 && *result_code == 0) + break; + } + + if (targprinc == NULL) + krb5_free_principal(context, principal); + return ret; +} + +/* + * + */ + +krb5_error_code +krb5_set_password_using_ccache(krb5_context context, + krb5_ccache ccache, + char *newpw, + krb5_principal targprinc, + int *result_code, + krb5_data *result_code_string, + 
krb5_data *result_string) +{ + krb5_creds creds, *credsp; + krb5_error_code ret; + krb5_principal principal = NULL; + + *result_code = KRB5_KPASSWD_MALFORMED; + result_code_string->data = result_string->data = NULL; + result_code_string->length = result_string->length = 0; + + memset(&creds, 0, sizeof(creds)); + + if (targprinc == NULL) { + ret = krb5_cc_get_principal(context, ccache, &principal); + if (ret) + return ret; + } else + principal = targprinc; + + ret = krb5_make_principal(context, &creds.server, + krb5_principal_get_realm(context, principal), + "kadmin", "changepw", NULL); + if (ret) + goto out; + + ret = krb5_cc_get_principal(context, ccache, &creds.client); + if (ret) { + krb5_free_principal(context, creds.server); + goto out; + } + + ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp); + krb5_free_principal(context, creds.server); + krb5_free_principal(context, creds.client); + if (ret) + goto out; + + ret = krb5_set_password(context, + credsp, + newpw, + principal, + result_code, + result_code_string, + result_string); + + krb5_free_creds(context, credsp); + + return ret; + out: + if (targprinc == NULL) + krb5_free_principal(context, principal); + return ret; +} + +/* + * + */ + +const char* krb5_passwd_result_to_string (krb5_context context, int result) { @@ -376,10 +801,13 @@ krb5_passwd_result_to_string (krb5_context context, "Malformed", "Hard error", "Auth error", - "Soft error" + "Soft error" , + "Access denied", + "Bad version", + "Initial flag needed" }; - if (result < 0 || result > KRB5_KPASSWD_SOFTERROR) + if (result < 0 || result > KRB5_KPASSWD_INITIAL_FLAG_NEEDED) return "unknown result code"; else return strings[result]; diff --git a/lib/krb5/config_file.c b/lib/krb5/config_file.c index d3f8d01e9..9415ede27 100644 --- a/lib/krb5/config_file.c +++ b/lib/krb5/config_file.c 
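Review bot: In `krb5_set_password` the principal resolved by `krb5_get_default_principal` when `targprinc` is NULL is stored in `principal` but never used — `change_password_loop` is still called with `targprinc`, so the default principal is looked up, ignored and freed; the call should pass `principal`. In `krb5_set_password_using_ccache` the success path (`krb5_free_creds(context, credsp); return ret;`) bypasses the `out:` cleanup, so the principal obtained from `krb5_cc_get_principal` leaks whenever `targprinc` is NULL; falling through to `out:` after freeing `credsp` fixes it. The `procs` loop in `krb5_set_password` also lets each attempt overwrite `result_string` / `result_code_string` without releasing what the previous protocol stored — presumably a small leak on the fallback path, worth confirming.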
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -113,12 +113,12 @@ parse_section(char *p, krb5_config_section **s, krb5_config_section **parent, * Store the error message in `error_message'. */ -static int +static krb5_error_code parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, const char **error_message) { char buf[BUFSIZ]; - int ret; + krb5_error_code ret; krb5_config_binding *b = NULL; unsigned beg_lineno = *lineno; @@ -152,14 +152,14 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, * */ -static int +static krb5_error_code parse_binding(FILE *f, unsigned *lineno, char *p, krb5_config_binding **b, krb5_config_binding **parent, const char **error_message) { krb5_config_binding *tmp; char *p1, *p2; - int ret = 0; + krb5_error_code ret = 0; p1 = p; while (*p && *p != '=' && !isspace((unsigned char)*p)) @@ -250,6 +250,11 @@ krb5_config_parse_file_debug (const char *fname, ret = EINVAL; /* XXX */ goto out; } else if(*p != '\0') { + if (s == NULL) { + *error_message = "binding before section"; + ret = EINVAL; + goto out; + } ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message); if (ret) goto out; diff --git a/lib/krb5/context.c b/lib/krb5/context.c index 2c6bb3826..67f9d333e 100644 --- a/lib/krb5/context.c +++ b/lib/krb5/context.c @@ -415,6 +415,8 @@ krb5_get_err_text(krb5_context context, krb5_error_code code) p = com_right(context->et_list, code); if(p == NULL) p = strerror(code); + if (p == NULL) + p = "Unknown error"; return p; } diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c index bb9601809..449df63b6 100644 --- a/lib/krb5/crypto.c +++ b/lib/krb5/crypto.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -139,14 +139,15 @@ static krb5_error_code derive_key(krb5_context context, struct key_data *key, const void *constant, size_t len); -static void hmac(krb5_context context, - struct checksum_type *cm, - const void *data, - size_t len, - unsigned usage, - struct key_data *keyblock, - Checksum *result); +static krb5_error_code hmac(krb5_context context, + struct checksum_type *cm, + const void *data, + size_t len, + unsigned usage, + struct key_data *keyblock, + Checksum *result); static void free_key_data(krb5_context context, struct key_data *key); +static krb5_error_code usage2arcfour (krb5_context, int *); /************************************************************ * * @@ -593,12 +594,16 @@ krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, _krb5_put_int(data + datalen - 4, keypart, 4); - hmac(context, c, data, datalen, 0, &ksign, &result); + ret = hmac(context, c, data, datalen, 0, &ksign, &result); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy(p, result.checksum.data, len); memcpy(tmpcksum, result.checksum.data, result.checksum.length); for (i = 0; i < iter; i++) { - hmac(context, c, tmpcksum, result.checksum.length, - 0, &ksign, &result); + ret = hmac(context, c, tmpcksum, result.checksum.length, + 0, &ksign, &result); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy(tmpcksum, result.checksum.data, result.checksum.length); for (j = 0; j < len; j++) p[j] ^= tmpcksum[j]; @@ -1384,7 +1389,7 @@ SHA1_checksum(krb5_context context, } /* HMAC according to RFC2104 */ -static void +static krb5_error_code hmac(krb5_context context, struct checksum_type *cm, const void *data, 
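Review bot: `krb5_PKCS5_PBKDF2` returns a `krb5_error_code` and already has `ret` in scope, yet the new `if (ret) krb5_abortx(context, "hmac failed");` turns what the hunks below show to be an `ENOMEM` from `hmac` into process termination inside a library; here the error can simply be propagated (`if (ret) return ret;`, after releasing whatever the function has allocated — its body continues outside the hunk). The same abort-on-failure pattern is added to the checksum and ARCFOUR callbacks on the following hunks; where those callbacks return `void` an abort may be the only option without changing their signatures, but that trade-off deserves a comment such as `/* hmac() fails only on allocation failure and this callback cannot report errors */`.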
@@ -1398,6 +1403,17 @@ hmac(krb5_context context, size_t key_len; int i; + ipad = malloc(cm->blocksize + len); + if (ipad == NULL) + return ENOMEM; + opad = malloc(cm->blocksize + cm->checksumsize); + if (opad == NULL) { + free(ipad); + return ENOMEM; + } + memset(ipad, 0x36, cm->blocksize); + memset(opad, 0x5c, cm->blocksize); + if(keyblock->key->keyvalue.length > cm->blocksize){ (*cm->checksum)(context, keyblock, @@ -1411,10 +1427,6 @@ hmac(krb5_context context, key = keyblock->key->keyvalue.data; key_len = keyblock->key->keyvalue.length; } - ipad = malloc(cm->blocksize + len); - opad = malloc(cm->blocksize + cm->checksumsize); - memset(ipad, 0x36, cm->blocksize); - memset(opad, 0x5c, cm->blocksize); for(i = 0; i < key_len; i++){ ipad[i] ^= key[i]; opad[i] ^= key[i]; @@ -1430,8 +1442,40 @@ hmac(krb5_context context, free(ipad); memset(opad, 0, cm->blocksize + cm->checksumsize); free(opad); + + return 0; } +krb5_error_code +krb5_hmac(krb5_context context, + krb5_cksumtype cktype, + const void *data, + size_t len, + unsigned usage, + krb5_keyblock *key, + Checksum *result) +{ + struct checksum_type *c = _find_checksum(cktype); + struct key_data kd; + krb5_error_code ret; + + if (c == NULL) { + krb5_set_error_string (context, "checksum type %d not supported", + cktype); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + + kd.key = key; + kd.schedule = NULL; + + ret = hmac(context, c, data, len, usage, &kd, result); + + if (kd.schedule) + krb5_free_data(context, kd.schedule); + + return ret; + } + static void SP_HMAC_SHA1_checksum(krb5_context context, struct key_data *key, 
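Review bot: `krb5_hmac` is a new exported entry point and carries no header comment; the callers on this page pre-allocate `result->checksum` before calling `hmac`, so that expectation should be stated, e.g. `/* Compute the HMAC of `data' under `key' with checksum type `cktype'. `result->checksum' must already point at a buffer of the type's checksum size; returns KRB5_PROG_SUMTYPE_NOSUPP for unknown types. */`. The surrounding `hmac` now allocates `ipad`/`opad` before the key-length branch, so any early `return` added later inside that branch would leak them — worth a one-line note at the allocation.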
@@ -1443,11 +1487,14 @@ SP_HMAC_SHA1_checksum(krb5_context context, struct checksum_type *c = _find_checksum(CKSUMTYPE_SHA1); Checksum res; char sha1_data[20]; + krb5_error_code ret; res.checksum.data = sha1_data; res.checksum.length = sizeof(sha1_data); - hmac(context, c, data, len, usage, key, &res); + ret = hmac(context, c, data, len, usage, key, &res); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy(result->checksum.data, res.checksum.data, result->checksum.length); } @@ -1472,10 +1519,13 @@ HMAC_MD5_checksum(krb5_context context, unsigned char t[4]; unsigned char tmp[16]; unsigned char ksign_c_data[16]; + krb5_error_code ret; ksign_c.checksum.length = sizeof(ksign_c_data); ksign_c.checksum.data = ksign_c_data; - hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c); + ret = hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c); + if (ret) + krb5_abortx(context, "hmac failed"); ksign.key = &kb; kb.keyvalue = ksign_c.checksum; MD5_Init (&md5); @@ -1486,7 +1536,9 @@ HMAC_MD5_checksum(krb5_context context, MD5_Update (&md5, t, 4); MD5_Update (&md5, data, len); MD5_Final (tmp, &md5); - hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result); + ret = hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result); + if (ret) + krb5_abortx(context, "hmac failed"); } /* @@ -1507,6 +1559,7 @@ HMAC_MD5_checksum_enc(krb5_context context, krb5_keyblock kb; unsigned char t[4]; unsigned char ksign_c_data[16]; + krb5_error_code ret; t[0] = (usage >> 0) & 0xFF; t[1] = (usage >> 8) & 0xFF; 
@@ -1515,10 +1568,14 @@ HMAC_MD5_checksum_enc(krb5_context context, ksign_c.checksum.length = sizeof(ksign_c_data); ksign_c.checksum.data = ksign_c_data; - hmac(context, c, t, sizeof(t), 0, key, &ksign_c); + ret = hmac(context, c, t, sizeof(t), 0, key, &ksign_c); + if (ret) + krb5_abortx(context, "hmac failed"); ksign.key = &kb; kb.keyvalue = ksign_c.checksum; - hmac(context, c, data, len, 0, &ksign, result); + ret = hmac(context, c, data, len, 0, &ksign, result); + if (ret) + krb5_abortx(context, "hmac failed"); } struct checksum_type checksum_none = { @@ -1740,18 +1797,18 @@ get_checksum_key(krb5_context context, } static krb5_error_code -do_checksum (krb5_context context, - struct checksum_type *ct, - krb5_crypto crypto, - unsigned usage, - void *data, - size_t len, - Checksum *result) +create_checksum (krb5_context context, + struct checksum_type *ct, + krb5_crypto crypto, + unsigned usage, + void *data, + size_t len, + Checksum *result) { krb5_error_code ret; struct key_data *dkey; int keyed_checksum; - + keyed_checksum = (ct->flags & F_KEYED) != 0; if(keyed_checksum && crypto == NULL) { krb5_clear_error_string (context); @@ -1769,17 +1826,26 @@ do_checksum (krb5_context context, return 0; } -static krb5_error_code -create_checksum(krb5_context context, - krb5_crypto crypto, - unsigned usage, /* not krb5_key_usage */ - krb5_cksumtype type, /* 0 -> pick from crypto */ - void *data, - size_t len, - Checksum *result) +static int +arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto) +{ + return (ct->type == CKSUMTYPE_HMAC_MD5) && + (crypto->key.key->keytype == KEYTYPE_ARCFOUR); +} + +krb5_error_code +krb5_create_checksum(krb5_context context, + krb5_crypto crypto, + krb5_key_usage usage, + int type, + void *data, + size_t len, + Checksum *result) { struct checksum_type *ct = NULL; + unsigned keyusage; + /* type 0 -> pick from crypto */ if (type) { ct = _find_checksum(type); } else if (crypto) { 
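Review bot: `arcfour_checksum_p` dereferences `crypto->key.key->keytype` without a NULL check, but `create_checksum` in the same hunk explicitly accepts `crypto == NULL` (it only errors out for keyed checksums), and `krb5_create_checksum` evaluates the predicate before that check, so asking for `CKSUMTYPE_HMAC_MD5` with a NULL `crypto` crashes instead of returning the unsupported-type error. Make the predicate defensive: `return crypto != NULL && ct->type == CKSUMTYPE_HMAC_MD5 && crypto->key.key->keytype == KEYTYPE_ARCFOUR;`. `krb5_create_checksum` continues on the next hunk.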
@@ -1793,21 +1859,15 @@ create_checksum(krb5_context context, type); return KRB5_PROG_SUMTYPE_NOSUPP; } - return do_checksum (context, ct, crypto, usage, data, len, result); -} -krb5_error_code -krb5_create_checksum(krb5_context context, - krb5_crypto crypto, - krb5_key_usage usage, - int type, - void *data, - size_t len, - Checksum *result) -{ - return create_checksum(context, crypto, - CHECKSUM_USAGE(usage), - type, data, len, result); + if (arcfour_checksum_p(ct, crypto)) { + keyusage = usage; + usage2arcfour(context, &keyusage); + } else + keyusage = CHECKSUM_USAGE(usage); + + return create_checksum(context, ct, crypto, keyusage, + data, len, result); } static krb5_error_code @@ -1825,7 +1885,7 @@ verify_checksum(krb5_context context, struct checksum_type *ct; ct = _find_checksum(cksum->cksumtype); - if(ct == NULL) { + if (ct == NULL) { krb5_set_error_string (context, "checksum type %d not supported", cksum->cksumtype); return KRB5_PROG_SUMTYPE_NOSUPP; @@ -1871,8 +1931,24 @@ krb5_verify_checksum(krb5_context context, size_t len, Checksum *cksum) { - return verify_checksum(context, crypto, - CHECKSUM_USAGE(usage), data, len, cksum); + struct checksum_type *ct; + unsigned keyusage; + + ct = _find_checksum(cksum->cksumtype); + if(ct == NULL) { + krb5_set_error_string (context, "checksum type %d not supported", + cksum->cksumtype); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + + if (arcfour_checksum_p(ct, crypto)) { + keyusage = usage; + usage2arcfour(context, &keyusage); + } else + keyusage = CHECKSUM_USAGE(usage); + + return verify_checksum(context, crypto, keyusage, + data, len, cksum); } krb5_error_code @@ -2108,7 +2184,7 @@ AES_CTS_encrypt(krb5_context context, k = &k[1]; if (len < AES_BLOCK_SIZE) - abort(); + krb5_abortx(context, "invalid use of AES_CTS_encrypt"); if (len == AES_BLOCK_SIZE) { if (encrypt) AES_encrypt(data, data, k); 
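Review bot: `usage2arcfour` is forward-declared as taking `int *` (earlier hunk), but both `krb5_create_checksum` and `krb5_verify_checksum` pass `&keyusage` where `keyusage` is `unsigned`, which is an incompatible-pointer-type warning and relies on the two types sharing a representation; declaring `int keyusage;` (or changing the helper to `unsigned *`) removes the mismatch. The checksum-type lookup and its "checksum type %d not supported" message are now duplicated in `krb5_verify_checksum` and `verify_checksum`, and the new copy uses `if(ct == NULL)` while the same hunk corrects that spacing to `if (ct == NULL)` a few lines above.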
@@ -2148,6 +2224,7 @@ ARCFOUR_subencrypt(krb5_context context, RC4_KEY rc4_key; unsigned char *cdata = data; unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16]; + krb5_error_code ret; t[0] = (usage >> 0) & 0xFF; t[1] = (usage >> 8) & 0xFF; @@ -2157,7 +2234,9 @@ ARCFOUR_subencrypt(krb5_context context, k1_c.checksum.length = sizeof(k1_c_data); k1_c.checksum.data = k1_c_data; - hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data)); @@ -2170,7 +2249,9 @@ ARCFOUR_subencrypt(krb5_context context, cksum.checksum.length = 16; cksum.checksum.data = data; - hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + if (ret) + krb5_abortx(context, "hmac failed"); ke.key = &kb; kb.keyvalue = k1_c.checksum; @@ -2178,7 +2259,9 @@ ARCFOUR_subencrypt(krb5_context context, k3_c.checksum.length = sizeof(k3_c_data); k3_c.checksum.data = k3_c_data; - hmac(NULL, c, data, 16, 0, &ke, &k3_c); + ret = hmac(NULL, c, data, 16, 0, &ke, &k3_c); + if (ret) + krb5_abortx(context, "hmac failed"); RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data); RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16); @@ -2205,6 +2288,7 @@ ARCFOUR_subdecrypt(krb5_context context, unsigned char *cdata = data; unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16]; unsigned char cksum_data[16]; + krb5_error_code ret; t[0] = (usage >> 0) & 0xFF; t[1] = (usage >> 8) & 0xFF; @@ -2214,7 +2298,9 @@ ARCFOUR_subdecrypt(krb5_context context, k1_c.checksum.length = sizeof(k1_c_data); k1_c.checksum.data = k1_c_data; - hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c); + if (ret) + krb5_abortx(context, "hmac failed"); memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data)); 
@@ -2227,7 +2313,9 @@ ARCFOUR_subdecrypt(krb5_context context, k3_c.checksum.length = sizeof(k3_c_data); k3_c.checksum.data = k3_c_data; - hmac(NULL, c, cdata, 16, 0, &ke, &k3_c); + ret = hmac(NULL, c, cdata, 16, 0, &ke, &k3_c); + if (ret) + krb5_abortx(context, "hmac failed"); RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data); RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16); @@ -2238,7 +2326,9 @@ ARCFOUR_subdecrypt(krb5_context context, cksum.checksum.length = 16; cksum.checksum.data = cksum_data; - hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum); + if (ret) + krb5_abortx(context, "hmac failed"); memset (k1_c_data, 0, sizeof(k1_c_data)); memset (k2_c_data, 0, sizeof(k2_c_data)); 
@@ -2255,54 +2345,28 @@ ARCFOUR_subdecrypt(krb5_context context, /* * convert the usage numbers used in * draft-ietf-cat-kerb-key-derivation-00.txt to the ones in - * draft-brezak-win2k-krb-rc4-hmac-03.txt + * draft-brezak-win2k-krb-rc4-hmac-04.txt */ static krb5_error_code usage2arcfour (krb5_context context, int *usage) { switch (*usage) { - case KRB5_KU_PA_ENC_TIMESTAMP : - *usage = 1; - return 0; - case KRB5_KU_TICKET : - *usage = 2; - return 0; - case KRB5_KU_AS_REP_ENC_PART : + case KRB5_KU_AS_REP_ENC_PART : /* 3 */ + case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : /* 9 */ *usage = 8; return 0; - case KRB5_KU_TGS_REQ_AUTH_DAT_SESSION : - case KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY : - case KRB5_KU_TGS_REQ_AUTH_CKSUM : - case KRB5_KU_TGS_REQ_AUTH : - *usage = 7; + case KRB5_KU_USAGE_SEAL : /* 22 */ + *usage = 13; return 0; - case KRB5_KU_TGS_REP_ENC_PART_SESSION : - case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : - *usage = 8; - return 0; - case KRB5_KU_AP_REQ_AUTH_CKSUM : - case KRB5_KU_AP_REQ_AUTH : - case KRB5_KU_AP_REQ_ENC_PART : - *usage = 11; - return 0; - case KRB5_KU_KRB_PRIV : + case KRB5_KU_USAGE_SIGN : /* 23 */ + *usage = 15; + return 0; + case KRB5_KU_USAGE_SEQ: /* 24 */ *usage = 0; return 0; - case KRB5_KU_KRB_CRED : - case KRB5_KU_KRB_SAFE_CKSUM : - case KRB5_KU_OTHER_ENCRYPTED : - case KRB5_KU_OTHER_CKSUM : - case KRB5_KU_KRB_ERROR : - case KRB5_KU_AD_KDC_ISSUED : - case KRB5_KU_MANDATORY_TICKET_EXTENSION : - case KRB5_KU_AUTH_DATA_TICKET_EXTENSION : - case KRB5_KU_USAGE_SEAL : - case KRB5_KU_USAGE_SIGN : - case KRB5_KU_USAGE_SEQ : default : - krb5_set_error_string(context, "unknown arcfour usage type %d", *usage); - return KRB5_PROG_ETYPE_NOSUPP; + return 0; } } @@ -2730,9 +2794,9 @@ encrypt_internal_derived(krb5_context context, memcpy(q, data, len); ret = create_checksum(context, + et->keyed_checksum, crypto, INTEGRITY_USAGE(usage), - et->keyed_checksum->type, p, block_sz, &cksum); 
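Review bot: The rewritten `usage2arcfour` returns 0 from `default:` with `*usage` left untouched, where the old version rejected unknown usages with `KRB5_PROG_ETYPE_NOSUPP`; the callers on the previous hunks already ignore its return value, so the change looks intentional but is invisible to the next reader, and the `context` parameter is now unused. A comment on the default branch would record that, e.g. `/* usages not listed in the draft are passed through unchanged */`.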
@@ -2799,9 +2863,9 @@ encrypt_internal(krb5_context context, memcpy(q, data, len); ret = create_checksum(context, + et->checksum, crypto, 0, - et->checksum->type, p, block_sz, &cksum); @@ -2895,6 +2959,11 @@ decrypt_internal_derived(krb5_context context, return EINVAL; /* XXX - better error code? */ } + if (((len - checksum_sz) % et->padsize) != 0) { + krb5_clear_error_string(context); + return KRB5_BAD_MSIZE; + } + p = malloc(len); if(len != 0 && p == NULL) { krb5_set_error_string(context, "malloc: out of memory"); @@ -2963,6 +3032,11 @@ decrypt_internal(krb5_context context, size_t checksum_sz, l; struct encryption_type *et = crypto->et; + if ((len % et->padsize) != 0) { + krb5_clear_error_string(context); + return KRB5_BAD_MSIZE; + } + checksum_sz = CHECKSUMSIZE(et->checksum); p = malloc(len); if(len != 0 && p == NULL) { @@ -3021,25 +3095,34 @@ decrypt_internal_special(krb5_context context, struct encryption_type *et = crypto->et; size_t cksum_sz = CHECKSUMSIZE(et->checksum); size_t sz = len - cksum_sz - et->confoundersize; - char *cdata = (char *)data; - char *tmp; + unsigned char *p; krb5_error_code ret; - tmp = malloc (sz); - if (tmp == NULL) { + if ((len % et->padsize) != 0) { + krb5_clear_error_string(context); + return KRB5_BAD_MSIZE; + } + + p = malloc (len); + if (p == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } + memcpy(p, data, len); - ret = (*et->encrypt)(context, &crypto->key, data, len, FALSE, usage, ivec); + ret = (*et->encrypt)(context, &crypto->key, p, len, FALSE, usage, ivec); if (ret) { - free(tmp); + free(p); return ret; } - memcpy (tmp, cdata + cksum_sz + et->confoundersize, sz); - - result->data = tmp; + memmove (p, p + cksum_sz + et->confoundersize, sz); + result->data = realloc(p, sz); + if(result->data == NULL) { + free(p); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } result->length = sz; return 0; } 
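Review bot: `decrypt_internal_special` computes `sz = len - cksum_sz - et->confoundersize` in its declaration and the new `len % et->padsize` check does not cover short input: for `len < cksum_sz + et->confoundersize` the unsigned subtraction wraps, `p = malloc(len)` succeeds, and `memmove(p, p + cksum_sz + et->confoundersize, sz)` reads far beyond the buffer. Add `if (len < cksum_sz + et->confoundersize) { krb5_clear_error_string(context); return KRB5_BAD_MSIZE; }` next to the padsize check (the signature is outside the hunk, but with `sz` initialised at declaration no earlier guard can exist). The matching lower-bound check in `decrypt_internal_derived` appears to be the `EINVAL` return just above its new padsize test, which may want the same `KRB5_BAD_MSIZE` code for consistency.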
diff --git a/lib/krb5/eai_to_heim_errno.c b/lib/krb5/eai_to_heim_errno.c index 06cf602b5..6820a4c5c 100644 --- a/lib/krb5/eai_to_heim_errno.c +++ b/lib/krb5/eai_to_heim_errno.c @@ -47,8 +47,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error) switch(eai_errno) { case EAI_NOERROR: return 0; +#ifdef EAI_ADDRFAMILY case EAI_ADDRFAMILY: return HEIM_EAI_ADDRFAMILY; +#endif case EAI_AGAIN: return HEIM_EAI_AGAIN; case EAI_BADFLAGS: @@ -59,8 +61,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error) return HEIM_EAI_FAMILY; case EAI_MEMORY: return HEIM_EAI_MEMORY; +#if defined(EAI_NODATA) && EAI_NODATA != EAI_NONAME case EAI_NODATA: return HEIM_EAI_NODATA; +#endif case EAI_NONAME: return HEIM_EAI_NONAME; case EAI_SERVICE: diff --git a/lib/krb5/fcache.c b/lib/krb5/fcache.c index 29903b79f..1616436c6 100644 --- a/lib/krb5/fcache.c +++ b/lib/krb5/fcache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -65,6 +65,73 @@ fcc_get_name(krb5_context context, return FILENAME(id); } +int +_krb5_xlock(krb5_context context, int fd, krb5_boolean exclusive, + const char *filename) +{ + int ret; +#ifdef HAVE_FCNTL + struct flock l; + + l.l_start = 0; + l.l_len = 0; + l.l_type = exclusive ? F_WRLCK : F_RDLCK; + l.l_whence = SEEK_SET; + ret = fcntl(fd, F_SETLKW, &l); +#else + ret = flock(fd, exclusive ? LOCK_EX : LOCK_SH); +#endif + if(ret < 0) + ret = errno; + if(ret == EACCES) /* fcntl can return EACCES instead of EAGAIN */ + ret = EAGAIN; + + switch (ret) { + case 0: + break; + case EINVAL: /* filesystem doesn't support locking, let the user have it */ + ret = 0; + break; + case EAGAIN: + krb5_set_error_string(context, "timed out locking cache file %s", + filename); + break; + default: + krb5_set_error_string(context, "error locking cache file %s: %s", + filename, strerror(ret)); + break; + } + return ret; +} + +int +_krb5_xunlock(int fd) +{ +#ifdef HAVE_FCNTL_LOCK + struct flock l; + l.l_start = 0; + l.l_len = 0; + l.l_type = F_UNLCK; + l.l_whence = SEEK_SET; + return fcntl(fd, F_SETLKW, &l); +#else + return flock(fd, LOCK_UN); +#endif +} + +static krb5_error_code +fcc_lock(krb5_context context, krb5_ccache id, + int fd, krb5_boolean exclusive) +{ + return _krb5_xlock(context, fd, exclusive, fcc_get_name(context, id)); +} + +static krb5_error_code +fcc_unlock(krb5_context context, int fd) +{ + return _krb5_xunlock(fd); +} + static krb5_error_code fcc_resolve(krb5_context context, krb5_ccache *id, const char *res) { @@ -142,7 +209,6 @@ erase_file(const char *filename) close (fd); return errno; } - ret = fstat (fd, &sb2); if (ret < 0) { close (fd); 
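Review bot: `_krb5_xlock` picks its locking primitive with `#ifdef HAVE_FCNTL` while `_krb5_xunlock` tests `#ifdef HAVE_FCNTL_LOCK`; if only one of the two macros is defined, the lock is taken with `fcntl` and released with `flock` (or vice versa), so the cache lock is never dropped or the wrong lock is released — both functions must test the same macro. Separately, `F_SETLKW` and a plain `LOCK_EX`/`LOCK_SH` both block until the lock is granted, so the `"timed out locking cache file %s"` wording for `EAGAIN` is reachable only through the `EACCES` remap and overstates what happened; `"could not lock cache file %s"` describes it more accurately.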
@@ -227,6 +293,34 @@ storage_set_flags(krb5_context context, krb5_storage *sp, int vno) } static krb5_error_code +fcc_open(krb5_context context, + krb5_ccache id, + int *fd_ret, + int flags, + mode_t mode) +{ + krb5_boolean exclusive = ((flags | O_WRONLY) == flags || + (flags | O_RDWR) == flags); + krb5_error_code ret; + const char *filename = FILENAME(id); + int fd; + fd = open(filename, flags, mode); + if(fd < 0) { + ret = errno; + krb5_set_error_string(context, "open(%s): %s", filename, + strerror(ret)); + return ret; + } + + if((ret = fcc_lock(context, id, fd, exclusive)) != 0) { + close(fd); + return ret; + } + *fd_ret = fd; + return 0; +} + +static krb5_error_code fcc_initialize(krb5_context context, krb5_ccache id, krb5_principal primary_principal) @@ -238,13 +332,9 @@ fcc_initialize(krb5_context context, unlink (filename); - fd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600); - if(fd == -1) { - ret = errno; - krb5_set_error_string(context, "open(%s): %s", filename, - strerror(ret)); + ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600); + if(ret) return ret; - } { krb5_storage *sp; sp = krb5_storage_from_fd(fd); @@ -269,15 +359,16 @@ fcc_initialize(krb5_context context, } } ret |= krb5_store_principal(sp, primary_principal); + krb5_storage_free(sp); } - if(close(fd) < 0) + fcc_unlock(context, fd); + if (close(fd) < 0) if (ret == 0) { ret = errno; - krb5_set_error_string (context, "close %s: %s", filename, - strerror(ret)); + krb5_set_error_string (context, "close %s: %s", + FILENAME(id), strerror(ret)); } - return ret; } @@ -294,11 +385,7 @@ static krb5_error_code fcc_destroy(krb5_context context, krb5_ccache id) { - char *f; - f = FILENAME(id); - - erase_file(f); - + erase_file(FILENAME(id)); return 0; } 
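Review bot: `exclusive` in `fcc_open` is derived from `(flags | O_WRONLY) == flags || (flags | O_RDWR) == flags`, which works only because `O_WRONLY` and `O_RDWR` are single-bit values on common platforms and `O_RDONLY` is zero; the portable access-mode test is `(flags & O_ACCMODE) != O_RDONLY`. The result of `fcc_unlock(context, fd);` in `fcc_initialize` is discarded — harmless for an unlock, but a short comment saying so would stop it reading as an oversight. `fcc_initialize`'s body continues outside the hunk.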
@@ -309,49 +396,37 @@ fcc_store_cred(krb5_context context,
 {
 int ret;
 int fd;
- char *f;
- f = FILENAME(id);
-
- fd = open(f, O_WRONLY | O_APPEND | O_BINARY);
- if(fd < 0) {
- ret = errno;
- krb5_set_error_string (context, "open(%s): %s", f, strerror(ret));
+ ret = fcc_open(context, id, &fd, O_WRONLY | O_APPEND | O_BINARY, 0);
+ if(ret)
 return ret;
- }
 {
 krb5_storage *sp;
 sp = krb5_storage_from_fd(fd);
 krb5_storage_set_eof_code(sp, KRB5_CC_END);
 storage_set_flags(context, sp, FCACHE(id)->version);
- ret = krb5_store_creds(sp, creds);
+ if (krb5_config_get_bool_default(context, NULL, FALSE,
+ "libdefaults",
+ "fcc-mit-ticketflags",
+ NULL))
+ ret = _krb5_store_creds_heimdal_0_7(sp, creds);
+ else
+ ret = _krb5_store_creds_heimdal_pre_0_7(sp, creds);
 krb5_storage_free(sp);
 }
+ fcc_unlock(context, fd);
 if (close(fd) < 0)
 if (ret == 0) {
 ret = errno;
- krb5_set_error_string (context, "close %s: %s", f, strerror(ret));
+ krb5_set_error_string (context, "close %s: %s",
+ FILENAME(id), strerror(ret));
 }
 return ret;
 }
 static krb5_error_code
-fcc_read_cred (krb5_context context,
- krb5_fcache *fc,
- krb5_storage *sp,
- krb5_creds *creds)
-{
- krb5_error_code ret;
-
- storage_set_flags(context, sp, fc->version);
-
- ret = krb5_ret_creds(sp, creds);
- return ret;
-}
-
-static krb5_error_code
 init_fcc (krb5_context context,
- krb5_fcache *fcache,
+ krb5_ccache id,
 krb5_storage **ret_sp,
 int *ret_fd)
 {
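Review bot: After the new `fcc_open` call in `fcc_store_cred`, `sp = krb5_storage_from_fd(fd)` on the following context line is still used without a NULL check, while `init_fcc` in this same commit (hunk `@@ -360,48 +435,79 @@` on the next line) adds `if(sp == NULL) { ret = ENOMEM; goto out; }` for the identical call; on allocation failure `krb5_storage_set_eof_code(sp, ...)` dereferences NULL with the write lock still held. Add the same guard here, releasing the lock on the way out: `if (sp == NULL) { fcc_unlock(context, fd); close(fd); return ENOMEM; }`. The same gap exists in `fcc_initialize` (hunk `@@ -238,13 +332,9 @@` on the previous line).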
@@ -360,48 +435,79 @@ init_fcc (krb5_context context, krb5_storage *sp; krb5_error_code ret; - fd = open(fcache->filename, O_RDONLY | O_BINARY); - if(fd < 0) { - ret = errno; - krb5_set_error_string(context, "open(%s): %s", fcache->filename, - strerror(ret)); + ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY, 0); + + if(ret) return ret; - } + sp = krb5_storage_from_fd(fd); + if(sp == NULL) { + ret = ENOMEM; + goto out; + } krb5_storage_set_eof_code(sp, KRB5_CC_END); ret = krb5_ret_int8(sp, &pvno); - if(ret == KRB5_CC_END) - return ENOENT; - if(ret) - return ret; + if(ret != 0) { + if(ret == KRB5_CC_END) + ret = ENOENT; /* empty file */ + goto out; + } if(pvno != 5) { - krb5_storage_free(sp); - close(fd); - return KRB5_CCACHE_BADVNO; + ret = KRB5_CCACHE_BADVNO; + goto out; } - krb5_ret_int8(sp, &tag); /* should not be host byte order */ - fcache->version = tag; - storage_set_flags(context, sp, fcache->version); + ret = krb5_ret_int8(sp, &tag); /* should not be host byte order */ + if(ret != 0) { + ret = KRB5_CC_FORMAT; + goto out; + } + FCACHE(id)->version = tag; + storage_set_flags(context, sp, FCACHE(id)->version); switch (tag) { case KRB5_FCC_FVNO_4: { int16_t length; - krb5_ret_int16 (sp, &length); + ret = krb5_ret_int16 (sp, &length); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } while(length > 0) { int16_t tag, data_len; int i; int8_t dummy; - krb5_ret_int16 (sp, &tag); - krb5_ret_int16 (sp, &data_len); + ret = krb5_ret_int16 (sp, &tag); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } + ret = krb5_ret_int16 (sp, &data_len); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } switch (tag) { case FCC_TAG_DELTATIME : - krb5_ret_int32 (sp, &context->kdc_sec_offset); - krb5_ret_int32 (sp, &context->kdc_usec_offset); + ret = krb5_ret_int32 (sp, &context->kdc_sec_offset); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } + ret = krb5_ret_int32 (sp, &context->kdc_usec_offset); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } break; default : - for 
(i = 0; i < data_len; ++i) - krb5_ret_int8 (sp, &dummy); + for (i = 0; i < data_len; ++i) { + ret = krb5_ret_int8 (sp, &dummy); + if(ret) { + ret = KRB5_CC_FORMAT; + goto out; + } + } break; } length -= 4 + data_len; @@ -413,13 +519,19 @@ init_fcc (krb5_context context, case KRB5_FCC_FVNO_1: break; default : - krb5_storage_free (sp); - close (fd); - return KRB5_CCACHE_BADVNO; + ret = KRB5_CCACHE_BADVNO; + goto out; } *ret_sp = sp; *ret_fd = fd; + return 0; + out: + if(sp != NULL) + krb5_storage_free(sp); + fcc_unlock(context, fd); + close(fd); + return ret; } static krb5_error_code @@ -428,36 +540,47 @@ fcc_get_principal(krb5_context context, krb5_principal *principal) { krb5_error_code ret; - krb5_fcache *f = FCACHE(id); int fd; krb5_storage *sp; - ret = init_fcc (context, f, &sp, &fd); + ret = init_fcc (context, id, &sp, &fd); if (ret) return ret; ret = krb5_ret_principal(sp, principal); krb5_storage_free(sp); + fcc_unlock(context, fd); close(fd); return ret; } static krb5_error_code +fcc_end_get (krb5_context context, + krb5_ccache id, + krb5_cc_cursor *cursor); + +static krb5_error_code fcc_get_first (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { krb5_error_code ret; krb5_principal principal; - krb5_fcache *f = FCACHE(id); *cursor = malloc(sizeof(struct fcc_cursor)); - ret = init_fcc (context, f, &FCC_CURSOR(*cursor)->sp, + ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp, &FCC_CURSOR(*cursor)->fd); - if (ret) + if (ret) { + free(*cursor); + return ret; + } + ret = krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal); + if(ret) { + fcc_end_get(context, id, cursor); return ret; - krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal); + } krb5_free_principal (context, principal); + fcc_unlock(context, FCC_CURSOR(*cursor)->fd); return 0; } 
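Review bot: In the `KRB5_FCC_FVNO_4` header loop of `init_fcc`, `data_len` and `length` are `int16_t` values read straight from the cache file and are never checked for sign; a negative `data_len` skips the byte-skipping loop and makes `length -= 4 + data_len` grow instead of shrink, so a malformed header is only rejected once a later read hits end-of-file rather than at the point it becomes invalid. Add `if (data_len < 0) { ret = KRB5_CC_FORMAT; goto out; }` directly after the new `krb5_ret_int16 (sp, &data_len)` check, and treat `length` dropping below zero the same way. The `FCC_TAG_DELTATIME` case also reads exactly two `int32` values regardless of `data_len`, so a `data_len` other than 8 silently desynchronises the parser; checking it there would close that hole too. `init_fcc` starts in the hunk on the previous line and its `out:` cleanup label is in the following hunk.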
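Review bot: The modified `init_fcc` call in `fcc_get_first` writes through `FCC_CURSOR(*cursor)->sp` although the preceding `*cursor = malloc(sizeof(struct fcc_cursor));` is never checked, so an allocation failure is a NULL dereference. Add `if (*cursor == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; }` before the call, matching the message used elsewhere in this commit. The new `init_fcc` failure path does `free(*cursor); return ret;` but leaves `*cursor` dangling, whereas `fcc_end_get` (hunk `@@ -478,6 +608,7 @@` on the next line) now nulls it; set `*cursor = NULL;` after that `free` as well so callers see a consistent cursor state on both error paths.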
@@ -467,7 +590,14 @@ fcc_get_next (krb5_context context,
 krb5_cc_cursor *cursor,
 krb5_creds *creds)
 {
- return fcc_read_cred (context, FCACHE(id), FCC_CURSOR(*cursor)->sp, creds);
+ krb5_error_code ret;
+ if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0)
+ return ret;
+
+ ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds);
+
+ fcc_unlock(context, FCC_CURSOR(*cursor)->fd);
+ return ret;
 }
 static krb5_error_code
@@ -478,6 +608,7 @@ fcc_end_get (krb5_context context,
 krb5_storage_free(FCC_CURSOR(*cursor)->sp);
 close (FCC_CURSOR(*cursor)->fd);
 free(*cursor);
+ *cursor = NULL;
 return 0;
 }
diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 76b86c122..dd6795f1a 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -225,26 +225,37 @@ init_tgs_req (krb5_context context, { krb5_auth_context ac; - krb5_keyblock *key; + krb5_keyblock *key = NULL; ret = krb5_auth_con_init(context, &ac); if(ret) goto fail; - ret = krb5_generate_subkey (context, &krbtgt->session, &key); - if (ret) { - krb5_auth_con_free (context, ac); - goto fail; - } - ret = krb5_auth_con_setlocalsubkey(context, ac, key); - if (ret) { - krb5_free_keyblock (context, key); - krb5_auth_con_free (context, ac); - goto fail; + + if (krb5_config_get_bool_default(context, NULL, FALSE, + "realms", + krbtgt->server->realm, + "tgs_require_subkey", + NULL)) + { + ret = krb5_generate_subkey (context, &krbtgt->session, &key); + if (ret) { + krb5_auth_con_free (context, ac); + goto fail; + } + + ret = krb5_auth_con_setlocalsubkey(context, ac, key); + if (ret) { + if (key) + krb5_free_keyblock (context, key); + krb5_auth_con_free (context, ac); + goto fail; + } } ret = set_auth_data (context, &t->req_body, &in_creds->authdata, key); if (ret) { - krb5_free_keyblock (context, key); + if (key) + krb5_free_keyblock (context, key); krb5_auth_con_free (context, ac); goto fail; } @@ -256,7 +267,8 @@ init_tgs_req (krb5_context context, krbtgt, usage); if(ret) { - krb5_free_keyblock (context, key); + if (key) + krb5_free_keyblock (context, key); krb5_auth_con_free(context, ac); goto fail; } 
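Review bot: The new `tgs_require_subkey` branch changes what goes on the wire — the TGS-REQ authenticator now carries a subkey only when the realm opts in — and nothing in the code says why a step that was unconditional before is now off by default. A comment above the `krb5_config_get_bool_default` call quoting the rationale this commit adds to the man page (`tgs_require_subkey`, default false; old DCE secd before 1.1 may need it set) would spare the next reader a trip to the changelog. Inside the branch the `if (key)` guard before `krb5_free_keyblock` in the `krb5_auth_con_setlocalsubkey` failure path is redundant, since `krb5_generate_subkey` has just succeeded; the guard is only needed in the two later failure paths where the branch may have been skipped.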
@@ -265,36 +277,44 @@ init_tgs_req (krb5_context context, krb5_auth_con_free(context, ac); } fail: - if (ret) - /* XXX - don't free addresses? */ + if (ret) { + t->req_body.addresses = NULL; free_TGS_REQ (t); + } return ret; } -static krb5_error_code -get_krbtgt(krb5_context context, - krb5_ccache id, - krb5_realm realm, - krb5_creds **cred) +krb5_error_code +_krb5_get_krbtgt(krb5_context context, + krb5_ccache id, + krb5_realm realm, + krb5_creds **cred) { krb5_error_code ret; krb5_creds tmp_cred; memset(&tmp_cred, 0, sizeof(tmp_cred)); + ret = krb5_cc_get_principal(context, id, &tmp_cred.client); + if (ret) + return ret; + ret = krb5_make_principal(context, &tmp_cred.server, realm, KRB5_TGS_NAME, realm, NULL); - if(ret) + if(ret) { + krb5_free_principal(context, tmp_cred.client); return ret; + } ret = krb5_get_credentials(context, KRB5_GC_CACHED, id, &tmp_cred, cred); + krb5_free_principal(context, tmp_cred.client); krb5_free_principal(context, tmp_cred.server); if(ret) return ret; @@ -467,7 +487,7 @@ get_cred_kdc_usage(krb5_context context, krb5_clear_error_string(context); } krb5_data_free(&resp); -out: + out: if(subkey){ krb5_free_keyblock_contents(context, subkey); free(subkey); @@ -537,10 +557,10 @@ krb5_get_kdc_cred(krb5_context context, krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } - ret = get_krbtgt (context, - id, - in_creds->server->realm, - &krbtgt); + ret = _krb5_get_krbtgt (context, + id, + in_creds->server->realm, + &krbtgt); if(ret) { free(*out_creds); return ret; 
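Review bot: The `fail:` path now sets `t->req_body.addresses = NULL` before `free_TGS_REQ (t)`, replacing the old `XXX - don't free addresses?` comment, but leaves no explanation of why the addresses must be detached first. If the reason is that the pointer was copied from the caller's list rather than allocated here, say so: `/* addresses is borrowed from the caller; keep free_TGS_REQ from releasing it */` — the assignment that fills `req_body.addresses` is outside this hunk, so confirm before wording it. `_krb5_get_krbtgt` is now exported under a leading-underscore name and called from `get_for_creds.c` further down; its prototype in the library's private header is not part of this diff and should be checked.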
@@ -635,8 +655,16 @@ get_cred_from_kdc_flags(krb5_context context, if(ret) return ret; - try_realm = krb5_config_get_string(context, NULL, "libdefaults", - "capath", server_realm, NULL); + try_realm = krb5_config_get_string(context, NULL, "capaths", + client_realm, server_realm, NULL); + +#if 1 + /* XXX remove in future release */ + if(try_realm == NULL) + try_realm = krb5_config_get_string(context, NULL, "libdefaults", + "capath", server_realm, NULL); +#endif + if (try_realm == NULL) try_realm = client_realm; @@ -644,7 +672,7 @@ get_cred_from_kdc_flags(krb5_context context, &tmp_creds.server, try_realm, KRB5_TGS_NAME, - server_realm, + server_realm, NULL); if(ret){ krb5_free_principal(context, tmp_creds.client); diff --git a/lib/krb5/get_for_creds.c b/lib/krb5/get_for_creds.c index 8e181d8aa..263813554 100644 --- a/lib/krb5/get_for_creds.c +++ b/lib/krb5/get_for_creds.c @@ -41,7 +41,7 @@ add_addrs(krb5_context context, struct addrinfo *ai) { krb5_error_code ret; - unsigned n, i, j; + unsigned n, i; void *tmp; struct addrinfo *a; 
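Review bot: The `#if 1` fallback to the old `[libdefaults] capath` key carries only `XXX remove in future release`, which does not tell a later maintainer what supersedes it or how to know when it is safe to drop. Since the man page in this same commit already marks the old key as deprecated in favour of `[capaths]`, the comment should say so: `/* XXX compatibility with the old [libdefaults] capath key, superseded by [capaths]; remove in a future release */`.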
@@ -49,29 +49,34 @@ add_addrs(krb5_context context, for (a = ai; a != NULL; a = a->ai_next) ++n; - i = addr->len; - addr->len += n; - tmp = realloc(addr->val, addr->len * sizeof(*addr->val)); + tmp = realloc(addr->val, (addr->len + n) * sizeof(*addr->val)); if (tmp == NULL) { krb5_set_error_string(context, "malloc: out of memory"); ret = ENOMEM; goto fail; } addr->val = tmp; - for (j = i; j < addr->len; ++j) { + for (i = addr->len; i < (addr->len + n); ++i) { addr->val[i].addr_type = 0; krb5_data_zero(&addr->val[i].address); } + i = addr->len; for (a = ai; a != NULL; a = a->ai_next) { - ret = krb5_sockaddr2address (context, a->ai_addr, &addr->val[i]); - if (ret == 0) - ++i; + krb5_address ad; + + ret = krb5_sockaddr2address (context, a->ai_addr, &ad); + if (ret == 0) { + if (krb5_address_search(context, &ad, addr)) + krb5_free_address(context, &ad); + else + addr->val[i++] = ad; + } else if (ret == KRB5_PROG_ATYPE_NOSUPP) krb5_clear_error_string (context); else goto fail; + addr->len = i; } - addr->len = i; return 0; fail: krb5_free_addresses (context, addr); 
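Review bot: `addr->len = i;` now sits inside the loop body of `add_addrs` and runs on every iteration instead of once after the loop; that is presumably deliberate so that `krb5_address_search` sees the entries appended by earlier iterations and duplicates are dropped, but it reads like a misplaced assignment. A one-line comment above it, `/* keep len current so the duplicate check above sees entries added this round */`, would make the intent explicit. The realloc is now sized for `addr->len + n` entries while `len` only advances to `i`, so the zeroed tail slots are never counted; that is fine, but the same comment could note it.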
@@ -157,42 +162,66 @@ krb5_get_forwarded_creds (krb5_context context, { krb5_error_code ret; krb5_creds *out_creds; - krb5_addresses addrs; + krb5_addresses addrs, *paddrs; KRB_CRED cred; KrbCredInfo *krb_cred_info; EncKrbCredPart enc_krb_cred_part; size_t len; unsigned char *buf; size_t buf_size; - int32_t sec, usec; krb5_kdc_flags kdc_flags; krb5_crypto crypto; struct addrinfo *ai; int save_errno; krb5_keyblock *key; + krb5_creds *ticket; + char *realm; + + if (in_creds->client && in_creds->client->realm) + realm = in_creds->client->realm; + else + realm = in_creds->server->realm; addrs.len = 0; addrs.val = NULL; - - ret = getaddrinfo (hostname, NULL, NULL, &ai); - if (ret) { - save_errno = errno; - krb5_set_error_string(context, "resolving %s: %s", - hostname, gai_strerror(ret)); - return krb5_eai_to_heim_errno(ret, save_errno); + paddrs = &addrs; + + /* + * If tickets are address-less, forward address-less tickets. + */ + + ret = _krb5_get_krbtgt (context, + ccache, + realm, + &ticket); + if(ret == 0) { + if (ticket->addresses.len == 0) + paddrs = NULL; + krb5_free_creds (context, ticket); } - - ret = add_addrs (context, &addrs, ai); - freeaddrinfo (ai); - if (ret) - return ret; - + + if (paddrs != NULL) { + + ret = getaddrinfo (hostname, NULL, NULL, &ai); + if (ret) { + save_errno = errno; + krb5_set_error_string(context, "resolving %s: %s", + hostname, gai_strerror(ret)); + return krb5_eai_to_heim_errno(ret, save_errno); + } + + ret = add_addrs (context, &addrs, ai); + freeaddrinfo (ai); + if (ret) + return ret; + } + kdc_flags.i = flags; ret = krb5_get_kdc_cred (context, ccache, kdc_flags, - &addrs, + paddrs, NULL, in_creds, &out_creds); 
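Review bot: Setting `paddrs = NULL` when the TGT carries no addresses means the forwarded credential is valid from any host rather than only from `hostname`; that mirrors the TGT, but the decision is silent, and a failure of `_krb5_get_krbtgt` is simply overwritten by the later `ret` assignments while any error string it set in `context` is left behind. Add `krb5_clear_error_string(context);` in the non-zero case, and widen the comment so the trade-off is visible to the reader: `/* If the TGT carries no addresses, forward address-less credentials too; they are then usable from any host. */`.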
@@ -224,29 +253,36 @@ krb5_get_forwarded_creds (krb5_context context, goto out4; } - krb5_us_timeofday (context, &sec, &usec); - - ALLOC(enc_krb_cred_part.timestamp, 1); - if (enc_krb_cred_part.timestamp == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto out4; - } - *enc_krb_cred_part.timestamp = sec; - ALLOC(enc_krb_cred_part.usec, 1); - if (enc_krb_cred_part.usec == NULL) { - ret = ENOMEM; - krb5_set_error_string(context, "malloc: out of memory"); - goto out4; + if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { + int32_t sec, usec; + + krb5_us_timeofday (context, &sec, &usec); + + ALLOC(enc_krb_cred_part.timestamp, 1); + if (enc_krb_cred_part.timestamp == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "malloc: out of memory"); + goto out4; + } + *enc_krb_cred_part.timestamp = sec; + ALLOC(enc_krb_cred_part.usec, 1); + if (enc_krb_cred_part.usec == NULL) { + ret = ENOMEM; + krb5_set_error_string(context, "malloc: out of memory"); + goto out4; + } + *enc_krb_cred_part.usec = usec; + } else { + enc_krb_cred_part.timestamp = NULL; + enc_krb_cred_part.usec = NULL; } - *enc_krb_cred_part.usec = usec; if (auth_context->local_address && auth_context->local_port) { krb5_boolean noaddr; - const krb5_realm *realm; + krb5_const_realm realm; - realm = krb5_princ_realm(context, out_creds->server); - krb5_appdefault_boolean(context, NULL, *realm, "no-addresses", FALSE, + realm = krb5_principal_get_realm(context, out_creds->server); + krb5_appdefault_boolean(context, NULL, realm, "no-addresses", FALSE, &noaddr); if (!noaddr) { ret = krb5_make_addrport (context, 
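Review bot: When `KRB5_AUTH_CONTEXT_DO_TIME` is not set, the encrypted part of the KRB-CRED now carries no `timestamp`/`usec` at all, so the receiving side has no freshness bound for the message; that is a deliberate trade-off but the `else` branch has no comment saying so. Add `/* no DO_TIME: omit timestamp/usec (optional in KRB-CRED); the receiver gets no freshness bound */` at the `else`. `krb5_get_forwarded_creds` begins in the hunk on the previous line.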
@@ -261,10 +297,10 @@ krb5_get_forwarded_creds (krb5_context context, if (auth_context->remote_address) { if (auth_context->remote_port) { krb5_boolean noaddr; - const krb5_realm *realm; + krb5_const_realm realm; - realm = krb5_princ_realm(context, out_creds->server); - krb5_appdefault_boolean(context, NULL, *realm, "no-addresses", + realm = krb5_principal_get_realm(context, out_creds->server); + krb5_appdefault_boolean(context, NULL, realm, "no-addresses", FALSE, &noaddr); if (!noaddr) { ret = krb5_make_addrport (context, @@ -367,11 +403,11 @@ krb5_get_forwarded_creds (krb5_context context, out_data->length = len; out_data->data = buf; return 0; -out4: + out4: free_EncKrbCredPart(&enc_krb_cred_part); -out3: + out3: free_KRB_CRED(&cred); -out2: + out2: krb5_free_creds (context, out_creds); return ret; } diff --git a/lib/krb5/get_in_tkt.c b/lib/krb5/get_in_tkt.c index 2fe9054df..1203e6867 100644 --- a/lib/krb5/get_in_tkt.c +++ b/lib/krb5/get_in_tkt.c @@ -543,9 +543,9 @@ init_as_req (krb5_context context, else krb5_data_zero(&salt.saltvalue); ret = add_padata(context, a->padata, creds->client, - key_proc, keyseed, - &preauth->val[i].info.val[j].etype, 1, - sp); + key_proc, keyseed, + &preauth->val[i].info.val[j].etype, 1, + sp); if (ret == 0) break; } @@ -821,7 +821,7 @@ krb5_get_in_tkt(krb5_context context, ret_as_reply); if(ret) return ret; - ret = krb5_cc_store_cred (context, ccache, creds); - krb5_free_creds_contents (context, creds); + if (ccache) + ret = krb5_cc_store_cred (context, ccache, creds); return ret; } diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c index 2fc2e6ab3..c082aa015 100644 --- a/lib/krb5/init_creds_pw.c +++ b/lib/krb5/init_creds_pw.c @@ -398,6 +398,8 @@ krb5_get_init_creds_password(krb5_context context, krb5_data password_data; int done; + memset(&kdc_reply, 0, sizeof(kdc_reply)); + ret = get_init_creds_common(context, creds, client, start_time, in_tkt_service, options, &addrs, &etypes, &this_cred, &pre_auth_types, 
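Review bot: Removing `krb5_free_creds_contents (context, creds)` from `krb5_get_in_tkt` (hunk `@@ -821,7 +821,7 @@` on this line) changes ownership: callers that relied on this function releasing `creds` now leak it, and any caller that freed it itself to work around the old behaviour would now double-free. Since the function appears to be public library API, the new contract — the caller owns `creds`, and it is stored only when `ccache` is non-NULL — should be stated in a comment above the function and in the changelog. The `memset(&kdc_reply, 0, sizeof(kdc_reply));` added in the `init_creds_pw.c` hunk is what makes the unconditional `krb5_free_kdc_rep` on the next line safe; a comment linking the two would help.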
@@ -486,8 +488,8 @@ krb5_get_init_creds_password(krb5_context context, data); out: memset (buf, 0, sizeof(buf)); - if (ret == 0) - krb5_free_kdc_rep (context, &kdc_reply); + + krb5_free_kdc_rep (context, &kdc_reply); free (pre_auth_types); free (etypes); diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index d7ee7ae1d..8e90dae06 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 
@@ -1,42 +1,44 @@ -.\" Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" .\" $Id$ .\" -.Dd April 11, 1999 +.Dd March 9, 2004 .Dt KRB5.CONF 5 .Os HEIMDAL .Sh NAME -.Nm /etc/krb5.conf +.Nm krb5.conf .Nd configuration file for Kerberos 5 +.Sh SYNOPSIS +.In krb5.h .Sh DESCRIPTION The .Nm 
@@ -88,7 +90,8 @@ values can be a list of year, month, day, hour, min, second. Example: 1 month 2 days 30 min. .It etypes valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, -des3-cbc-sha1. +des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and +aes256-cts-hmac-sha1-96 . .It address an address can be either a IPv4 or a IPv6 address. .El @@ -124,6 +127,13 @@ addresses, making the tickets valid from any address. Default ticket lifetime. .It Li renew_lifetime = Va time Default renewable ticket lifetime. +.It Li encrypt = Va boolean +Use encryption, when available. +.It Li forward = Va boolean +Forward credentials to remote host (for +.Xr rsh 1 , +.Xr telnet 1 , +etc). .El .It Li [libdefaults] .Bl -tag -width "xxx" -offset indent @@ -147,23 +157,14 @@ manual page. .Bl -tag -width "xxx" -offset indent .It Va destination-realm Li = Va next-hop-realm .It ... -.El -Normally, all requests to realms different from the one of the current -client are sent to this KDC to get cross-realm tickets. -If this KDC does not have a cross-realm key with the desired realm and -the hierarchical path to that realm does not work, a path can be -configured using this directive. -The text shown above instructs the KDC to try to obtain a cross-realm -ticket to -.Va next-hop-realm -when the desired realm is -.Va destination-realm . -This configuration should preferably be done on the KDC where it will -help all its clients but can also be done on the client itself. .It Li } -.It Li default_etypes = Va etypes... +.El +This is deprecated, see the +.Li capaths +section below. +.It Li default_etypes = Va etypes ... A list of default encryption types to use. -.It Li default_etypes_des = Va etypes... +.It Li default_etypes_des = Va etypes ... A list of default encryption types to use when requesting a DES credential. .It Li default_keytab_name = Va keytab The keytab to use if no other is specified, default is 
@@ -193,7 +194,7 @@ fatal error. The application has to be able to read the corresponding service key for this to work. Some applications, like -.Xr su 8 , +.Xr su 1 , enable this option unconditionally. .It Li warn_pwexpire = Va time How soon to warn for expiring password. @@ -202,7 +203,7 @@ Default is seven days. A HTTP-proxy to use when talking to the KDC via HTTP. .It Li dns_proxy = Va proxy-spec Enable using DNS via HTTP. -.It Li extra_addresses = Va address... +.It Li extra_addresses = Va address ... A list of addresses to get tickets for along with all local addresses. .It Li time_format = Va string How to print time strings in logs, this string is passed to @@ -223,6 +224,13 @@ Also get Kerberos 4 tickets in .Nm login , and other programs. This option is also valid in the [realms] section. +.It Li fcc-mit-ticketflags = Va boolean +Use MIT compatible format for file credential cache. +It's the field ticketflags that is stored in reverse bit order for +older than Heimdal 0.7. +Setting this flag to +.Dv TRUE +make it store the MIT way, this is default for Heimdal 0.7. .El .It Li [domain_realm] This is a list of mappings from DNS domain to Kerberos realm. @@ -259,13 +267,13 @@ specifies over what medium the kdc should be contacted. Possible services are .Dq udp , -.Dq tcp , +.Dq tcp , and .Dq http . Http can also be written as .Dq http:// . Default service is -.Dq udp +.Dq udp and .Dq tcp . .It Li admin_server = Va host[:port] 
@@ -283,9 +291,31 @@ If it is not mentioned, the krb524 port on the kdcs will be tried. .It Li default_domain See .Xr krb5_425_conv_principal 3 . +.It Li tgs_require_subkey +a boolan variable that defaults to false. +Old DCE secd (pre 1.1) might need this to be true. .El .It Li } .El +.It Li [capaths] +.Bl -tag -width "xxx" -offset indent +.It Va client-realm Li = { +.Bl -tag -width "xxx" -offset indent +.It Va server-realm Li = Va hop-realm ... +This serves two purposes. First the first listed +.Va hop-realm +tells a client which realm it should contact in order to ultimately +obtain credentials for a service in the +.Va server-realm . +Secondly, it tells the KDC (and other servers) which realms are +allowed in a multi-hop traversal from +.Va client-realm +to +.Va server-realm . +Except for the client case, the order of the realms are not important. +.El +.It Va } +.El .It Li [logging] .Bl -tag -width "xxx" -offset indent .It Va entity Li = Va destination @@ -397,7 +427,12 @@ and is only left for backwards compatibility. .Sh ENVIRONMENT .Ev KRB5_CONFIG points to the configuration file to read. -.Sh EXAMPLE +.Sh FILES +.Bl -tag -width "/etc/krb5.conf" +.It Pa /etc/krb5.conf +configuration file for Kerberos 5. +.El +.Sh EXAMPLES .Bd -literal -offset indent [libdefaults] default_realm = FOO.SE diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h index a245071c5..cef797931 100644 --- a/lib/krb5/krb5.h +++ b/lib/krb5/krb5.h @@ -221,7 +221,8 @@ typedef enum krb5_keytype { KEYTYPE_DES3 = 7, KEYTYPE_AES128 = 17, KEYTYPE_AES256 = 18, - KEYTYPE_ARCFOUR = 23 + KEYTYPE_ARCFOUR = 23, + KEYTYPE_ARCFOUR_56 = 24 } krb5_keytype; typedef EncryptionKey krb5_keyblock; 
@@ -637,11 +638,17 @@ extern const krb5_kt_ops krb4_fkt_ops; extern const krb5_kt_ops krb5_srvtab_fkt_ops; extern const krb5_kt_ops krb5_any_ops; +#define KRB5_KPASSWD_VERS_CHANGEPW 1 +#define KRB5_KPASSWD_VERS_SETPW 0xff80 + #define KRB5_KPASSWD_SUCCESS 0 #define KRB5_KPASSWD_MALFORMED 1 #define KRB5_KPASSWD_HARDERROR 2 #define KRB5_KPASSWD_AUTHERROR 3 #define KRB5_KPASSWD_SOFTERROR 4 +#define KRB5_KPASSWD_ACCESSDENIED 5 +#define KRB5_KPASSWD_BAD_VERSION 6 +#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 #define KPASSWD_PORT 464 diff --git a/lib/krb5/krb5_set_password.3 b/lib/krb5/krb5_set_password.3 new file mode 100644 index 000000000..94a1b38a7 --- /dev/null +++ b/lib/krb5/krb5_set_password.3 
@@ -0,0 +1,109 @@ +.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd June 2, 2004 +.Dt KRB5_SET_PASSWORD 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_change_password , +.Nm krb5_set_password , +.Nm krb5_set_password_using_ccache +.Nd change password functions +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h +.Ft krb5_error_code +.Fo krb5_change_password +.Fa "krb5_context context" +.Fa "krb5_creds *creds" +.Fa "char *newpw" +.Fa "int *result_code" +.Fa "krb5_data *result_code_string" +.Fa "krb5_data *result_string" +.Fc +.Ft krb5_error_code +.Fo krb5_set_password +.Fa "krb5_context context" +.Fa "krb5_creds *creds" +.Fa "char *newpw" +.Fa "krb5_principal targprinc", +.Fa "int *result_code" +.Fa "krb5_data *result_code_string" +.Fa "krb5_data *result_string" +.Fc +.Ft krb5_error_code +.Fo krb5_set_password_using_ccache +.Fa "krb5_context context" +.Fa "krb5_ccache ccache" +.Fa "char *newpw" +.Fa "krb5_principal targprinc" +.Fa "int *result_code" +.Fa "krb5_data *result_code_string" +.Fa "krb5_data *result_string" +.Fc +.Sh DESCRIPTION +These functions change the password for a given principal. +.Pp +.Fn krb5_set_password +and +.Fa krb5_set_password_using_ccache +is the newer two of the three functions and uses a newer version of the +protocol (and falls back to the older when the newer doesn't work). +.Pp +.Fn krb5_change_password +set the password +.Fa newpasswd +for the client principal in +.Fa creds . +The server principal of creds must be +.Li kadmin/changepw . +.Pp +.Fn krb5_set_password +changes the password for the principal +.Fa targprinc , +if +.Fa targprinc +is +.Dv NULL +the default principal in +.Fa ccache +is used. +.Pp +Both functions returns and error in +.Fa result_code +and maybe an error strings to print in +.Fa result_string . +.Sh SEE ALSO +.Xr krb5_ccache 3 , +.Xr krb5_init_context 3 diff --git a/lib/krb5/krbhst.c b/lib/krb5/krbhst.c index 8b4ad0726..27b12cdf4 100644 --- a/lib/krb5/krbhst.c +++ b/lib/krb5/krbhst.c 
@@ -124,7 +124,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, else hi->port = rr->u.srv->port; - strlcpy(hi->hostname, rr->u.srv->target, len); + strlcpy(hi->hostname, rr->u.srv->target, len + 1); } *count = num_srv; diff --git a/lib/krb5/mcache.c b/lib/krb5/mcache.c index 96b4cc2ba..aea0b5986 100644 --- a/lib/krb5/mcache.c +++ b/lib/krb5/mcache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -38,6 +38,7 @@ RCSID("$Id$"); typedef struct krb5_mcache { char *name; unsigned int refcnt; + int dead; krb5_principal primary_principal; struct link { krb5_creds cred; @@ -50,7 +51,7 @@ static struct krb5_mcache *mcc_head; #define MCACHE(X) ((krb5_mcache *)(X)->data.data) -#define MISDEAD(X) ((X)->primary_principal == NULL) +#define MISDEAD(X) ((X)->dead) #define MCC_CURSOR(C) ((struct link*)(C)) @@ -77,6 +78,7 @@ mcc_alloc(const char *name) free(m); return NULL; } + m->dead = 0; m->refcnt = 1; m->primary_principal = NULL; m->creds = NULL; @@ -137,9 +139,11 @@ mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal primary_principal) { + krb5_mcache *m = MCACHE(id); + m->dead = 0; return krb5_copy_principal (context, primary_principal, - &MCACHE(id)->primary_principal); + &m->primary_principal); } static krb5_error_code @@ -178,9 +182,12 @@ mcc_destroy(krb5_context context, break; } } - krb5_free_principal (context, m->primary_principal); - m->primary_principal = NULL; - + if (m->primary_principal != NULL) { + krb5_free_principal (context, m->primary_principal); + m->primary_principal = NULL; + } + m->dead = 1; + l = m->creds; while (l != NULL) { struct link *old; 
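Review bot: The `strlcpy(hi->hostname, rr->u.srv->target, len + 1)` change in `srv_find_realm` is only correct if `hi->hostname` was allocated with at least `len + 1` bytes; the allocation is outside this hunk, so confirm it, and consider a comment at the copy stating the size relationship, e.g. `/* hostname was allocated with len + 1 bytes for the terminator */`.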
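Review bot: The new `mcc_initialize` body sets `m->dead = 0` and then lets `krb5_copy_principal` write `&m->primary_principal` without releasing a principal already stored there, so re-initialising a live memory cache leaks the previous principal (and keeps the old `creds` list). `mcc_destroy` in the next hunk shows the release idiom this commit itself uses: `if (m->primary_principal != NULL) { krb5_free_principal(context, m->primary_principal); m->primary_principal = NULL; }` — do the same before the copy.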
@@ -231,9 +238,8 @@ mcc_get_principal(krb5_context context, { krb5_mcache *m = MCACHE(id); - if (MISDEAD(m)) + if (MISDEAD(m) || m->primary_principal == NULL) return ENOENT; - return krb5_copy_principal (context, m->primary_principal, principal); diff --git a/lib/krb5/mk_req_ext.c b/lib/krb5/mk_req_ext.c index b68599c80..a4f536768 100644 --- a/lib/krb5/mk_req_ext.c +++ b/lib/krb5/mk_req_ext.c @@ -110,6 +110,15 @@ krb5_mk_req_internal(krb5_context context, in_data->data, in_data->length, &c); + } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5) { + /* this is to make MS kdc happy */ + ret = krb5_create_checksum(context, + NULL, + 0, + CKSUMTYPE_RSA_MD5, + in_data->data, + in_data->length, + &c); } else { krb5_crypto crypto; diff --git a/lib/krb5/mk_safe.c b/lib/krb5/mk_safe.c index 8b50bc7ea..b3d31d0bc 100644 --- a/lib/krb5/mk_safe.c +++ b/lib/krb5/mk_safe.c @@ -69,7 +69,7 @@ krb5_mk_safe(krb5_context context, sec2 = sec; s.safe_body.timestamp = &sec2; - usec2 = usec2; + usec2 = usec; s.safe_body.usec = &usec2; if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { tmp_seq = auth_context->local_seqnumber; diff --git a/lib/krb5/name-45-test.c b/lib/krb5/name-45-test.c index 324a668e6..0dc8a1acc 100644 --- a/lib/krb5/name-45-test.c +++ b/lib/krb5/name-45-test.c @@ -96,7 +96,7 @@ static struct testcase { 0, 0}, {"pop", "mail0", "NADA.KTH.SE", "NADA.KTH.SE", 2, - {"pop", "mail0.nada.kth.se"}, NULL, HEIM_ERR_V4_PRINC_NO_CONV, 0}, + {"pop", "mail0.nada.kth.se"}, "", HEIM_ERR_V4_PRINC_NO_CONV, 0}, {"pop", "mail0", "NADA.KTH.SE", "NADA.KTH.SE", 2, {"pop", "mail0.nada.kth.se"}, "[realms]\n" @@ -111,7 +111,7 @@ static struct testcase { HEIM_ERR_V4_PRINC_NO_CONV, 0}, {"rcmd", "hokkigai", "NADA.KTH.SE", "NADA.KTH.SE", 2, - {"host", "hokkigai.pdc.kth.se"}, NULL, HEIM_ERR_V4_PRINC_NO_CONV, 0}, + {"host", "hokkigai.pdc.kth.se"}, "", HEIM_ERR_V4_PRINC_NO_CONV, 0}, {"rcmd", "hokkigai", "NADA.KTH.SE", "NADA.KTH.SE", 2, {"host", "hokkigai.pdc.kth.se"}, "[libdefaults]\n" 
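Review bot: The new `ETYPE_ARCFOUR_HMAC_MD5` branch in `krb5_mk_req_internal` computes an unkeyed `CKSUMTYPE_RSA_MD5` checksum over `in_data` (NULL crypto, usage 0), so the checksum contributes no integrity of its own and the data is protected only by the encrypted authenticator; the sole justification in the code is `this is to make MS kdc happy`. Expand that comment so the weakening is explicit: `/* Interop with Microsoft KDCs, which reportedly expect an unkeyed RSA-MD5 checksum with RC4-HMAC; integrity of in_data then rests on the authenticator encryption. */`. The `usec2 = usec;` fix in `mk_safe.c` on this line is correct — the old self-assignment left the usec field uninitialised.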
@@ -143,7 +143,7 @@ static struct testcase { "012345678901234567890123456789012345678"}, NULL, 0, 0}, - {NULL, NULL, NULL, NULL, 0, {}, NULL, 0} + {NULL, NULL, NULL, NULL, 0, {NULL}, NULL, 0} }; int @@ -199,10 +199,13 @@ main(int argc, char **argv) } } else { if (t->ret) { + char *s; + krb5_unparse_name(context, princ, &s); krb5_warnx (context, "krb5_425_conv_principal %s.%s@%s " - "passed unexpected", - t->v4_name, t->v4_inst, t->v4_realm); + "passed unexpected: %s", + t->v4_name, t->v4_inst, t->v4_realm, s); + free(s); val = 1; continue; } diff --git a/lib/krb5/parse-name-test.c b/lib/krb5/parse-name-test.c index 029950836..1c29a5bd3 100644 --- a/lib/krb5/parse-name-test.c +++ b/lib/krb5/parse-name-test.c @@ -60,7 +60,7 @@ static struct testcase { {"/a", "/a@", "", 2, {"", "a"}, FALSE}, {"\\@@\\@", "\\@@\\@", "@", 1, {"@"}, TRUE}, {"a/b/c", "a/b/c@", "", 3, {"a", "b", "c"}, FALSE}, - {NULL, NULL, "", 0, {}, FALSE}}; + {NULL, NULL, "", 0, { NULL }, FALSE}}; int main(int argc, char **argv) diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c index 68c3d95ab..3ee09b821 100644 --- a/lib/krb5/principal.c +++ b/lib/krb5/principal.c @@ -321,14 +321,17 @@ unparse_name(krb5_context context, len += 2*plen; len++; } + len++; *name = malloc(len); - if(len != 0 && *name == NULL) { + if(*name == NULL) { krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; } ret = unparse_name_fixed(context, principal, *name, len, short_flag); - if(ret) + if(ret) { free(*name); + *name = NULL; + } return ret; } diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c index 2184e25cd..e107d6e2e 100644 --- a/lib/krb5/rd_req.c +++ b/lib/krb5/rd_req.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
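Review bot: in the name-45-test.c main() hunk the return value of `krb5_unparse_name(context, princ, &s)` is ignored, so on failure `s` may be left uninitialized and is then passed to `%s` and to `free(s)`. Initialize and check it: `char *s = NULL;`, `if (krb5_unparse_name(context, princ, &s) != 0) s = NULL;`, and print `s ? s : "<unparse failed>"` (free(NULL) is harmless). main() begins and ends outside the hunk.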
@@ -129,6 +129,32 @@ krb5_decode_ap_req(krb5_context context, return 0; } +static krb5_error_code +check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) +{ + char **realms; + int num_realms; + krb5_error_code ret; + + if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) + return KRB5KDC_ERR_TRTYPE_NOSUPP; + + if(enc->transited.contents.length == 0) + return 0; + + ret = krb5_domain_x500_decode(context, enc->transited.contents, + &realms, &num_realms, + enc->crealm, + ticket->realm); + if(ret) + return ret; + ret = krb5_check_transited(context, enc->crealm, + ticket->realm, + realms, num_realms, NULL); + free(realms); + return ret; +} + krb5_error_code krb5_decrypt_ticket(krb5_context context, Ticket *ticket, @@ -161,6 +187,14 @@ krb5_decrypt_ticket(krb5_context context, krb5_clear_error_string (context); return KRB5KRB_AP_ERR_TKT_EXPIRED; } + + if(!t.flags.transited_policy_checked) { + ret = check_transited(context, ticket, &t); + if(ret) { + free_EncTicketPart(&t); + return ret; + } + } } if(out) @@ -209,29 +243,6 @@ out: return ret; } -#if 0 -static krb5_error_code -check_transited(krb5_context context, - krb5_ticket *ticket) -{ - char **realms; - int num_realms; - krb5_error_code ret; - - if(ticket->ticket.transited.tr_type != DOMAIN_X500_COMPRESS) - return KRB5KDC_ERR_TRTYPE_NOSUPP; - - ret = krb5_domain_x500_decode(ticket->ticket.transited.contents, - &realms, &num_realms, - ticket->client->realm, - ticket->server->realm); - if(ret) - return ret; - ret = krb5_check_transited_realms(context, realms, num_realms, NULL); - free(realms); - return ret; -} -#endif krb5_error_code krb5_verify_ap_req(krb5_context context, 
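Review bot: check_transited returns `KRB5KDC_ERR_TRTYPE_NOSUPP` without setting or clearing the context error string, so krb5_decrypt_ticket (second hunk) can surface a stale message from an earlier call; the neighbouring expiry branch calls `krb5_clear_error_string(context)` before returning. Suggest `krb5_set_error_string(context, "unsupported transited type %d", (int)enc->transited.tr_type);` before that return. The decrypt-side call is also a behaviour change worth a comment: the transit path is now verified for every ticket unless the KDC set `transited_policy_checked`, e.g. `/* the KDC did not vouch for the transit path: enforce [capaths] policy here */`. `free(realms)` releases only the array, as the removed `#if 0` code did — confirm krb5_domain_x500_decode allocates the strings in the same block.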
@@ -488,9 +499,15 @@ krb5_rd_req(krb5_context context, ap_req.ticket.realm); server = service; } + if (ap_req.ap_options.use_session_key && + (*auth_context)->keyblock == NULL) { + krb5_set_error_string(context, "krb5_rd_req: user to user auth " + "without session key given"); + ret = KRB5KRB_AP_ERR_NOKEY; + goto out; + } - if(ap_req.ap_options.use_session_key == 0 || - (*auth_context)->keyblock == NULL){ + if((*auth_context)->keyblock == NULL){ ret = get_key_from_keytab(context, auth_context, &ap_req, @@ -499,8 +516,13 @@ krb5_rd_req(krb5_context context, &keyblock); if(ret) goto out; + } else { + ret = krb5_copy_keyblock(context, + (*auth_context)->keyblock, + &keyblock); + if (ret) + goto out; } - ret = krb5_verify_ap_req(context, auth_context, diff --git a/lib/krb5/store.c b/lib/krb5/store.c index 4a17fd919..c91b4b1fb 100644 --- a/lib/krb5/store.c +++ b/lib/krb5/store.c @@ -607,12 +607,25 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth) return ret; } +static int32_t +bitswap32(int32_t b) +{ + int32_t r = 0; + int i; + for (i = 0; i < 32; i++) { + r = r << 1 | (b & 1); + b = b >> 1; + } + return r; +} + + /* - * store `creds' on `sp' returning error or zero + * */ krb5_error_code -krb5_store_creds(krb5_storage *sp, krb5_creds *creds) +_krb5_store_creds_internal(krb5_storage *sp, krb5_creds *creds, int v0_6) { int ret; @@ -632,9 +645,15 @@ krb5_store_creds(krb5_storage *sp, krb5_creds *creds) enc-tkt-in-skey bit from KDCOptions */ if(ret) return ret; - ret = krb5_store_int32(sp, creds->flags.i); - if(ret) - return ret; + if (v0_6) { + ret = krb5_store_int32(sp, creds->flags.i); + if(ret) + return ret; + } else { + ret = krb5_store_int32(sp, bitswap32(TicketFlags2int(creds->flags.b))); + if(ret) + return ret; + } ret = krb5_store_addrs(sp, creds->addresses); if(ret) return ret; 
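Review bot: the new else branch copies `(*auth_context)->keyblock` whenever it is non-NULL, including when the AP-REQ does not set `use_session_key`; the removed condition consulted the keytab in that case, so a caller that left a key in the auth context now has it used as the service key. If that precedence is intended, say so where the branch forks: `/* a key already in the auth context (user-to-user, or caller supplied) takes precedence over the keytab */`. The copied `keyblock` must be released on the `out` path, which is outside the hunk — confirm both branches are freed there. krb5_rd_req begins and ends outside the hunks.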
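Review bot: bitswap32 in store.c accumulates into a signed `int32_t`: `r << 1` once the top bit is set overflows a signed int (undefined behaviour in C) and `b >> 1` on a negative value is implementation-defined, so the reversal is not guaranteed to be exact on every compiler. Do the work in an unsigned type, which this file already uses as `u_int32_t` in krb5_ret_creds, and cast at the boundary. The comment block above `_krb5_store_creds_internal` was also reduced to an empty `/* * */`; it should document the new parameter, e.g. `/* store `creds' on `sp'; v0_6 != 0 writes the ticket flags word as held in memory (flags.i), otherwise the bit-reversed TicketFlags2int value */`.
```c
static int32_t
bitswap32(int32_t b)
{
    u_int32_t r = 0;
    u_int32_t ub = (u_int32_t)b;   /* unsigned: shifting a set top bit is well defined */
    int i;
    for (i = 0; i < 32; i++) {
        r = (r << 1) | (ub & 1);
        ub >>= 1;
    }
    return (int32_t)r;
}
```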
@@ -648,6 +667,28 @@ krb5_store_creds(krb5_storage *sp, krb5_creds *creds) return ret; } +/* + * store `creds' on `sp' returning error or zero + */ + +krb5_error_code +krb5_store_creds(krb5_storage *sp, krb5_creds *creds) +{ + return _krb5_store_creds_internal(sp, creds, 1); +} + +krb5_error_code +_krb5_store_creds_heimdal_0_7(krb5_storage *sp, krb5_creds *creds) +{ + return _krb5_store_creds_internal(sp, creds, 0); +} + +krb5_error_code +_krb5_store_creds_heimdal_pre_0_7(krb5_storage *sp, krb5_creds *creds) +{ + return _krb5_store_creds_internal(sp, creds, 1); +} + krb5_error_code krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) { @@ -668,6 +709,22 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds) if(ret) goto cleanup; ret = krb5_ret_int32 (sp, &dummy32); if(ret) goto cleanup; + /* + * Runtime detect the what is the higher bits of the bitfield. If + * any of the higher bits are set in the input data, its either a + * new ticket flag (and this code need to be removed), or its a + * MIT cache (or new Heimdal cache), lets change it to our current + * format. + */ + { + u_int32_t mask = 0xffff0000; + creds->flags.i = 0; + creds->flags.b.anonymous = 1; + if (creds->flags.i & mask) + mask = ~mask; + if (dummy32 & mask) + dummy32 = bitswap32(dummy32); + } creds->flags.i = dummy32; ret = krb5_ret_addrs (sp, &creds->addresses); if(ret) goto cleanup; diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c index f699cee2b..fb2a92dce 100644 --- a/lib/krb5/ticket.c +++ b/lib/krb5/ticket.c @@ -51,7 +51,10 @@ krb5_copy_ticket(krb5_context context, krb5_ticket **to) { krb5_error_code ret; - krb5_ticket *tmp = malloc(sizeof(*tmp)); + krb5_ticket *tmp; + + *to = NULL; + tmp = malloc(sizeof(*tmp)); if(tmp == NULL) { krb5_set_error_string (context, "malloc: out of memory"); return ENOMEM; 
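Review bot: `_krb5_store_creds_heimdal_0_7` and `_krb5_store_creds_heimdal_pre_0_7` are added without any comment, and only the `1`/`0` literal distinguishes them, so a reader has to follow `v0_6` into `_krb5_store_creds_internal` to learn what differs. Add a header above the pair such as `/* The two explicit variants select the on-disk ticket-flags bit order: pre-0.7 caches store flags.i verbatim, 0.7 caches store the bit-reversed TicketFlags2int value; krb5_store_creds keeps the pre-0.7 layout */`, matching what the `v0_6` branches in the previous hunk do. The krb5_ret_creds hunk below already explains its runtime detection, so the two comments together would document the format change end to end.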
@@ -63,12 +66,14 @@ krb5_copy_ticket(krb5_context context, ret = krb5_copy_principal(context, from->client, &tmp->client); if(ret){ free_EncTicketPart(&tmp->ticket); + free(tmp); return ret; } - ret = krb5_copy_principal(context, from->server, &(*to)->server); + ret = krb5_copy_principal(context, from->server, &tmp->server); if(ret){ krb5_free_principal(context, tmp->client); free_EncTicketPart(&tmp->ticket); + free(tmp); return ret; } *to = tmp; diff --git a/lib/krb5/transited.c b/lib/krb5/transited.c index e04027a0a..ac720169e 100644 --- a/lib/krb5/transited.c +++ b/lib/krb5/transited.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -308,6 +308,12 @@ krb5_domain_x500_decode(krb5_context context, struct tr_realm *p, **q; int ret; + if(tr.length == 0) { + *realms = NULL; + *num_realms = 0; + return 0; + } + /* split string in components */ ret = decode_realms(context, tr.data, tr.length, &r); if(ret) @@ -362,6 +368,9 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) char *s = NULL; int len = 0; int i; + krb5_data_zero(encoding); + if (num_realms == 0) + return 0; for(i = 0; i < num_realms; i++){ len += strlen(realms[i]); if(realms[i][0] == '/') @@ -369,6 +378,8 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) } len += num_realms - 1; s = malloc(len + 1); + if (s == NULL) + return ENOMEM; *s = '\0'; for(i = 0; i < num_realms; i++){ if(i && i < num_realms - 1) 
@@ -383,6 +394,44 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) } krb5_error_code +krb5_check_transited(krb5_context context, + krb5_const_realm client_realm, + krb5_const_realm server_realm, + krb5_realm *realms, + int num_realms, + int *bad_realm) +{ + char **tr_realms; + char **p; + int i; + + if(num_realms == 0) + return 0; + + tr_realms = krb5_config_get_strings(context, NULL, + "capaths", + client_realm, + server_realm, + NULL); + for(i = 0; i < num_realms; i++) { + for(p = tr_realms; p && *p; p++) { + if(strcmp(*p, realms[i]) == 0) + break; + } + if(p == NULL || *p == NULL) { + krb5_config_free_strings(tr_realms); + krb5_set_error_string (context, "no transit through realm %s", + realms[i]); + if(bad_realm) + *bad_realm = i; + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + } + krb5_config_free_strings(tr_realms); + return 0; +} + +krb5_error_code krb5_check_transited_realms(krb5_context context, const char *const *realms, int num_realms, diff --git a/lib/krb5/verify_krb5_conf.c b/lib/krb5/verify_krb5_conf.c index 2a8f7f326..d1aba5558 100644 --- a/lib/krb5/verify_krb5_conf.c +++ b/lib/krb5/verify_krb5_conf.c @@ -156,10 +156,7 @@ check_host(krb5_context context, const char *path, char *data) hostname[strcspn(hostname, "/")] = '\0'; ret = getaddrinfo(hostname, "telnet" /* XXX */, NULL, &ai); if(ret != 0) { - if(ret == EAI_NODATA) - krb5_warnx(context, "%s: host not found (%s)", path, hostname); - else - krb5_warnx(context, "%s: %s (%s)", path, gai_strerror(ret), hostname); + krb5_warnx(context, "%s: %s (%s)", path, gai_strerror(ret), hostname); return 1; } return 0; @@ -449,8 +446,8 @@ struct entry log_strings[] = { #if 0 struct entry kdcdefaults_entries[] = { - { "kdc_ports, krb5_config_string, mit_entry }, - { "v4_mode, krb5_config_string, mit_entry }, + { "kdc_ports", krb5_config_string, mit_entry }, + { "v4_mode", krb5_config_string, mit_entry }, { NULL } }; #endif 
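Review bot: krb5_check_transited rejects on the first realm whenever `krb5_config_get_strings` returns NULL, because `p == NULL` then holds immediately; in other words, with no `[capaths]` entry for the client/server realm pair every non-empty transited path fails with `KRB5KRB_AP_ERR_ILL_CR_TKT`. That is the safe fail-closed default, but it changes behaviour for cross-realm deployments without capaths and deserves a header comment: `/* Every realm in the transited path must be listed under [capaths] client_realm -> server_realm; with no such entry any non-empty path is rejected. bad_realm is written only on failure. */`. The `krb5_config_free_strings(tr_realms)` calls run with a possibly NULL pointer — confirm that helper tolerates NULL.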
diff --git a/lib/otp/Makefile.am b/lib/otp/Makefile.am index efbcc9431..de14c824d 100644 --- a/lib/otp/Makefile.am +++ b/lib/otp/Makefile.am @@ -13,7 +13,7 @@ otptest_LDADD = libotp.la include_HEADERS = otp.h lib_LTLIBRARIES = libotp.la -libotp_la_LDFLAGS = -version-info 1:3:1 +libotp_la_LDFLAGS = -version-info 1:4:1 libotp_la_LIBADD = $(LIB_des) $(LIB_roken) $(LIB_NDBM) if HAVE_DB3 diff --git a/lib/roken/ChangeLog b/lib/roken/ChangeLog index 931cf747b..3132d23ae 100644 --- a/lib/roken/ChangeLog +++ b/lib/roken/ChangeLog @@ -1,3 +1,21 @@ +2004-01-15 Love + + * roken-common.h: 1.52: use EAI_NONAME instead of EAI_ADDRFAMILY + to check for if we need EAI_ macros + + * gai_strerror.c: 1.4: correct ifdef for EAI_ADDRFAMILY + 1.3: EAI_ADDRFAMILY and EAI_NODATA is deprecated + +2003-08-29 Love + + * ndbm_wrap.c: 1.1->1.2: patch for working with DB4 on + heimdal-discuss From: Luke Howard + +2003-04-22 Love + + * resolve.c: 1.38->1.39: copy NUL too, from janj@wenf.org via + openbsd + 2003-04-16 Love * parse_units.h: remove typedef for units to avoid problems with diff --git a/lib/roken/Makefile.am b/lib/roken/Makefile.am index 79d3fd12a..9c110a5c9 100644 --- a/lib/roken/Makefile.am +++ b/lib/roken/Makefile.am @@ -7,7 +7,7 @@ ACLOCAL_AMFLAGS = -I ../../cf CLEANFILES = roken.h make-roken.c $(XHEADERS) lib_LTLIBRARIES = libroken.la -libroken_la_LDFLAGS = -version-info 16:0:0 +libroken_la_LDFLAGS = -version-info 16:3:0 noinst_PROGRAMS = make-roken snprintf-test 
@@ -85,86 +85,16 @@ libroken_la_SOURCES = \ xdbm.h EXTRA_libroken_la_SOURCES = \ - chown.c \ - copyhostent.c \ - daemon.c \ - ecalloc.c \ - emalloc.c \ - erealloc.c \ - estrdup.c \ - err.c \ err.hin \ - errx.c \ - fchown.c \ - flock.c \ - fnmatch.c \ - fnmatch.hin \ - freehostent.c \ - gai_strerror.c \ - getdtablesize.c \ - getegid.c \ - geteuid.c \ - getgid.c \ - gethostname.c \ - getifaddrs.c \ - getipnodebyaddr.c \ - getipnodebyname.c \ - getopt.c \ - gettimeofday.c \ - getuid.c \ - getusershell.c \ glob.hin \ - hstrerror.c \ ifaddrs.hin \ - inet_aton.c \ - inet_ntop.c \ - inet_pton.c \ - initgroups.c \ - innetgr.c \ - iruserok.c \ - lstat.c \ - memmove.c \ - mkstemp.c \ - putenv.c \ - rcmd.c \ - readv.c \ - recvmsg.c \ - sendmsg.c \ - setegid.c \ - setenv.c \ - seteuid.c \ - strcasecmp.c \ - strdup.c \ - strerror.c \ - strftime.c \ - strlcat.c \ - strlcpy.c \ - strlwr.c \ - strncasecmp.c \ - strndup.c \ - strnlen.c \ - strptime.c \ - strsep.c \ - strsep_copy.c \ - strtok_r.c \ - strupr.c \ - swab.c \ - unsetenv.c \ - verr.c \ - verrx.c \ - vis.hin \ - vsyslog.c \ - vwarn.c \ - vwarnx.c \ - warn.c \ - warnx.c \ - writev.c + vis.hin EXTRA_DIST = roken.awk roken.h.in libroken_la_LIBADD = @LTLIBOBJS@ $(DBLIB) -$(LTLIBOBJS) $(libroken_la_OBJECTS): $(include_HEADERS) roken.h $(XHEADERS) +$(LTLIBOBJS) $(libroken_la_OBJECTS): roken.h $(XHEADERS) BUILT_SOURCES = make-roken.c roken.h diff --git a/lib/roken/gai_strerror.c b/lib/roken/gai_strerror.c index c3f1e5615..d64391b11 100644 --- a/lib/roken/gai_strerror.c +++ b/lib/roken/gai_strerror.c 
@@ -43,13 +43,17 @@ static struct gai_error { char *str; } errors[] = { {EAI_NOERROR, "no error"}, +#ifdef EAI_ADDRFAMILY {EAI_ADDRFAMILY, "address family for nodename not supported"}, +#endif {EAI_AGAIN, "temporary failure in name resolution"}, {EAI_BADFLAGS, "invalid value for ai_flags"}, {EAI_FAIL, "non-recoverable failure in name resolution"}, {EAI_FAMILY, "ai_family not supported"}, {EAI_MEMORY, "memory allocation failure"}, +#ifdef EAI_NODATA {EAI_NODATA, "no address associated with nodename"}, +#endif {EAI_NONAME, "nodename nor servname provided, or not known"}, {EAI_SERVICE, "servname not supported for ai_socktype"}, {EAI_SOCKTYPE, "ai_socktype not supported"}, diff --git a/lib/roken/ndbm_wrap.c b/lib/roken/ndbm_wrap.c index 4fec089e4..7c7d6c37a 100644 --- a/lib/roken/ndbm_wrap.c +++ b/lib/roken/ndbm_wrap.c @@ -165,7 +165,12 @@ dbm_open (const char *file, int flags, mode_t mode) free(fn); return NULL; } + +#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0) + if(db->open(db, NULL, fn, NULL, DB_BTREE, myflags, mode) != 0) { +#else if(db->open(db, fn, NULL, DB_BTREE, myflags, mode) != 0) { +#endif free(fn); db->close(db, 0); return NULL; diff --git a/lib/roken/resolve.c b/lib/roken/resolve.c index eb75e6437..00fd43e83 100644 --- a/lib/roken/resolve.c +++ b/lib/roken/resolve.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -186,7 +186,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, return -1; } (*rr)->u.mx->preference = (p[0] << 8) | p[1]; - strlcpy((*rr)->u.mx->domain, host, hostlen); + strlcpy((*rr)->u.mx->domain, host, hostlen + 1); break; } case T_SRV:{ 
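Review bot: the guard `(DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)` in dbm_open picks the newer DB->open signature (with the extra transaction argument) only when the minor version is non-zero, so any later major release with minor 0 would silently fall back to the old six-argument call and mis-pass arguments. As far as I recall the extra argument arrived with Berkeley DB 4.1, so the condition should be `#if (DB_VERSION_MAJOR > 4) || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1)`, with a short comment such as `/* DB 4.1 added a transaction argument to DB->open */` explaining why the two calls differ. dbm_open begins and ends outside the hunk.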
@@ -212,7 +212,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, (*rr)->u.srv->priority = (p[0] << 8) | p[1]; (*rr)->u.srv->weight = (p[2] << 8) | p[3]; (*rr)->u.srv->port = (p[4] << 8) | p[5]; - strlcpy((*rr)->u.srv->target, host, hostlen); + strlcpy((*rr)->u.srv->target, host, hostlen + 1); break; } case T_TXT:{ @@ -294,7 +294,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, (*rr)->u.sig->sig_len = sig_len; memcpy ((*rr)->u.sig->sig_data, p + 18 + status, sig_len); (*rr)->u.sig->signer = &(*rr)->u.sig->sig_data[sig_len]; - strlcpy((*rr)->u.sig->signer, host, hostlen); + strlcpy((*rr)->u.sig->signer, host, hostlen + 1); break; } diff --git a/lib/roken/roken-common.h b/lib/roken/roken-common.h index 331c08f6a..f1e5ed862 100644 --- a/lib/roken/roken-common.h +++ b/lib/roken/roken-common.h @@ -172,7 +172,7 @@ #define EAI_NOERROR 0 /* no error */ #endif -#ifndef EAI_ADDRFAMILY +#ifndef EAI_NONAME #define EAI_ADDRFAMILY 1 /* address family for nodename not supported */ #define EAI_AGAIN 2 /* temporary failure in name resolution */ @@ -186,7 +186,7 @@ #define EAI_SOCKTYPE 10 /* ai_socktype not supported */ #define EAI_SYSTEM 11 /* system error returned in errno */ -#endif /* EAI_ADDRFAMILY */ +#endif /* EAI_NONAME */ /* flags for getaddrinfo() */ diff --git a/lib/vers/print_version.c b/lib/vers/print_version.c index b59d7ce25..359fea021 100644 --- a/lib/vers/print_version.c +++ b/lib/vers/print_version.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1998 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -50,6 +50,6 @@ print_version(const char *progname) if(*package_list == '\0') package_list = "no version information"; fprintf(stderr, "%s (%s)\n", progname, package_list); - fprintf(stderr, "Copyright 1999-2003 Kungliga Tekniska Högskolan\n"); + fprintf(stderr, "Copyright 1999-2004 Kungliga Tekniska Högskolan\n"); fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT); } diff --git a/ltconfig b/ltconfig index cc814fa3a..91907462a 100755 --- a/ltconfig +++ b/ltconfig @@ -1,7 +1,8 @@ #! /bin/sh # ltconfig - Create a system-specific libtool. -# Copyright (C) 1996-2000 Free Software Foundation, Inc. +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 +# Free Software Foundation, Inc. # Originally by Gordon Matzigkeit , 1996 # # This file is free software; you can redistribute it and/or modify it @@ -150,6 +151,7 @@ else if test "$prev" != 'sed 50q "$0"'; then echo_test_string=`eval $prev` + export echo_test_string exec "${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}}" "$0" ${1+"$@"} else @@ -179,8 +181,8 @@ progname=`$echo "X$0" | $Xsed -e 's%^.*/%%'` # Constants: PROGRAM=ltconfig PACKAGE=libtool -VERSION=1.3c -TIMESTAMP=" (1.731 2000/07/10 09:42:21)" +VERSION=1.4a +TIMESTAMP=" (1.641.2.255 2001/05/22 10:39:30)" ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' ac_link='${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' rm="rm -f" 
@@ -208,13 +210,64 @@ build=NONE nonopt=NONE ofile="$default_ofile" verify_host=yes +tagname= with_gcc=no with_gnu_ld=no need_locks=yes ac_ext=c libext=a cache_file= +max_cmd_len= + +## Dependencies to place before and after the object being linked: +predep_objects= +postdep_objects= +predeps= +postdeps= +compiler_lib_search_path= + +## Link characteristics: +allow_undefined_flag= +no_undefined_flag= +need_lib_prefix=unknown +need_version=unknown +# when you set need_version to no, make sure it does not cause -set_version +# flags to be left without arguments +archive_cmds= +archive_expsym_cmds= +old_archive_from_new_cmds= +old_archive_from_expsyms_cmds= +striplib= +old_striplib= +export_dynamic_flag_spec= +whole_archive_flag_spec= +thread_safe_flag_spec= +hardcode_into_libs=no +hardcode_libdir_flag_spec= +hardcode_libdir_separator= +hardcode_direct=no +hardcode_minus_L=no +hardcode_shlibpath_var=unsupported +runpath_var= +link_all_deplibs=unknown +always_export_symbols=no +export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | sed '\''s/.* //'\'' | sort | uniq > $export_symbols' +# include_expsyms should be a list of space-separated symbols to be *always* +# included in the symbol list +include_expsyms= +# exclude_expsyms can be an egrep regular expression of symbols to exclude +# it will be wrapped by ` (' and `)$', so one must not match beginning or +# end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', +# as well as any symbol that contains `d'. +exclude_expsyms="_GLOBAL_OFFSET_TABLE_" +# Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out +# platforms (ab)use it in PIC code, but their linkers get confused if +# the symbol is explicitly referenced. Since portable code cannot +# rely on this symbol name, it's probably fine to never include it in +# preloaded symbol tables. +extract_expsyms_cmds= +## Tools: old_AR="$AR" old_AR_FLAGS="$AR_FLAGS" old_CC="$CC" 
@@ -222,9 +275,10 @@ old_CFLAGS="$CFLAGS" old_CPPFLAGS="$CPPFLAGS" old_LDFLAGS="$LDFLAGS" old_LIBS="$LIBS" -old_MAGIC="$MAGIC" +old_MAGIC_CMD="$MAGIC_CMD" old_LD="$LD" old_LN_S="$LN_S" +old_LTCC="$LTCC" old_NM="$NM" old_RANLIB="$RANLIB" old_STRIP="$STRIP" @@ -233,7 +287,7 @@ old_DLLTOOL="$DLLTOOL" old_OBJDUMP="$OBJDUMP" old_OBJEXT="$OBJEXT" old_EXEEXT="$EXEEXT" -old_reload_Flag="$reload_flag" +old_reload_flag="$reload_flag" old_deplibs_check_method="$deplibs_check_method" old_file_magic_cmd="$file_magic_cmd" @@ -242,7 +296,7 @@ args= prev= for option do - case "$option" in + case $option in -*=*) optarg=`echo "$option" | sed 's/[-_a-zA-Z0-9]*=//'` ;; *) optarg= ;; esac @@ -254,7 +308,7 @@ do continue fi - case "$option" in + case $option in --help) cat <&2 + exit 1 + ;; + esac + + if grep "^### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$ofile" > /dev/null; then + echo "$progname: tag name $tagname already exists" 1>&2 + exit 1 + fi + + if test ! -f "$ofile"; then + echo "$progname: warning: output file \`$ofile' does not exist" 1>&2 + fi + + if test -z "$LTCC"; then + eval "`$SHELL $ofile --config | grep '^LTCC='`" + if test -z "$LTCC"; then + echo "$progname: warning: output file \`$ofile' does not look like a libtool script" 1>&2 + else + echo "$progname: warning: using \`LTCC=$LTCC', extracted from \`$ofile'" 1>&2 + fi + fi +fi + # Quote any args containing shell metacharacters. ltconfig_args= for arg do - case "$arg" in + case $arg in *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*) ltconfig_args="$ltconfig_args '$arg'" ;; *) ltconfig_args="$ltconfig_args $arg" ;; @@ -399,7 +486,7 @@ exec 5>>./config.log if test "X${LC_ALL+set}" = Xset; then LC_ALL=C; export LC_ALL; fi if test "X${LANG+set}" = Xset; then LANG=C; export LANG; fi -if test -n "$cache_file" && test -r "$cache_file"; then +if test -n "$cache_file" && test -r "$cache_file" && test -f "$cache_file"; then echo "loading cache $cache_file within ltconfig" . $cache_file fi 
@@ -451,14 +538,23 @@ if test "$verify_host" = yes; then echo $ac_n "checking host system type""... $ac_c" 1>&6 host_alias=$host - case "$host_alias" in + case $host_alias in "") + # Force config.guess to use the C compiler. + # CC_FOR_BUILD overrides the CC variable in config.guess but I had + # problems with it so do it this way for now. + CC="$LTCC" + if host_alias=`$SHELL $ac_config_guess`; then : else echo "$progname: cannot guess host type; you must specify one" 1>&2 echo "$help" 1>&2 exit 1 - fi ;; + fi + + # Restore the C compiler. + CC="$old_CC" + ;; esac host=`$SHELL $ac_config_sub $host_alias` echo "$ac_t$host" 1>&6 @@ -470,7 +566,7 @@ if test "$verify_host" = yes; then echo $ac_n "checking build system type... $ac_c" 1>&6 build_alias=$build - case "$build_alias" in + case $build_alias in NONE) case $nonopt in NONE) build_alias=$host_alias ;; @@ -505,12 +601,12 @@ host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` # Transform linux* to *-*-linux-gnu*, to support old configure scripts. -case "$host_os" in +case $host_os in linux-gnu*) ;; linux*) host=`echo $host | sed 's/^\(.*-.*-linux\)\(.*\)$/\1-gnu\2/'` esac -case "$host_os" in +case $host_os in aix3*) # AIX sometimes has problems with the GCC collect2 program. For some # reason, if we set the COLLECT_NAMES environment variable, the problems 
@@ -527,13 +623,27 @@ old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs' old_postinstall_cmds='chmod 644 $oldlib' old_postuninstall_cmds= +if test -n "$RANLIB"; then + old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" + old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds" +fi + +# Source the script associated with the $tagname tag configuration. +if test -n "$tagname"; then + . $ltmain +else + # FIXME: We should use a variable here + # Configure for a C compiler + . $srcdir/ltcf-c.sh +fi + # Set sane defaults for various variables test -z "$AR" && AR=ar test -z "$AR_FLAGS" && AR_FLAGS=cru test -z "$AS" && AS=as test -z "$CC" && CC=cc test -z "$DLLTOOL" && DLLTOOL=dlltool -test -z "$MAGIC" && MAGIC=file +test -z "$MAGIC_CMD" && MAGIC_CMD=file test -z "$LD" && LD=ld test -z "$LN_S" && LN_S="ln -s" test -z "$NM" && NM=nm @@ -554,6 +664,9 @@ fi rmdir .libs 2>/dev/null echo "$ac_t$objdir" 1>&6 +# If no C compiler was specified, use CC. +LTCC=${LTCC-"$CC"} + # Allow CC to be a program name with arguments. set dummy $CC compiler="$2" 
@@ -562,129 +675,8 @@ compiler="$2" # in isolation, and that seeing it set (from the cache) indicates that # the associated values are set (in the cache) correctly too. echo $ac_n "checking for $compiler option to produce PIC... $ac_c" 1>&6 -echo "$progname:565:checking for $compiler option to produce PIC" 1>&5 -if test "X${ac_cv_prog_cc_pic+set}" = Xset; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_cv_prog_cc_pic= - ac_cv_prog_cc_shlib= - ac_cv_prog_cc_wl= - ac_cv_prog_cc_static= - ac_cv_prog_cc_no_builtin= - ac_cv_prog_cc_can_build_shared=$can_build_shared - - if test "$with_gcc" = yes; then - ac_cv_prog_cc_wl='-Wl,' - ac_cv_prog_cc_static='-static' - - case "$host_os" in - beos* | irix5* | irix6* | osf3* | osf4* | osf5*) - # PIC is the default for these OSes. - ;; - aix*) - # Below there is a dirty hack to force normal static linking with -ldl - # The problem is because libdl dynamically linked with both libc and - # libC (AIX C++ library), which obviously doesn't included in libraries - # list by gcc. This cause undefined symbols with -static flags. - # This hack allows C programs to be linked with "-static -ldl", but - # we not sure about C++ programs. - ac_cv_prog_cc_static="$ac_cv_prog_cc_static ${ac_cv_prog_cc_wl}-lC" - ;; - cygwin* | mingw* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - ac_cv_prog_cc_pic='-DDLL_EXPORT' - ;; - amigaos*) - # FIXME: we need at least 68020 code to build shared libraries, but - # adding the `-m68020' flag to GCC prevents building anything better, - # like `-m68040'. - ac_cv_prog_cc_pic='-m68020 -resident32 -malways-restore-a4' - ;; - sysv4*MP*) - if test -d /usr/nec; then - ac_cv_prog_cc_pic=-Kconform_pic - fi - ;; - *) - ac_cv_prog_cc_pic='-fPIC' - ;; - esac - else - # PORTME Check for PIC flags for the system compiler. - case "$host_os" in - aix3* | aix4*) - # All AIX code is PIC. 
- ac_cv_prog_cc_static='-bnso -bI:/lib/syscalls.exp' - ;; - - hpux9* | hpux10* | hpux11*) - # Is there a better ac_cv_prog_cc_static that works with the bundled CC? - ac_cv_prog_cc_wl='-Wl,' - ac_cv_prog_cc_static="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive" - ac_cv_prog_cc_pic='+Z' - ;; - - irix5* | irix6*) - ac_cv_prog_cc_wl='-Wl,' - ac_cv_prog_cc_static='-non_shared' - # PIC (with -KPIC) is the default. - ;; - - cygwin* | mingw* | os2*) - # This hack is so that the source file can tell whether it is being - # built for inclusion in a dll (and should export symbols for example). - ac_cv_prog_cc_pic='-DDLL_EXPORT' - ;; - - osf3* | osf4* | osf5*) - # All OSF/1 code is PIC. - ac_cv_prog_cc_wl='-Wl,' - ac_cv_prog_cc_static='-non_shared' - ;; - - sco3.2v5*) - ac_cv_prog_cc_pic='-Kpic' - ac_cv_prog_cc_static='-dn' - ac_cv_prog_cc_shlib='-belf' - ;; +echo "$progname:678:checking for $compiler option to produce PIC" 1>&5 - solaris*) - ac_cv_prog_cc_pic='-KPIC' - ac_cv_prog_cc_static='-Bstatic' - ac_cv_prog_cc_wl='-Wl,' - ;; - - sunos4*) - ac_cv_prog_cc_pic='-PIC' - ac_cv_prog_cc_static='-Bstatic' - ac_cv_prog_cc_wl='-Qoption ld ' - ;; - - sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) - ac_cv_prog_cc_pic='-KPIC' - ac_cv_prog_cc_static='-Bstatic' - ac_cv_prog_cc_wl='-Wl,' - ;; - - uts4*) - ac_cv_prog_cc_pic='-pic' - ac_cv_prog_cc_static='-Bstatic' - ;; - - sysv4*MP*) - if test -d /usr/nec ;then - ac_cv_prog_cc_pic='-Kconform_pic' - ac_cv_prog_cc_static='-Bstatic' - fi - ;; - - *) - ac_cv_prog_cc_can_build_shared=no - ;; - esac - fi -fi if test -z "$ac_cv_prog_cc_pic"; then echo "$ac_t"none 1>&6 else 
@@ -692,20 +684,21 @@ else # Check to make sure the pic_flag actually works. echo $ac_n "checking if $compiler PIC flag $ac_cv_prog_cc_pic works... $ac_c" 1>&6 - echo "$progname:695:checking that $compiler PIC flag $ac_cv_prog_cc_pic works." 1>&5 - if test "X${ac_cv_prog_cc_pic_works+set}" = Xset; then + echo "$progname:687:checking that $compiler PIC flag $ac_cv_prog_cc_pic works." 1>&5 + if test "X${ac_cv_prog_cc_pic_works+set}" = Xset && \ + test "X${ac_cv_prog_cc_pic_works}" != X; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_cv_prog_cc_pic_works=yes $rm conftest* - echo "int some_variable = 0;" > conftest.c + echo $lt_simple_compile_test_code > conftest.$ac_ext save_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $ac_cv_prog_cc_pic -DPIC" - if { (eval echo $progname:704: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then + if { (eval echo $progname:697: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then # Append any warnings to the config.log. cat conftest.err 1>&5 - case "$host_os" in + case $host_os in hpux9* | hpux10* | hpux11*) # On HP-UX, both CC and GCC only warn that PIC is supported... then # they create non-PIC objects. So, if there were any warnings, we 
@@ -753,15 +746,16 @@ if test -n "$ac_cv_prog_cc_shlib"; then fi echo $ac_n "checking if $compiler static flag $ac_cv_prog_cc_static works... $ac_c" 1>&6 -echo "$progname:756: checking if $compiler static flag $ac_cv_prog_cc_static works" >&5 -if test "X${ac_cv_prog_cc_static_works+set}" = Xset; then +echo "$progname:749: checking if $compiler static flag $ac_cv_prog_cc_static works" >&5 +if test "X${ac_cv_prog_cc_static_works+set}" = Xset && \ + test "X${ac_cv_prog_cc_static_works}" != X; then echo $ac_n "(cached) $ac_c" 1>&6 else $rm conftest* - echo 'main(){return(0);}' > conftest.c + echo $lt_simple_link_test_code > conftest.$ac_ext save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS $ac_cv_prog_cc_static" - if { (eval echo $progname:764: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then + if { (eval echo $progname:758: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ac_cv_prog_cc_static_works=yes else ac_cv_prog_cc_static_works=no 
@@ -782,78 +776,85 @@ link_static_flag="$ac_cv_prog_cc_static"
no_builtin_flag="$ac_cv_prog_cc_no_builtin"
can_build_shared="$ac_cv_prog_cc_can_build_shared"
+# find the maximum length of command line arguments
+echo "$progname:780: finding the maximum length of command line arguments" 1>&5
+echo $ac_n "finding the maximum length of command line arguments... $ac_c" 1>&6
+if test "${lt_cv_sys_max_cmd_len+set}" = set; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ i=0
+ testring="ABCD"
+ # If test is not a shell built-in, we'll probably end up computing a
+ # maximum length that is only half of the actual maximum length, but
+ # we can't tell.
+ while test "X"`$CONFIG_SHELL $0 --fallback-echo "X$testring" 2>/dev/null` \
+ = "XX$testring" &&
+ new_result=`expr "X$testring" : ".*" 2>&1` &&
+ lt_cv_sys_max_cmd_len=$new_result &&
+ test $i != 18 # 1 MB should be enough
+ do
+ i=`expr $i + 1`
+ testring=$testring$testring
+ done
+ testring=
+ # add a significant safety factor because C++ compilers can tack on massive amounts
+ # of additional arguments before passing them to the linker. 1/4 should be good.
+ len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len - $len`
+fi
+echo "$progname:@lineno@: result: $lt_cv_sys_max_cmd_len" 1>&5
+echo "${ac_t}$lt_cv_sys_max_cmd_len" 1>&6
+
+if test -n $lt_cv_sys_max_cmd_len ; then
+ max_cmd_len=$lt_cv_sys_max_cmd_len
+else
+ max_cmd_len=none
+fi
+
# Check to see if options -o and -c are simultaneously supported by compiler
-echo $ac_n "checking if $compiler supports -c -o file.o... $ac_c" 1>&6
-$rm -r conftest 2>/dev/null
-mkdir conftest
-cd conftest
-$rm conftest*
-echo "int some_variable = 0;" > conftest.c
-mkdir out
-# According to Tom Tromey, Ian Lance Taylor reported there are C compilers
-# that will create temporary files in the current directory regardless of
-# the output directory.
Thus, making CWD read-only will cause this test
-# to fail, enabling locking or at least warning the user not to do parallel
-# builds.
-chmod -w .
-save_CFLAGS="$CFLAGS"
-CFLAGS="$CFLAGS -o out/conftest2.o"
-echo "$progname:801: checking if $compiler supports -c -o file.o" >&5
-if { (eval echo $progname:802: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.o; then
-
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test -s out/conftest.err; then
- echo "$ac_t"no 1>&6
- compiler_c_o=no
- else
- echo "$ac_t"yes 1>&6
- compiler_c_o=yes
- fi
+echo $ac_n "checking if $compiler supports -c -o file.$objext... $ac_c" 1>&6
+if test "${lt_cv_compiler_c_o+set}" = set; then
+ echo $ac_n "(cached) $ac_c" 1>&6
else
- # Append any errors to the config.log.
- cat out/conftest.err 1>&5
- compiler_c_o=no
- echo "$ac_t"no 1>&6
-fi
-CFLAGS="$save_CFLAGS"
-chmod u+w .
-$rm conftest* out/*
-rmdir out
-cd ..
-rmdir conftest
-$rm -r conftest 2>/dev/null
-
-if test x"$compiler_c_o" = x"yes"; then
- # Check to see if we can write to a .lo
- echo $ac_n "checking if $compiler supports -c -o file.lo... $ac_c" 1>&6
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
$rm conftest*
- echo "int some_variable = 0;" > conftest.c
+ echo $lt_simple_compile_test_code > conftest.$ac_ext
+ mkdir out
+ # According to Tom Tromey, Ian Lance Taylor reported there are C compilers
+ # that will create temporary files in the current directory regardless of
+ # the output directory. Thus, making CWD read-only will cause this test
+ # to fail, enabling locking or at least warning the user not to do parallel
+ # builds.
+ chmod -w .
save_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -c -o conftest.lo"
- echo "$progname:834: checking if $compiler supports -c -o file.lo" >&5
-if { (eval echo $progname:835: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.lo; then
+ CFLAGS="$CFLAGS -o out/conftest2.$objext"
+ echo "$progname:833: checking if $compiler supports -c -o file.$objext" >&5
+ if { (eval echo $progname:834: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>out/conftest.err; } && test -s out/conftest2.$objext; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
- if test -s out/conftest.err; then
- echo "$ac_t"no 1>&6
- compiler_o_lo=no
+ if test -s out/conftest.err; then
+ lt_cv_compiler_c_o=no
else
- echo "$ac_t"yes 1>&6
- compiler_o_lo=yes
+ lt_cv_compiler_c_o=yes
fi
else
# Append any errors to the config.log.
- cat conftest.err 1>&5
- compiler_o_lo=no
- echo "$ac_t"no 1>&6
+ cat out/conftest.err 1>&5
+ lt_cv_compiler_c_o=no
fi
CFLAGS="$save_CFLAGS"
- $rm conftest*
-else
- compiler_o_lo=no
+ chmod u+w .
+ $rm conftest* out/*
+ rmdir out
+ cd ..
+ rmdir conftest
+ $rm -r conftest 2>/dev/null
fi
+compiler_c_o=$lt_cv_compiler_c_o
+echo "${ac_t}$compiler_c_o" 1>&6
# Check to see if we can do hard links to lock some files if needed
hard_links="nottested"
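Review bot: `if test -n $lt_cv_sys_max_cmd_len ; then` leaves the variable unquoted, so when the cached value is empty `test -n` runs with a single argument and succeeds, and `max_cmd_len` ends up empty instead of `none`; it should read `if test -n "$lt_cv_sys_max_cmd_len"; then`. The log line just above it, `echo "$progname:@lineno@: result: $lt_cv_sys_max_cmd_len" 1>&5`, still carries the unexpanded `@lineno@` token while every other log line in this hunk has a numeric position, which looks like a leftover from template substitution. The relocated `-c -o` probe keeps the old `mkdir conftest` / `cd conftest` / `cd ..` sequence without checking that either `mkdir` or `cd` succeeded, so a failed `cd` would make `chmod -w .` and `$rm conftest* out/*` act on the build directory itself; that was carried over rather than introduced, but now sits inside the cache-miss branch where it is easier to guard with `cd conftest || exit 1`.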
@@ -880,11 +881,11 @@ if test "$with_gcc" = yes; then
# Check to see if options -fno-rtti -fno-exceptions are supported by compiler
echo $ac_n "checking if $compiler supports -fno-rtti -fno-exceptions ... $ac_c" 1>&6
$rm conftest*
- echo "int some_variable = 0;" > conftest.c
+ echo $lt_simple_compile_test_code > conftest.$ac_ext
save_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -fno-rtti -fno-exceptions -c conftest.c"
- echo "$progname:886: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
- if { (eval echo $progname:887: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.o; then
+ CFLAGS="$CFLAGS -fno-rtti -fno-exceptions -c conftest.$ac_ext"
+ echo "$progname:887: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+ if { (eval echo $progname:888: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>conftest.err; } && test -s conftest.$objext; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -909,541 +910,12 @@ if test "$with_gcc" = yes; then else no_builtin_flag=' -fno-builtin' fi - + fi # See if the linker supports building shared libraries. echo $ac_n "checking whether the linker ($LD) supports shared libraries... $ac_c" 1>&6 -allow_undefined_flag= -no_undefined_flag= -need_lib_prefix=unknown -need_version=unknown -# when you set need_version to no, make sure it does not cause -set_version -# flags to be left without arguments -archive_cmds= -archive_expsym_cmds= -old_archive_from_new_cmds= -old_archive_from_expsyms_cmds= -striplib= -old_striplib= -export_dynamic_flag_spec= -whole_archive_flag_spec= -thread_safe_flag_spec= -hardcode_into_libs=no -hardcode_libdir_flag_spec= -hardcode_libdir_separator= -hardcode_direct=no -hardcode_minus_L=no -hardcode_shlibpath_var=unsupported -runpath_var= -link_all_deplibs=unknown -always_export_symbols=no -export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | sed '\''s/.* //'\'' | sort | uniq > $export_symbols' -# include_expsyms should be a list of space-separated symbols to be *always* -# included in the symbol list -include_expsyms= -# exclude_expsyms can be an egrep regular expression of symbols to exclude -# it will be wrapped by ` (' and `)$', so one must not match beginning or -# end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', -# as well as any symbol that contains `d'. -exclude_expsyms="_GLOBAL_OFFSET_TABLE_" -# Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out -# platforms (ab)use it in PIC code, but their linkers get confused if -# the symbol is explicitly referenced. Since portable code cannot -# rely on this symbol name, it's probably fine to never include it in -# preloaded symbol tables. -extract_expsyms_cmds= - -case "$host_os" in -cygwin* | mingw*) - # FIXME: the MSVC++ port hasn't been tested in a loooong time - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. 
- if test "$with_gcc" != yes; then - with_gnu_ld=no - fi - ;; - -esac - -ld_shlibs=yes -if test "$with_gnu_ld" = yes; then - # If archive_cmds runs LD, not CC, wlarc should be empty - wlarc='${wl}' - - # See if GNU ld supports shared libraries. - case "$host_os" in - aix3* | aix4*) - # On AIX, the GNU linker is very broken - ld_shlibs=no - cat <&2 - -*** Warning: the GNU linker, at least up to release 2.9.1, is reported -*** to be unable to reliably create shared libraries on AIX. -*** Therefore, libtool is disabling shared libraries support. If you -*** really care for shared libraries, you may want to modify your PATH -*** so that a non-GNU linker is found, and then restart. - -EOF - ;; - - amigaos*) - archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - - # Samuel A. Falvo II reports - # that the semantics of dynamic libraries on AmigaOS, at least up - # to version 4, is to share data among multiple programs linked - # with the same dynamic library. Since this doesn't match the - # behavior of shared libraries on other platforms, we can use - # them. - ld_shlibs=no - ;; - - beos*) - if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then - allow_undefined_flag=unsupported - # Joseph Beckenbach says some releases of gcc - # support --undefined. This deserves some investigation. FIXME - archive_cmds='$CC -nostart $libobjs $deplibs $linker_flags ${wl}-soname $wl$soname -o $lib' - else - ld_shlibs=no - fi - ;; - - cygwin* | mingw*) - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. 
- hardcode_libdir_flag_spec='-L$libdir' - allow_undefined_flag=unsupported - always_export_symbols=yes - - extract_expsyms_cmds='test -f $output_objdir/impgen.c || \ - sed -e "/^# \/\* impgen\.c starts here \*\//,/^# \/\* impgen.c ends here \*\// { s/^# //; p; }" -e d < $0 > $output_objdir/impgen.c~ - test -f $output_objdir/impgen.exe || (cd $output_objdir && \ - if test "x$HOST_CC" != "x" ; then $HOST_CC -o impgen impgen.c ; \ - else $CC -o impgen impgen.c ; fi)~ - $output_objdir/impgen $dir/$soname > $output_objdir/$soname-def' - - old_archive_from_expsyms_cmds='$DLLTOOL --as=$AS --dllname $soname --def $output_objdir/$soname-def --output-lib $output_objdir/$newlib' - - # cygwin and mingw dlls have different entry points and sets of symbols - # to exclude. - # FIXME: what about values for MSVC? - dll_entry=__cygwin_dll_entry@12 - dll_exclude_symbols=DllMain@12,_cygwin_dll_entry@12,_cygwin_noncygwin_dll_entry@12~ - case "$host_os" in - mingw*) - # mingw values - dll_entry=_DllMainCRTStartup@12 - dll_exclude_symbols=DllMain@12,DllMainCRTStartup@12,DllEntryPoint@12~ - ;; - esac - - # mingw and cygwin differ, and it's simplest to just exclude the union - # of the two symbol sets. 
- dll_exclude_symbols=DllMain@12,_cygwin_dll_entry@12,_cygwin_noncygwin_dll_entry@12,DllMainCRTStartup@12,DllEntryPoint@12 - - # recent cygwin and mingw systems supply a stub DllMain which the user - # can override, but on older systems we have to supply one (in ltdll.c) - if test "x$lt_cv_need_dllmain" = "xyes"; then - ltdll_obj='$output_objdir/$soname-ltdll.'"$objext " - ltdll_cmds='test -f $output_objdir/$soname-ltdll.c || sed -e "/^# \/\* ltdll\.c starts here \*\//,/^# \/\* ltdll.c ends here \*\// { s/^# //; p; }" -e d < $0 > $output_objdir/$soname-ltdll.c~ - test -f $output_objdir/$soname-ltdll.$objext || (cd $output_objdir && $CC -c $soname-ltdll.c)~' - else - ltdll_obj= - ltdll_cmds= - fi - - # Extract the symbol export list from an `--export-all' def file, - # then regenerate the def file from the symbol export list, so that - # the compiled dll only exports the symbol export list. - # Be careful not to strip the DATA tag left be newer dlltools. - export_symbols_cmds="$ltdll_cmds"' - $DLLTOOL --export-all --exclude-symbols '$dll_exclude_symbols' --output-def $output_objdir/$soname-def '$ltdll_obj'$libobjs $convenience~ - sed -e "1,/EXPORTS/d" -e "s/ @ [0-9]*//" -e "s/ *;.*$//" < $output_objdir/$soname-def > $export_symbols' - - # If DATA tags from a recent dlltool are present, honour them! 
- archive_expsym_cmds='echo EXPORTS > $output_objdir/$soname-def~ - _lt_hint=1; - cat $export_symbols | while read symbol; do - set dummy \$symbol; - case \$# in - 2) echo " \$2 @ \$_lt_hint ; " >> $output_objdir/$soname-def;; - *) echo " \$2 @ \$_lt_hint \$3 ; " >> $output_objdir/$soname-def;; - esac; - _lt_hint=`expr 1 + \$_lt_hint`; - done~ - '"$ltdll_cmds"' - $CC -Wl,--base-file,$output_objdir/$soname-base '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $lib '$ltdll_obj'$libobjs $deplibs $compiler_flags~ - $DLLTOOL --as=$AS --dllname $soname --exclude-symbols '$dll_exclude_symbols' --def $output_objdir/$soname-def --base-file $output_objdir/$soname-base --output-exp $output_objdir/$soname-exp~ - $CC -Wl,--base-file,$output_objdir/$soname-base $output_objdir/$soname-exp '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $lib '$ltdll_obj'$libobjs $deplibs $compiler_flags~ - $DLLTOOL --as=$AS --dllname $soname --exclude-symbols '$dll_exclude_symbols' --def $output_objdir/$soname-def --base-file $output_objdir/$soname-base --output-exp $output_objdir/$soname-exp~ - $CC $output_objdir/$soname-exp '$lt_cv_cc_dll_switch' -Wl,-e,'$dll_entry' -o $lib '$ltdll_obj'$libobjs $deplibs $compiler_flags' - ;; - - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' - wlarc= - else - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - fi - ;; - - solaris* | sysv5*) - if $LD -v 2>&1 | egrep 'BFD 2\.8' > /dev/null; then - ld_shlibs=no - cat <&2 - -*** Warning: The releases 2.8.* of the GNU linker cannot reliably -*** create shared libraries on Solaris systems. Therefore, libtool -*** is disabling shared libraries support. We urge you to upgrade GNU -*** binutils to release 2.9.1 or newer. 
Another option is to modify -*** your PATH or compiler configuration so that the native linker is -*** used, and then restart. - -EOF - elif $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then - archive_cmds='$CC -shared $libobjs $deplibs $linker_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $linker_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs=no - fi - ;; - - sunos4*) - archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' - wlarc= - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - *) - if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' - else - ld_shlibs=no - fi - ;; - esac - - if test "$ld_shlibs" = yes; then - runpath_var=LD_RUN_PATH - hardcode_libdir_flag_spec="$wlarc"'--rpath '"$wlarc"'$libdir' - export_dynamic_flag_spec="$wlarc"'--export-dynamic' - case $host_os in - cygwin* | mingw*) - # dlltool doesn't understand --whole-archive et. al. - whole_archive_flag_spec= - ;; - *) - # ancient GNU ld didn't support --whole-archive et. al. 
- if $LD --help 2>&1 | egrep 'no-whole-archive' > /dev/null; then - whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' - else - whole_archive_flag_spec= - fi - ;; - esac - fi -else - # PORTME fill in a description of your system's linker (not GNU ld) - case "$host_os" in - aix3*) - allow_undefined_flag=unsupported - always_export_symbols=yes - archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' - # Note: this linker hardcodes the directories in LIBPATH if there - # are no directories specified by -L. - hardcode_minus_L=yes - if test "$with_gcc" = yes && test -z "$link_static_flag"; then - # Neither direct hardcoding nor static linking is supported with a - # broken collect2. - hardcode_direct=unsupported - fi - ;; - - aix4*) - hardcode_libdir_flag_spec='${wl}-b ${wl}nolibpath ${wl}-b ${wl}libpath:$libdir:/usr/lib:/lib' - hardcode_libdir_separator=':' - if test "$with_gcc" = yes; then - collect2name=`${CC} -print-prog-name=collect2` - if test -f "$collect2name" && \ - strings "$collect2name" | grep resolve_lib_name >/dev/null - then - # We have reworked collect2 - hardcode_direct=yes - else - # We have old collect2 - hardcode_direct=unsupported - # It fails to find uninstalled libraries when the uninstalled - # path is not listed in the libpath. 
Setting hardcode_minus_L - # to unsupported forces relinking - hardcode_minus_L=yes - hardcode_libdir_flag_spec='-L$libdir' - hardcode_libdir_separator= - fi - shared_flag='-shared' - else - shared_flag='${wl}-bM:SRE' - hardcode_direct=yes - fi - allow_undefined_flag=' ${wl}-berok' - archive_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bexpall ${wl}-bnoentry${allow_undefined_flag}' - archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}' - case "$host_os" in aix4.[01]|aix4.[01].*) - # According to Greg Wooledge, -bexpall is only supported from AIX 4.2 on - always_export_symbols=yes ;; - esac - ;; - - amigaos*) - archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - # see comment about different semantics on the GNU ld section - ld_shlibs=no - ;; - - cygwin* | mingw*) - # When not using gcc, we currently assume that we are using - # Microsoft Visual C++. - # hardcode_libdir_flag_spec is actually meaningless, as there is - # no search path for DLLs. - hardcode_libdir_flag_spec=' ' - allow_undefined_flag=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib - # FIXME: Setting linknames here is a bad hack. - archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | sed -e '\''s/ -lc$//'\''` -link -dll~linknames=' - # The linker will automatically build a .lib file if we build a DLL. - old_archive_from_new_cmds='true' - # FIXME: Should let the user specify the lib program. 
- old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs' - fix_srcfile_path='`cygpath -w $srcfile`' - ;; - - freebsd1*) - ld_shlibs=no - ;; - - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor - # support. Future versions do this automatically, but an explicit c++rt0.o - # does not break anything, and helps significantly (at the cost of a little - # extra space). - freebsd2.2*) - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - hardcode_direct=yes - hardcode_minus_L=yes - hardcode_shlibpath_var=no - ;; - - # FreeBSD 3 and greater uses gcc -shared to do shared libraries. - freebsd*) - archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - hpux9* | hpux10* | hpux11*) - case "$host_os" in - hpux9*) archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' ;; - *) archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' ;; - esac - hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_separator=: - hardcode_direct=yes - hardcode_minus_L=yes # Not in the search PATH, but as the default - # location of the library. 
- export_dynamic_flag_spec='${wl}-E' - ;; - - irix5* | irix6*) - if test "$with_gcc" = yes; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - link_all_deplibs=yes - ;; - - netbsd*) - if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out - else - archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF - fi - hardcode_libdir_flag_spec='${wl}-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - openbsd*) - archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' - hardcode_libdir_flag_spec='-R$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - os2*) - hardcode_libdir_flag_spec='-L$libdir' - hardcode_minus_L=yes - allow_undefined_flag=unsupported - archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' - old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' - ;; - - osf3*) - if test "$with_gcc" = yes; then - allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname 
${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - allow_undefined_flag=' -expect_unresolved \*' - archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - ;; - - osf4* | osf5*) # as osf3* with the addition of -msym flag - if test "$with_gcc" = yes; then - allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' - else - allow_undefined_flag=' -expect_unresolved \*' - archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib' - fi - hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' - hardcode_libdir_separator=: - ;; - rhapsody*) - archive_cmds='$CC -bundle -undefined suppress -o $lib $libobjs $deplibs $linkopts' - hardcode_libdir_flags_spec='-L$libdir' - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; - - sco3.2v5*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var=no - runpath_var=LD_RUN_PATH - hardcode_runpath_var=yes - ;; - - solaris*) - no_undefined_flag=' -z text' - # $CC -shared without GNU ld will not create a library from C++ - # object files and a static libstdc++, better avoid it by now - archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' - archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | sed 
-e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - hardcode_libdir_flag_spec='-R$libdir' - hardcode_shlibpath_var=no - case "$host_os" in - solaris2.[0-5] | solaris2.[0-5].*) ;; - *) # Supported since Solaris 2.6 (maybe 2.5.1?) - whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;; - esac - link_all_deplibs=yes - ;; - - sunos4*) - if test "x$host_vendor" = xsequent; then - # Use $CC to link under sequent, because it throws in some extra .o - # files that make .init and .fini sections work. - archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $linkopts' - else - archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' - fi - hardcode_libdir_flag_spec='-L$libdir' - hardcode_direct=yes - hardcode_minus_L=yes - hardcode_shlibpath_var=no - ;; - - sysv4) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - runpath_var='LD_RUN_PATH' - hardcode_shlibpath_var=no - hardcode_direct=no #Motorola manual says yes, but my tests say they lie - ;; - - sysv4.3*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' - hardcode_shlibpath_var=no - export_dynamic_flag_spec='-Bexport' - ;; - - sysv5*) - no_undefined_flag=' -z text' - # $CC -shared without GNU ld will not create a library from C++ - # object files and a static libstdc++, better avoid it by now - archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' - archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~ - $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp' - hardcode_libdir_flag_spec= - hardcode_shlibpath_var=no - runpath_var='LD_RUN_PATH' - ;; - - uts4*) - archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs 
$linker_flags'
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_shlibpath_var=no
- ;;
-
- dgux*)
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_shlibpath_var=no
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec; then
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var=no
- runpath_var=LD_RUN_PATH
- hardcode_runpath_var=yes
- ld_shlibs=yes
- fi
- ;;
-
- sysv4.2uw2*)
- archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct=yes
- hardcode_minus_L=no
- hardcode_shlibpath_var=no
- hardcode_runpath_var=yes
- runpath_var=LD_RUN_PATH
- ;;
-
- unixware7*)
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- runpath_var='LD_RUN_PATH'
- hardcode_shlibpath_var=no
- ;;
-
- *)
- ld_shlibs=no
- ;;
- esac
-fi
echo "$ac_t$ld_shlibs" 1>&6
test "$ld_shlibs" = no && can_build_shared=no
@@ -1482,6 +954,10 @@ else
echo "${ac_t}no" 1>&6
fi
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
reload_cmds='$LD$reload_flag -o $output$reload_objs'
test -z "$deplibs_check_method" && deplibs_check_method=unknown
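Review bot: The surviving `echo "$ac_t$ld_shlibs" 1>&6` and `test "$ld_shlibs" = no && can_build_shared=no` now rely on `ld_shlibs` (and the `archive_cmds`/`hardcode_*` defaults the removed block initialised) being set before this point, because the hunk deletes every assignment to them and nothing on the visible new side sets `ld_shlibs`. Presumably these values are now computed by the caller (the `libtool.m4` mentioned elsewhere in this file) and handed in through the environment; if so, a comment at the `echo` naming that contract would help, e.g. `# ld_shlibs, archive_cmds and the hardcode_* settings are supplied by the caller; nothing below computes them`. If they are not supplied, `$ld_shlibs` is empty here and shared-library support is never disabled. The added `fi` closes an `if` whose opening line is outside the hunk.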
@@ -1501,25 +977,63 @@ sys_lib_dlsearch_path_spec="/lib /usr/lib"
sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
echo $ac_n "checking dynamic linker characteristics... $ac_c" 1>&6
-case "$host_os" in
+case $host_os in
aix3*)
version_type=linux
library_names_spec='${libname}${release}.so$versuffix $libname.a'
shlibpath_var=LIBPATH
- # AIX has no versioning support, so we append a major version to the name.
+ # AIX 3 has no versioning support, so we append a major version to the name.
soname_spec='${libname}${release}.so$major'
;;
-aix4*)
- version_type=linux
- # AIX has no versioning support, so currently we can not hardcode correct
- # soname into executable. Probably we can add versioning support to
- # collect2, so additional links can be useful in future.
- # We preserve .a as extension for shared libraries though AIX4.2
- # and later linker supports .so
- library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.a'
- shlibpath_var=LIBPATH
+aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ # We preserve .a as extension for shared libraries though AIX4.2
+ # and later linker supports .so
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib.so instead of
+ # lib.a to let people know that these are not typical AIX shared libraries.
+ library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so'
+ else
+ # We preserve .a as extension for shared libraries though AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}.so$major.o'
+ fi
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | egrep '(GNU)' > /dev/null; then
+ export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ else
+ export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ fi
+ shlibpath_var=LIBPATH
+ deplibs_check_method=pass_all
+ case $host_os in
+ aix4 | aix4.[01] | aix4.[01].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ fi
;;
amigaos*)
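Review bot: `$aix_use_runtimelinking` is tested in the new `aix4* | aix5*` arm but is not assigned anywhere in this hunk, so unless it is set earlier in the file or inherited from the environment the comparison is always false and the `.a`-named library scheme is chosen silently; a comment at that `if` naming where the value comes from would make the dependency visible, e.g. `# aix_use_runtimelinking is set by the caller; unset or empty means no run-time linking`. The two `export_symbols_cmds` assignments differ only in the `-C` flag passed to `$NM`; storing the shared awk program in one variable and building both commands from it would halve the duplicated 150-character lines and keep the symbol filter in a single place.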
@@ -1552,15 +1066,32 @@ bsdi4*)
# libtool to hard-code these into programs
;;
-cygwin* | mingw*)
+cygwin* | mingw* | pw32*)
version_type=windows
need_version=no
need_lib_prefix=no
- if test "$with_gcc" = yes; then
+ case $with_gcc,$host_os in
+ yes,cygwin*)
+ library_names_spec='$libname.dll.a'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | [sed -e 's/[.]/-/g']`${versuffix}.dll'
+ postinstall_cmds='dlpath=`bash 2>&1 -c '\''. $dir/${file}i; echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog .libs/$dlname \$dldir/$dlname'
+ postuninstall_cmds='dldll=`bash 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll; $rm \$dlpath'
+ ;;
+ yes,mingw*)
library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll'
- else
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | sed -e "s/^libraries://" -e "s/;/ /g"`
+ ;;
+ yes,pw32*)
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll'
+;;
+ *)
library_names_spec='${libname}`echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll $libname.lib'
- fi
+ ;;
+ esac
dynamic_linker='Win32 ld.exe'
# FIXME: first we should search . and the directory the executable is in
shlibpath_var=PATH
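Review bot: The new cygwin `soname_spec` contains `[sed -e 's/[.]/-/g']` with literal square brackets, unlike the otherwise identical `sed -e 's/[.]/-/g'` on the `yes,mingw*` and `yes,pw32*` lines; this file is a plain shell script, so when the spec is later expanded the shell looks for a command named `[sed`, prints a not-found error and leaves the release component of the soname empty. Unless the file is actually passed through m4 before use, the line should read `soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | sed -e 's/[.]/-/g'`${versuffix}.dll'`. The `;;` closing the `yes,pw32*` arm also appears flush left while the other arms' `;;` are indented, as far as the collapsed layout lets one tell.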
@@ -1568,34 +1099,43 @@ cygwin* | mingw*) lt_cv_dlopen_libs= ;; +darwin* | rhapsody*) + dynamic_linker="$host_os dyld" + version_type=darwin + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${versuffix}.`test .$module = .yes && echo so || echo dylib` ${libname}${release}${major}.`test .$module = .yes && echo so || echo dylib` ${libname}.`test .$module = .yes && echo so || echo dylib`' + soname_spec='${libname}${release}${major}.`test .$module = .yes && echo so || echo dylib`' + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + ;; + freebsd1*) dynamic_linker=no ;; freebsd*) objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout` - version_type=freebsd-$objformat - case "$version_type" in - freebsd-elf*) - library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so $libname.so' + version_type=sunos + case $objformat in + elf*) + library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' + soname_spec='${libname}${release}.so$major' need_version=no + need_lc=no need_lib_prefix=no ;; - freebsd-*) - library_names_spec='${libname}${release}.so$versuffix $libname.so$versuffix' + *) + library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' need_version=yes ;; esac shlibpath_var=LD_LIBRARY_PATH - case "$host_os" in + case $host_os in freebsd2*) shlibpath_overrides_runpath=yes ;; - freebsd3.[01]* | freebsdelf3.[01]*) - shlibpath_overrides_runpath=yes - hardcode_into_libs=yes - ;; - *) # from 3.2 on + *) shlibpath_overrides_runpath=no hardcode_into_libs=yes ;; 
@@ -1628,17 +1168,17 @@ hpux9* | hpux10* | hpux11*) ;; irix5* | irix6*) - version_type=irix + version_type=sunos need_lib_prefix=no need_version=no - soname_spec='${libname}${release}.so.$major' - library_names_spec='${libname}${release}.so.$versuffix ${libname}${release}.so.$major ${libname}${release}.so $libname.so' - case "$host_os" in + soname_spec='${libname}${release}.so$major' + library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major ${libname}${release}.so $libname.so' + case $host_os in irix5*) libsuff= shlibsuff= ;; *) - case "$LD" in # libtool.m4 will add one of these switches to LD + case $LD in # libtool.m4 will add one of these switches to LD *-32|*"-32 ") libsuff= shlibsuff= libmagic=32-bit;; *-n32|*"-n32 ") libsuff=32 shlibsuff=N32 libmagic=N32;; *-64|*"-64 ") libsuff=64 shlibsuff=64 libmagic=64-bit;; @@ -1659,7 +1199,7 @@ linux-gnuoldld* | linux-gnuaout* | linux-gnucoff*) # This must be Linux ELF. linux-gnu*) - version_type=linux + version_type=sunos need_lib_prefix=no need_version=no library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' @@ -1682,6 +1222,8 @@ linux-gnu*) ;; netbsd*) + need_lib_prefix=no + need_version=no version_type=sunos if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then library_names_spec='${libname}${release}.so$versuffix ${libname}.so$versuffix' @@ -1693,6 +1235,17 @@ netbsd*) dynamic_linker='NetBSD ld.elf_so' fi shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + sys_lib_dlsearch_path_spec="/usr/lib" + sys_lib_search_path_spec="/usr/lib" + ;; + +newsos6) + version_type=linux + library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes ;; openbsd*) 
@@ -1724,14 +1277,6 @@ osf3* | osf4* | osf5*) sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" ;; -rhapsody*) - version_type=sunos - library_names_spec='${libname}.so' - soname_spec='${libname}.so' - shlibpath_var=DYLD_LIBRARY_PATH - deplibs_check_method=pass_all - ;; - sco3.2v5*) version_type=osf soname_spec='${libname}${release}.so$major' @@ -1740,7 +1285,7 @@ sco3.2v5*) ;; solaris*) - version_type=linux + version_type=sunos need_lib_prefix=no need_version=no library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' @@ -1769,11 +1314,7 @@ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) library_names_spec='${libname}${release}.so$versuffix ${libname}${release}.so$major $libname.so' soname_spec='${libname}${release}.so$major' shlibpath_var=LD_LIBRARY_PATH - case "$host_vendor" in - sequent) - file_magic_cmd='/bin/file' - deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' - ;; + case $host_vendor in motorola) need_lib_prefix=no need_version=no @@ -1834,15 +1375,15 @@ symxfrm='\1 \2\3 \3' global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern char \1;/p'" # Define system-specific variables. -case "$host_os" in +case $host_os in aix*) symcode='[BCDT]' ;; -cygwin* | mingw*) +cygwin* | mingw* | pw32*) symcode='[ABCDGISTW]' ;; hpux*) # Its linker distinguishes data from code symbols - global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern char \1();/p' -e 's/^. .* \(.*\)$/extern char \1;/p'" + global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern char \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" ;; irix*) symcode='[BCDEGRST]' @@ -1855,9 +1396,9 @@ sysv4) ;; esac -# Handle CRLF in mingw too chain +# Handle CRLF in mingw tool chain opt_cr= -case "$host_os" in +case $host_os in mingw*) opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp ;; 
@@ -1872,12 +1413,12 @@ fi for ac_symprfx in "" "_"; do # Write the raw and C identifiers. -global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode\)[ ][ ]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'" + global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'" # Check to see that the pipe works correctly. pipe_works=no $rm conftest* - cat > conftest.c < conftest.$ac_ext <&5 - if { (eval echo $progname:1893: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; } && test -s conftest.$objext; then + echo "$progname:1433: checking if global_symbol_pipe works" >&5 + if { (eval echo $progname:1434: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; } && test -s conftest.$objext; then # Now try to grab the symbols. nlist=conftest.nm - if { echo "$progname:1896: eval \"$NM conftest.$objext | $global_symbol_pipe > $nlist\"" >&5; eval "$NM conftest.$objext | $global_symbol_pipe > $nlist 2>&5"; } && test -s "$nlist"; then + if { echo "$progname:1437: eval \"$NM conftest.$objext | $global_symbol_pipe > $nlist\"" >&5; eval "$NM conftest.$objext | $global_symbol_pipe > $nlist 2>&5"; } && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then @@ -1905,16 +1446,16 @@ EOF # Make sure that we snagged all the symbols we need. if egrep ' nm_test_var$' "$nlist" >/dev/null; then if egrep ' nm_test_func$' "$nlist" >/dev/null; then - cat < conftest.c + cat < conftest.$ac_ext #ifdef __cplusplus extern "C" { #endif EOF # Now generate the symbol file. - eval "$global_symbol_to_cdecl"' < "$nlist" >> conftest.c' + eval "$global_symbol_to_cdecl"' < "$nlist" >> conftest.$ac_ext' - cat <> conftest.c + cat <> conftest.$ac_ext #if defined (__STDC__) && __STDC__ # define lt_ptr_t void * #else 
@@ -1930,8 +1471,8 @@ const struct { lt_preloaded_symbols[] = { EOF - sed 's/^. \(.*\) \(.*\)$/ {"\2", (lt_ptr_t) \&\2},/' < "$nlist" >> conftest.c - cat <<\EOF >> conftest.c + sed "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" >> conftest.$ac_ext + cat <<\EOF >> conftest.$ac_ext {0, (lt_ptr_t) 0} }; @@ -1945,11 +1486,11 @@ EOF save_CFLAGS="$CFLAGS" LIBS="conftstm.$objext" CFLAGS="$CFLAGS$no_builtin_flag" - if { (eval echo $progname:1948: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then + if { (eval echo $progname:1489: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then pipe_works=yes else echo "$progname: failed program was:" >&5 - cat conftest.c >&5 + cat conftest.$ac_ext >&5 fi LIBS="$save_LIBS" else @@ -1963,7 +1504,7 @@ EOF fi else echo "$progname: failed program was:" >&5 - cat conftest.c >&5 + cat conftest.$ac_ext >&5 fi $rm conftest* conftst* @@ -1989,8 +1530,8 @@ echo "checking if libtool supports shared libraries... $can_build_shared" 1>&6 # Only try to build win32 dlls if AC_LIBTOOL_WIN32_DLL was used in # configure.in, otherwise build static only libraries. -case "$host_os" in -cygwin* | mingw* | os2*) +case $host_os in +cygwin* | mingw* | pw32* | os2*) if test x$can_build_shared = xyes; then test x$enable_win32_dll = xno && can_build_shared=no echo "checking if package supports dlls... $can_build_shared" 1>&6 @@ -2003,7 +1544,7 @@ test "$can_build_shared" = "no" && enable_shared=no # On AIX, shared libraries and static libraries use the same namespace, and # are all built from PIC. -case "$host_os" in +case $host_os in aix3*) test "$enable_shared" = yes && enable_static=no if test -n "$RANLIB"; then 
@@ -2024,7 +1565,7 @@ test "$enable_shared" = yes || enable_static=yes echo "checking whether to build static libraries... $enable_static" 1>&6 -if test "$hardcode_action" = relink || test "$hardcode_into_libs" = all; then +if test "$hardcode_action" = relink; then # Fast installation is not supported enable_fast_install=no elif test "$shlibpath_overrides_runpath" = yes || @@ -2049,14 +1590,14 @@ else if test "X${lt_cv_dlopen+set}" != Xset; then lt_cv_dlopen=no lt_cv_dlopen_libs= echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 -echo "$progname:2052: checking for dlopen in -ldl" >&5 +echo "$progname:1593: checking for dlopen in -ldl" >&5 if test "X${ac_cv_lib_dl_dlopen+set}" = Xset; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" LIBS="-ldl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo $progname:1613: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_lib_dl_dlopen=yes else @@ -2088,12 +1629,12 @@ if test "X$ac_cv_lib_dl_dlopen" = Xyes; then else echo "$ac_t""no" 1>&6 echo $ac_n "checking for dlopen""... $ac_c" 1>&6 -echo "$progname:2091: checking for dlopen" >&5 +echo "$progname:1632: checking for dlopen" >&5 if test "X${ac_cv_func_dlopen+set}" = Xset; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -2118,7 +1659,7 @@ dlopen(); ; return 0; } EOF -if { (eval echo $progname:2121: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo $progname:1662: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_func_dlopen=yes else 
@@ -2134,15 +1675,54 @@ if test "X$ac_cv_func_dlopen" = Xyes; then lt_cv_dlopen="dlopen" else echo "$ac_t""no" 1>&6 +echo $ac_n "checking for dlopen in -lsvld""... $ac_c" 1>&6 +echo "$progname:1679: checking for dlopen in -lsvld" >&5 +if test "X${ac_cv_lib_svld_dlopen+set}" = Xset; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lsvld $LIBS" +cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + ac_cv_lib_svld_dlopen=yes +else + echo "$progname: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_lib_svld_dlopen=no +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if test "X$ac_cv_lib_svld_dlopen" = Xyes; then + echo "$ac_t""yes" 1>&6 + lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld" +else + echo "$ac_t""no" 1>&6 echo $ac_n "checking for dld_link in -ldld""... $ac_c" 1>&6 -echo "$progname:2138: checking for dld_link in -ldld" >&5 +echo "$progname:1718: checking for dld_link in -ldld" >&5 if test "X${ac_cv_lib_dld_dld_link+set}" = Xset; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" LIBS="-ldld $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo $progname:1738: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_lib_dld_dld_link=yes else @@ -2174,12 +1754,12 @@ if test "X$ac_cv_lib_dld_dld_link" = Xyes; then else echo "$ac_t""no" 1>&6 echo $ac_n "checking for shl_load""... $ac_c" 1>&6 -echo "$progname:2177: checking for shl_load" >&5 +echo "$progname:1757: checking for shl_load" >&5 if test "X${ac_cv_func_shl_load+set}" = Xset; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -2204,7 +1784,7 @@ shl_load(); ; return 0; } EOF -if { (eval echo $progname:2207: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo $progname:1787: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_func_shl_load=yes else @@ -2222,14 +1802,14 @@ if test "X$ac_cv_func_shl_load" = Xyes; then else echo "$ac_t""no" 1>&6 echo $ac_n "checking for shl_load in -ldld""... $ac_c" 1>&6 -echo "$progname:2225: checking for shl_load in -ldld" >&5 +echo "$progname:1805: checking for shl_load in -ldld" >&5 if test "X${ac_cv_lib_dld_shl_load+set}" = Xset; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" LIBS="-ldld $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo $progname:1826: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_lib_dld_shl_load=yes else @@ -2277,27 +1857,31 @@ fi fi +fi + if test "x$lt_cv_dlopen" != xno; then enable_dlopen=yes + else + enable_dlopen=no fi - case "$lt_cv_dlopen" in + case $lt_cv_dlopen in dlopen) for ac_hdr in dlfcn.h; do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "$progname:2289: checking for $ac_hdr" >&5 +echo "$progname:1873: checking for $ac_hdr" >&5 if eval "test \"`echo 'X$''{'ac_cv_header_$ac_safe'+set}'`\" = Xset"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int fnord = 0; -int main () { return (0); } +int main () { return(0); } EOF ac_try="$ac_compile >/dev/null 2>conftest.out" -{ (eval echo $progname:2300: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo $progname:1884: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* 
@@ -2325,15 +1909,15 @@ done LIBS="$lt_cv_dlopen_libs $LIBS" echo $ac_n "checking whether a program can dlopen itself""... $ac_c" 1>&6 -echo "$progname:2328: checking whether a program can dlopen itself" >&5 +echo "$progname:1912: checking whether a program can dlopen itself" >&5 if test "X${lt_cv_dlopen_self+set}" = Xset; then echo $ac_n "(cached) $ac_c" 1>&6 else if test "$cross_compiling" = yes; then lt_cv_dlopen_self=cross else - cat > conftest.c < conftest.$ac_ext < @@ -2373,13 +1957,14 @@ else # endif #endif -fnord() { int i=42;} -main() { void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW); +void fnord() { int i=42; } +int main() { + void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW); if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord"); - if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); } + if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); } EOF -if { (eval echo $progname:2382: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null +if { (eval echo $progname:1967: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null then lt_cv_dlopen_self=yes else @@ -2398,15 +1983,15 @@ echo "$ac_t""$lt_cv_dlopen_self" 1>&6 if test "$lt_cv_dlopen_self" = yes; then LDFLAGS="$LDFLAGS $link_static_flag" echo $ac_n "checking whether a statically linked program can dlopen itself""... $ac_c" 1>&6 -echo "$progname:2401: checking whether a statically linked program can dlopen itself" >&5 +echo "$progname:1986: checking whether a statically linked program can dlopen itself" >&5 if test "X${lt_cv_dlopen_self_static+set}" = Xset; then echo $ac_n "(cached) $ac_c" 1>&6 else if test "$cross_compiling" = yes; then lt_cv_dlopen_self_static=cross else - cat > conftest.c < conftest.$ac_ext < 
@@ -2446,13 +2031,14 @@ else # endif #endif -fnord() { int i=42;} -main() { void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW); +void fnord() { int i=42; } +int main() { + void *self, *ptr1, *ptr2; self=dlopen(0,LTDL_GLOBAL|LTDL_LAZY_OR_NOW); if(self) { ptr1=dlsym(self,"fnord"); ptr2=dlsym(self,"_fnord"); if(ptr1 || ptr2) { dlclose(self); exit(0); } } exit(1); } EOF -if { (eval echo $progname:2455: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null +if { (eval echo $progname:2041: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null then lt_cv_dlopen_self_static=yes else @@ -2471,12 +2057,12 @@ fi ;; esac - case "$lt_cv_dlopen_self" in + case $lt_cv_dlopen_self in yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; *) enable_dlopen_self=unknown ;; esac - case "$lt_cv_dlopen_self_static" in + case $lt_cv_dlopen_self_static in yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; *) enable_dlopen_self_static=unknown ;; esac @@ -2493,16 +2079,16 @@ LTSHELL="$SHELL" LTCONFIG_VERSION="$VERSION" # Only quote variables if we're using ltmain.sh. -case "$ltmain" in +case $ltmain in *.sh) # Now quote all the things that may contain metacharacters. - for var in ltecho old_AR old_ARFLAGS old_CC old_CFLAGS old_CPPFLAGS \ - old_MAGIC old_LD old_LDFLAGS old_LIBS \ + for var in ltecho old_AR old_AR_FLAGS old_CC old_LTCC old_CFLAGS old_CPPFLAGS \ + old_MAGIC_CMD old_LD old_LDFLAGS old_LIBS \ old_LN_S old_NM old_RANLIB old_STRIP \ old_AS old_DLLTOOL old_OBJDUMP \ old_OBJEXT old_EXEEXT old_reload_flag \ old_deplibs_check_method old_file_magic_cmd \ - AR AR_FLAGS CC LD LN_S NM LTSHELL LTCONFIG_VERSION \ + AR AR_FLAGS CC LTCC LD LN_S NM LTSHELL LTCONFIG_VERSION \ reload_flag reload_cmds wl \ pic_flag link_static_flag no_builtin_flag export_dynamic_flag_spec \ thread_safe_flag_spec whole_archive_flag_spec libname_spec \ 
@@ -2510,14 +2096,15 @@ case "$ltmain" in RANLIB old_archive_cmds old_archive_from_new_cmds old_postinstall_cmds \ old_postuninstall_cmds archive_cmds archive_expsym_cmds postinstall_cmds \ postuninstall_cmds extract_expsyms_cmds old_archive_from_expsyms_cmds \ + predep_objects postdep_objects predeps postdeps compiler_lib_search_path \ old_striplib striplib file_magic_cmd export_symbols_cmds \ deplibs_check_method allow_undefined_flag no_undefined_flag \ finish_cmds finish_eval global_symbol_pipe global_symbol_to_cdecl \ hardcode_libdir_flag_spec hardcode_libdir_separator \ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \ - compiler_c_o compiler_o_lo need_locks exclude_expsyms include_expsyms; do + compiler_c_o need_locks exclude_expsyms include_expsyms; do - case "$var" in + case $var in reload_cmds | old_archive_cmds | old_archive_from_new_cmds | \ old_postinstall_cmds | old_postuninstall_cmds | \ export_symbols_cmds | archive_cmds | archive_expsym_cmds | \ @@ -2533,16 +2120,17 @@ case "$ltmain" in esac done - case "$ltecho" in + case $ltecho in *'\$0 --fallback-echo"') ltecho=`$echo "X$ltecho" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'` ;; esac - trap "$rm \"$ofile\"; exit 1" 1 2 15 - echo "creating $ofile" - $rm "$ofile" - cat < "$ofile" + if test -z "$tagname"; then + trap "$rm \"$ofile\"; exit 1" 1 2 15 + echo "creating $ofile" + $rm "$ofile" + cat < "$ofile" #! $SHELL # `$echo "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services. 
@@ -2578,15 +2166,22 @@ Xsed="sed -e s/^X//" # if CDPATH is set. if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi +# The names of the tagged configurations supported by this script. +available_tags= + ### BEGIN LIBTOOL CONFIG EOF + else + echo "appending configuration tag \"$tagname\" to $ofile" + echo "### BEGIN LIBTOOL TAG CONFIG: $tagname" >> "$ofile" + fi cfgfile="$ofile" ;; *) # Double-quote the variables that need it (for aesthetics). - for var in old_AR old_AR_FLAGS old_CC old_CFLAGS old_CPPFLAGS \ - old_MAGIC old_LD old_LDFLAGS old_LIBS \ + for var in old_AR old_AR_FLAGS old_CC old_LTCC old_CFLAGS old_CPPFLAGS \ + old_MAGIC_CMD old_LD old_LDFLAGS old_LIBS \ old_LN_S old_NM old_RANLIB old_STRIP \ old_AS old_DLLTOOL old_OBJDUMP \ old_OBJEXT old_EXEEXT old_reload_flag \ 
@@ -2596,29 +2191,39 @@ EOF # Just create a config file. cfgfile="$ofile.cfg" - trap "$rm \"$cfgfile\"; exit 1" 1 2 15 - echo "creating $cfgfile" - $rm "$cfgfile" - cat < "$cfgfile" + if test -z "$tagname"; then + trap "$rm \"$cfgfile\"; exit 1" 1 2 15 + echo "creating $cfgfile" + $rm "$cfgfile" + cat < "$cfgfile" # `$echo "$cfgfile" | sed 's%^.*/%%'` - Libtool configuration file. # Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP) + +### BEGIN LIBTOOL CONFIG EOF + else + echo "appending to $cfgfile" + echo "### BEGIN LIBTOOL TAG CONFIG: $tagname" >> "$ofile" + fi ;; esac cat <> "$cfgfile" # Libtool was configured as follows, on host `(hostname || uname -n) 2>/dev/null | sed 1q`: # -# AR=$old_AR AR_FLAGS=$old_AR_FLAGS CC=$old_CC CFLAGS=$old_CFLAGS \\ -# CPPFLAGS=$old_CPPFLAGS MAGIC=$old_MAGIC LD=$old_LD LDFLAGS=$old_LDFLAGS \\ -# LIBS=$old_LIBS LN_S=$old_LN_S NM=$old_NM RANLIB=$old_RANLIB \\ -# STRIP=$old_STRIP AS=$old_AS DLLTOOL=$old_DLLTOOL OBJDUMP=$old_OBJDUMP \\ +# AR=$old_AR AR_FLAGS=$old_AR_FLAGS LTCC=$old_LTCC CC=$old_CC \\ +# CFLAGS=$old_CFLAGS CPPFLAGS=$old_CPPFLAGS \\ +# MAGIC_CMD=$old_MAGIC_CMD LD=$old_LD LDFLAGS=$old_LDFLAGS LIBS=$old_LIBS \\ +# LN_S=$old_LN_S NM=$old_NM RANLIB=$old_RANLIB STRIP=$old_STRIP \\ +# AS=$old_AS DLLTOOL=$old_DLLTOOL OBJDUMP=$old_OBJDUMP \\ # objext=$old_OBJEXT exeext=$old_EXEEXT reload_flag=$old_reload_flag \\ -# deplibs_check_method=$old_deplibs_check_method file_magic_cmd=$old_file_magic_cmd \\ +# deplibs_check_method=$old_deplibs_check_method \\ +# file_magic_cmd=$old_file_magic_cmd \\ # $0$ltconfig_args # # Compiler and other test output produced by $progname, useful for # debugging $progname, is in ./config.log if it exists. + # The version of $progname that generated this script. LTCONFIG_VERSION=$LTCONFIG_VERSION 
@@ -2628,6 +2233,9 @@ SHELL=$LTSHELL # Whether or not to build shared libraries. build_libtool_libs=$enable_shared +# Whether or not to add -lc for building shared libraries. +build_libtool_need_lc=$need_lc + # Whether or not to build static libraries. build_old_libs=$enable_static @@ -2645,9 +2253,15 @@ echo=$ltecho AR=$AR AR_FLAGS=$AR_FLAGS -# The default C compiler. +# A C compiler. +LTCC=$LTCC + +# A language-specific compiler. CC=$CC +# Is the compiler the GNU C compiler? +with_gcc=$with_gcc + # The linker used to build libraries. LD=$LD @@ -2661,7 +2275,7 @@ NM=$NM STRIP=$STRIP # Used to examine libraries when file_magic_cmd begins "file" -MAGIC=$MAGIC +MAGIC_CMD=$MAGIC_CMD # Used on cygwin: DLL creation program. DLLTOOL="$DLLTOOL" @@ -2695,12 +2309,12 @@ exeext="$exeext" pic_flag=$pic_flag pic_mode=$pic_mode +# What is the maximum length of a command? +max_cmd_len=$max_cmd_len + # Does compiler simultaneously support -c and -o options? compiler_c_o=$compiler_c_o -# Can we write directly to a .lo ? -compiler_o_lo=$compiler_o_lo - # Must we lock files when doing compilation ? need_locks=$need_locks @@ -2769,6 +2383,26 @@ postuninstall_cmds=$postuninstall_cmds old_striplib=$old_striplib striplib=$striplib +# Dependencies to place before the objects being linked to create a +# shared library. +predep_objects=$predep_objects + +# Dependencies to place after the objects being linked to create a +# shared library. +postdep_objects=$postdep_objects + +# Dependencies to place before the objects being linked to create a +# shared library. +predeps=$predeps + +# Dependencies to place after the objects being linked to create a +# shared library. +postdeps=$postdeps + +# The library search path used internally by the compiler when linking +# a shared library. +compiler_lib_search_path=$compiler_lib_search_path + # Method to check whether dependent libraries are shared objects. deplibs_check_method=$deplibs_check_method 
@@ -2860,13 +2494,19 @@ include_expsyms=$include_expsyms EOF -case "$ltmain" in -*.sh) +if test -z "$tagname"; then echo '### END LIBTOOL CONFIG' >> "$ofile" +else + echo "### END LIBTOOL TAG CONFIG: $tagname" >> "$ofile" +fi + +case $ltmain in +*.sh) echo >> "$ofile" - case "$host_os" in - aix3*) - cat <<\EOF >> "$ofile" + if test -z "$tagname"; then + case $host_os in + aix3*) + cat <<\EOF >> "$ofile" # AIX sometimes has problems with the GCC collect2 program. For some # reason, if we set the COLLECT_NAMES environment variable, the problems @@ -2876,11 +2516,11 @@ if test "X${COLLECT_NAMES+set}" != Xset; then export COLLECT_NAMES fi EOF - ;; - esac - case "$host" in - *-*-cygwin* | *-*-mingw* | *-*-os2*) - cat <<'EOF' >> "$ofile" + ;; + esac + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*) + cat <<'EOF' >> "$ofile" # This is a source program that is used to create dlls on Windows # Don't remove nor modify the starting and closing comments # /* ltdll.c starts here */ @@ -2994,7 +2634,7 @@ EOF # filename = argv[1]; # # dll = open(filename, O_RDONLY|O_BINARY); -# if (!dll) +# if (dll < 1) # return 1; # # dll_name = filename; @@ -3059,14 +2699,15 @@ EOF esac - # Append the ltmain.sh script. - sed '$q' "$ltmain" >> "$ofile" || (rm -f "$ofile"; exit 1) - # We use sed instead of cat because bash on DJGPP gets confused if - # if finds mixed CR/LF and LF-only lines. Since sed operates in - # text mode, it properly converts lines to CR/LF. This bash problem - # is reportedly fixed, but why not run on old versions too? + # Append the ltmain.sh script. + sed '$q' "$ltmain" >> "$ofile" || (rm -f "$ofile"; exit 1) + # We use sed instead of cat because bash on DJGPP gets confused if + # if finds mixed CR/LF and LF-only lines. Since sed operates in + # text mode, it properly converts lines to CR/LF. This bash problem + # is reportedly fixed, but why not run on old versions too? - chmod +x "$ofile" + chmod +x "$ofile" + fi ;; *) 
@@ -3075,7 +2716,29 @@ EOF ;; esac -test -n "$cache_file" || exit 0 +# Update the list of available tags. +if test -n "$tagname"; then + + # Extract list of available tagged configurations in $ofile. + # Note that this assumes the entire list is on one line. + available_tags=`grep "^available_tags=" $ofile | sed -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'` + + # Append the new tag name to the list of available tags. + available_tags="$available_tags $tagname" + + # Now substitute the updated of available tags. + if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' ${ofile} > ${ofile}.new"; then + mv ${ofile}.new ${ofile} + chmod +x "$ofile" + else + rm -f ${ofile}.new + echo "$progname: unable to update list of available tagged configurations." + exit 1 + fi +fi + +# Don't cache tagged configuration! +test -n "$cache_file" && test -z "$tagname" || exit 0 # AC_CACHE_SAVE trap '' 1 2 15 diff --git a/ltmain.sh b/ltmain.sh index 6e5bf3657..ecc7e6dfe 100644 --- a/ltmain.sh +++ b/ltmain.sh @@ -1,5 +1,5 @@ # ltmain.sh - Provide generalized library-building support services. -# NOTE: Changing this file will not affect anything until you rerun configure. +# NOTE: Changing this file will not affect anything until you rerun ltconfig. # # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001 # Free Software Foundation, Inc. @@ -55,8 +55,8 @@ modename="$progname" # Constants. PROGRAM=ltmain.sh PACKAGE=libtool -VERSION=1.4.2 -TIMESTAMP=" (1.922.2.53 2001/09/11 03:18:52)" +VERSION=1.4a +TIMESTAMP=" (1.641.2.255 2001/05/22 10:39:30)" default_mode= help="Try \`$progname --help' for more information." 
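Review bot: The tag-list update appends `$tagname` to `available_tags` unconditionally, so re-running ltconfig with the same `--tag` leaves duplicate entries in the generated libtool, which the tag-inference loop in ltmain.sh would presumably evaluate twice. A membership test before the append avoids that: `case " $available_tags " in *" $tagname "*) ;; *) available_tags="$available_tags $tagname" ;; esac`. The grep, sed and mv on the same lines use `$ofile` and `${ofile}.new` unquoted while the neighbouring `chmod +x "$ofile"` quotes it; quoting them consistently keeps an output path containing whitespace from splitting. `$tagname` is also spliced into a sed replacement through eval, so this block relies entirely on the option parsing elsewhere in ltconfig having restricted its character set.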
@@ -84,8 +84,11 @@ if test "${LANG+set}" = set; then save_LANG="$LANG"; LANG=C; export LANG fi -# Make sure IFS has a sensible default -: ${IFS=" "} +if test "$LTCONFIG_VERSION" != "$VERSION"; then + echo "$modename: ltconfig version \`$LTCONFIG_VERSION' does not match $PROGRAM version \`$VERSION'" 1>&2 + echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2 + exit 1 +fi if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then echo "$modename: not configured to build any kind of library" 1>&2 @@ -122,6 +125,33 @@ do execute_dlfiles) execute_dlfiles="$execute_dlfiles $arg" ;; + tag) + tagname="$arg" + + # Check whether tagname contains only valid characters + case $tagname in + *[!-_A-Za-z0-9,/]*) + echo "$progname: invalid tag name: $tagname" 1>&2 + exit 1 + ;; + esac + + case $tagname in + CC) + # Don't test for the "default" C tag, as we know, it's there, but + # not specially marked. + ;; + *) + if grep "^### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$0" > /dev/null; then + taglist="$taglist $tagname" + # Evaluate the configuration. + eval "`sed -n -e '/^### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $0`" + else + echo "$progname: ignoring unknown tag $tagname" 1>&2 + fi + ;; + esac + ;; *) eval "$prev=\$arg" ;; @@ -144,7 +174,11 @@ do ;; --config) - sed -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $0 + sed -n -e '/^### BEGIN LIBTOOL CONFIG/,/^### END LIBTOOL CONFIG/p' < "$0" + # Now print the configurations for the tags. + for tagname in $taglist; do + sed -n -e "/^### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^### END LIBTOOL TAG CONFIG: $tagname$/p" < "$0" + done exit 0 ;; 
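Review bot: The tag-name validation in the `tag)` branch accepts `/` (pattern `*[!-_A-Za-z0-9,/]*`), but `$tagname` is then spliced unescaped into a `/.../` sed address (`'/^### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,...'`), so a tag containing a slash terminates the address early and produces a sed error instead of the "ignoring unknown tag" path. Dropping the slash from the accepted set, `*[!-_A-Za-z0-9,]*)`, keeps every character that reaches sed literal; the same address is built again in the `--config` loop below and in the compile-mode inference hunk later in this file. The new version check also exits before any argument is parsed, so a mismatch between ltconfig and ltmain.sh is now fatal rather than silently tolerated, which is fine as long as both scripts are always updated together.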
@@ -177,10 +211,19 @@ do --mode) prevopt="--mode" prev=mode ;; --mode=*) mode="$optarg" ;; + --preserve-dup-deps) duplicate_deps="yes" ;; + --quiet | --silent) show=: ;; + --tag) prevopt="--tag" prev=tag ;; + --tag=*) + set tag "$optarg" ${1+"$@"} + shift + prev=tag + ;; + -dlopen) prevopt="-dlopen" prev=execute_dlfiles @@ -215,7 +258,7 @@ if test -z "$show_help"; then # Infer the operation mode. if test -z "$mode"; then case $nonopt in - *cc | *++ | gcc* | *-gcc*) + *cc | *++ | gcc* | *-gcc* | *CC) mode=link for arg do @@ -337,7 +380,7 @@ if test -z "$show_help"; then -Wc,*) args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"` lastarg= - save_ifs="$IFS"; IFS=',' + IFS="${IFS= }"; save_ifs="$IFS"; IFS=',' for arg in $args; do IFS="$save_ifs" @@ -429,10 +472,12 @@ if test -z "$show_help"; then *.asm) xform=asm ;; *.c++) xform=c++ ;; *.cc) xform=cc ;; + *.class) xform=class ;; *.cpp) xform=cpp ;; *.cxx) xform=cxx ;; *.f90) xform=f90 ;; *.for) xform=for ;; + *.java) xform=java ;; esac libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"` 
@@ -445,6 +490,67 @@ if test -z "$show_help"; then ;; esac + # Infer tagged configuration to use if any are available and + # if one wasn't chosen via the "--tag" command line option. + # Only attempt this if the compiler in the base compile + # command doesn't match the default compiler. + if test -n "$available_tags" && test -z "$tagname"; then + case $base_compile in + "$CC "*) tagname=CC ;; + # Blanks in the command may have been stripped by the calling shell, + # but not from the CC environment variable when ltconfig was run. + "`$echo $CC` "*) tagname=CC ;; + *) base_compiler=`echo $base_compile | awk '{ print $1 }'` + case $base_compiler in + *cc) tagname=CC ;; + *++) + tagname=CXX + eval "`sed -n -e '/^### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $0`" + ;; + esac ;; + esac + fi + if test -n "$available_tags" && test -z "$tagname"; then + for z in $available_tags; do + if grep "^### BEGIN LIBTOOL TAG CONFIG: $z$" < "$0" > /dev/null; then + # Evaluate the configuration. + eval "`sed -n -e '/^### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`" + case $base_compile in + "$CC "*) + # The compiler in the base compile command matches + # the one in the tagged configuration. + # Assume this is the tagged configuration we want. + tagname=$z + break + ;; + "`$echo $CC` "*) + tagname=$z + break + ;; + esac + fi + done + # If $tagname still isn't set, then no tagged configuration + # was found and let the user know that the "--tag" command + # line option must be used. 
+ if test -z "$tagname"; then + echo "$modename: unable to infer tagged configuration" + echo "$modename: specify a tag with \`--tag'" 1>&2 + exit 1 +# else +# echo "$modename: using $tagname tagged configuration" + fi + fi + + objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'` + xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'` + if test "X$xdir" = "X$obj"; then + xdir= + else + xdir=$xdir/ + fi + lobj=${xdir}$objdir/$objname + if test -z "$base_compile"; then $echo "$modename: you must specify a compilation command" 1>&2 $echo "$help" 1>&2 @@ -453,9 +559,9 @@ if test -z "$show_help"; then # Delete any leftover library objects. if test "$build_old_libs" = yes; then - removelist="$obj $libobj" + removelist="$obj $lobj $libobj ${libobj}T" else - removelist="$libobj" + removelist="$lobj $libobj ${libobj}T" fi $run $rm $removelist @@ -480,6 +586,7 @@ if test -z "$show_help"; then removelist="$removelist $output_obj $lockfile" trap "$run $rm $removelist; exit 1" 1 2 15 else + output_obj= need_locks=no lockfile= fi @@ -514,49 +621,48 @@ compiler." eval srcfile=\"$fix_srcfile_path\" fi + $run $rm "$libobj" "${libobj}T" + + # Create a libtool object file (analogous to a ".la" file), + # but don't create it if we're doing a dry run. + test -z "$run" && cat > ${libobj}T <> ${libobj}T <> ${libobj}T < $libobj" - $run eval "echo timestamp > \$libobj" || exit $? - else - # Move the .lo from within objdir - $show "$mv $libobj $lo_libobj" - if $run $mv $libobj $lo_libobj; then : - else - error=$? - $run $rm $removelist - exit $error - fi - fi + # Append the name of the non-PIC object the libtool object file. + # Only append if the libtool object file exists. + test -z "$run" && cat >> ${libobj}T <> ${libobj}T <\?\'\ \ ]*|*]*|"") 
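Review bot: The `*++)` branch of the tag inference sets `tagname=CXX` and evals the CXX section of the script without first checking that the section exists, unlike the `for z in $available_tags` loop below it which greps before evaluating; when no CXX tag was configured the eval sees empty input, `tagname` is nevertheless set, the fallback loop is skipped and the compile silently proceeds with the default C configuration. Guarding it the same way, `if grep "^### BEGIN LIBTOOL TAG CONFIG: CXX$" < "$0" > /dev/null; then tagname=CXX; eval "..."; fi`, would surface the case as the "unable to infer tagged configuration" error instead. That error is itself split across streams: `echo "$modename: unable to infer tagged configuration"` goes to stdout while the next line goes to stderr, so the first line should also end in `1>&2`. The whole block is repeated verbatim for link mode in the hunk ending at L429, where both points apply as well; a shared function would keep the two copies from drifting.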
@@ -892,6 +974,113 @@ compiler." prev= continue ;; + objectlist) + if test -f "$arg"; then + save_arg=$arg + moreargs= + for fil in `cat $save_arg` + do +# moreargs="$moreargs $fil" + arg=$fil + # A libtool-controlled object. + + # Check to see that this really is a libtool object. + if (sed -e '2q' $arg | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then + pic_object= + non_pic_object= + + # Read the .lo file + # If there is no directory component, then add one. + case $arg in + */* | *\\*) . $arg ;; + *) . ./$arg ;; + esac + + if test -z "$pic_object" || \ + test -z "$non_pic_object" || + test "$pic_object" = none && \ + test "$non_pic_object" = none; then + $echo "$modename: cannot find name of object for \`$arg'" 1>&2 + exit 1 + fi + + # Extract subdirectory from the argument. + xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` + if test "X$xdir" = "X$arg"; then + xdir= + else + xdir="$xdir/" + fi + + if test "$pic_object" != none; then + # Prepend the subdirectory the object is found in. + pic_object="$xdir$pic_object" + + if test "$prev" = dlfiles; then + if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then + dlfiles="$dlfiles $pic_object" + prev= + continue + else + # If libtool objects are unsupported, then we need to preload. + prev=dlprefiles + fi + fi + + # CHECK ME: I think I busted this. -Ossama + if test "$prev" = dlprefiles; then + # Preload the old-style object. + dlprefiles="$dlprefiles $pic_object" + prev= + fi + + # A PIC object. + libobjs="$libobjs $pic_object" + arg="$pic_object" + fi + + # Non-PIC object. + if test "$non_pic_object" != none; then + # Prepend the subdirectory the object is found in. + non_pic_object="$xdir$non_pic_object" + + # A standard non-PIC object + non_pic_objects="$non_pic_objects $non_pic_object" + if test -z "$pic_object" || test "$pic_object" = none ; then + arg="$non_pic_object" + fi + fi + else + # Only an error if not doing a dry-run. 
+ if test -z "$run"; then + $echo "$modename: \`$arg' is not a valid libtool object" 1>&2 + exit 1 + else + # Dry-run case. + + # Extract subdirectory from the argument. + xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` + if test "X$xdir" = "X$arg"; then + xdir= + else + xdir="$xdir/" + fi + + pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"` + non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"` + libobjs="$libobjs $pic_object" + non_pic_objects="$non_pic_objects $non_pic_object" + fi + fi + done + else + $echo "$modename: link input file \`$save_arg' does not exist" + exit 1 + fi + arg=$save_arg + prev= + continue + ;; rpath | xrpath) # We need an absolute path. case $arg in @@ -1043,17 +1232,6 @@ compiler." # These systems don't actually have a C library (as such) test "X$arg" = "X-lc" && continue ;; - *-*-openbsd*) - # Do not include libc due to us having libc/libc_r. - test "X$arg" = "X-lc" && continue - ;; - esac - elif test "X$arg" = "X-lc_r"; then - case $host in - *-*-openbsd*) - # Do not include libc_r directly, use -pthread flag. - continue - ;; esac fi deplibs="$deplibs $arg" @@ -1089,6 +1267,11 @@ compiler." continue ;; + -objectlist) + prev=objectlist + continue + ;; + -o) prev=output ;; -release) @@ -1145,7 +1328,7 @@ compiler." -Wc,*) args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'` arg= - save_ifs="$IFS"; IFS=',' + IFS="${IFS= }"; save_ifs="$IFS"; IFS=',' for flag in $args; do IFS="$save_ifs" case $flag in @@ -1163,7 +1346,7 @@ compiler." -Wl,*) args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'` arg= - save_ifs="$IFS"; IFS=',' + IFS="${IFS= }"; save_ifs="$IFS"; IFS=',' for flag in $args; do IFS="$save_ifs" case $flag in 
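Review bot: The validity test `if test -z "$pic_object" || \ test -z "$non_pic_object" || test "$pic_object" = none && \ test "$non_pic_object" = none; then` does not express what its error message says: `&&` and `||` have equal precedence and group left to right in the shell, so the whole disjunction is ANDed with `test "$non_pic_object" = none`, and a .lo file that lacks a `pic_object` line but names a real `non_pic_object` passes, after which `pic_object="$xdir$pic_object"` turns the empty name into the bare directory and appends it to `$libobjs`. If the intent is "either name missing, or both none", write it as `if { test -z "$pic_object" || test -z "$non_pic_object"; } || { test "$pic_object" = none && test "$non_pic_object" = none; }; then`. The same condition is duplicated in the `*.lo)` hunk ending at L428. A comment next to `. $arg` should also state that the .lo file is executed as shell code and that the `egrep "^# Generated by .*$PACKAGE"` check on its second line only confirms its format, so the list named by `-objectlist` has to be as trusted as the Makefile that invokes libtool.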
@@ -1201,29 +1384,101 @@ compiler." esac ;; - *.lo | *.$objext) - # A library or standard object. - if test "$prev" = dlfiles; then - # This file was specified with -dlopen. - if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - dlfiles="$dlfiles $arg" - prev= - continue + *.$objext) + # A standard object. + objs="$objs $arg" + ;; + + *.lo) + # A libtool-controlled object. + + # Check to see that this really is a libtool object. + if (sed -e '2q' $arg | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then + pic_object= + non_pic_object= + + # Read the .lo file + # If there is no directory component, then add one. + case $arg in + */* | *\\*) . $arg ;; + *) . ./$arg ;; + esac + + if test -z "$pic_object" || \ + test -z "$non_pic_object" || + test "$pic_object" = none && \ + test "$non_pic_object" = none; then + $echo "$modename: cannot find name of object for \`$arg'" 1>&2 + exit 1 + fi + + # Extract subdirectory from the argument. + xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` + if test "X$xdir" = "X$arg"; then + xdir= else - # If libtool objects are unsupported, then we need to preload. - prev=dlprefiles + xdir="$xdir/" fi - fi - if test "$prev" = dlprefiles; then - # Preload the old-style object. - dlprefiles="$dlprefiles "`$echo "X$arg" | $Xsed -e "$lo2o"` - prev= - else - case $arg in - *.lo) libobjs="$libobjs $arg" ;; - *) objs="$objs $arg" ;; - esac + if test "$pic_object" != none; then + # Prepend the subdirectory the object is found in. + pic_object="$xdir$pic_object" + + if test "$prev" = dlfiles; then + if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then + dlfiles="$dlfiles $pic_object" + prev= + continue + else + # If libtool objects are unsupported, then we need to preload. + prev=dlprefiles + fi + fi + + # CHECK ME: I think I busted this. -Ossama + if test "$prev" = dlprefiles; then + # Preload the old-style object. + dlprefiles="$dlprefiles $pic_object" + prev= + fi + + # A PIC object. 
+ libobjs="$libobjs $pic_object" + arg="$pic_object" + fi + + # Non-PIC object. + if test "$non_pic_object" != none; then + # Prepend the subdirectory the object is found in. + non_pic_object="$xdir$non_pic_object" + + # A standard non-PIC object + non_pic_objects="$non_pic_objects $non_pic_object" + if test -z "$pic_object" || test "$pic_object" = none ; then + arg="$non_pic_object" + fi + fi + else + # Only an error if not doing a dry-run. + if test -z "$run"; then + $echo "$modename: \`$arg' is not a valid libtool object" 1>&2 + exit 1 + else + # Dry-run case. + + # Extract subdirectory from the argument. + xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'` + if test "X$xdir" = "X$arg"; then + xdir= + else + xdir="$xdir/" + fi + + pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"` + non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"` + libobjs="$libobjs $pic_object" + non_pic_objects="$non_pic_objects $non_pic_object" + fi fi ;; 
@@ -1277,6 +1532,58 @@ compiler." exit 1 fi + # Infer tagged configuration to use if any are available and + # if one wasn't chosen via the "--tag" command line option. + # Only attempt this if the compiler in the base link + # command doesn't match the default compiler. + if test -n "$available_tags" && test -z "$tagname"; then + case $base_compile in + "$CC "*) tagname=CC ;; + # Blanks in the command may have been stripped by the calling shell, + # but not from the CC environment variable when ltconfig was run. + "`$echo $CC` "*) tagname=CC ;; + *) base_compiler=`echo $base_compile | awk '{ print $1 }'` + case $base_compiler in + *cc) tagname=CC ;; + *++) + tagname=CXX + eval "`sed -n -e '/^### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $0`" + ;; + esac ;; + esac + fi + if test -n "$available_tags" && test -z "$tagname"; then + for z in $available_tags; do + if grep "^### BEGIN LIBTOOL TAG CONFIG: $z$" < "$0" > /dev/null; then + # Evaluate the configuration. + eval "`sed -n -e '/^### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`" + case $base_compile in + "$CC "*) + # The compiler in $compile_command matches + # the one in the tagged configuration. + # Assume this is the tagged configuration we want. + tagname=$z + break + ;; + "`$echo $CC` "*) + tagname=$z + break + ;; + esac + fi + done + # If $tagname still isn't set, then no tagged configuration + # was found and let the user know that the "--tag" command + # line option must be used. + if test -z "$tagname"; then + echo "$modename: unable to infer tagged configuration" + echo "$modename: specify a tag with \`--tag'" 1>&2 + exit 1 +# else +# echo "$modename: using $tagname tagged configuration" + fi + fi + if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then eval arg=\"$export_dynamic_flag_spec\" compile_command="$compile_command $arg" 
@@ -1330,11 +1637,32 @@ compiler." # Find all interdependent deplibs by searching for libraries # that are linked more than once (e.g. -la -lb -la) for deplib in $deplibs; do + if test "X$duplicate_deps" = "Xyes" ; then case "$libs " in *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; esac + fi libs="$libs $deplib" done + + if test $linkmode = lib; then + libs="$predeps $libs $compiler_lib_search_path $postdeps" + + # Compute libraries that are listed more than once in $predeps + # $postdeps and mark them as special (i.e., whose duplicates are + # not to be eliminated). + pre_post_deps= + if test "X$duplicate_deps" = "Xyes" ; then + for pre_post_dep in $predeps $postdeps; do + case "$pre_post_deps " in + *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;; + esac + pre_post_deps="$pre_post_deps $pre_post_dep" + done + fi + pre_post_deps= + fi + deplibs= newdependency_libs= newlib_search_path= @@ -1555,9 +1883,11 @@ compiler." tmp_libs= for deplib in $dependency_libs; do deplibs="$deplib $deplibs" + if test "X$duplicate_deps" = "Xyes" ; then case "$tmp_libs " in *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; esac + fi tmp_libs="$tmp_libs $deplib" done elif test $linkmode != prog && test $linkmode != lib; then @@ -1680,9 +2010,11 @@ compiler." # or/and link against static libraries newdependency_libs="$deplib $newdependency_libs" fi + if test "X$duplicate_deps" = "Xyes" ; then case "$tmp_libs " in *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; esac + fi tmp_libs="$tmp_libs $deplib" done # for deplib continue @@ -1773,7 +2105,7 @@ compiler." if test -f "$output_objdir/$soname-def"; then : else $show "extracting exported symbol list from \`$soname'" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' eval cmds=\"$extract_expsyms_cmds\" for cmd in $cmds; do IFS="$save_ifs" 
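Review bot: In the new `$predeps $postdeps` loop the match arm appends the accumulated list instead of the single library: `*" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;` uses `$pre_post_deps` (plural) where every sibling loop in this hunk uses the loop variable, so `specialdeplibs` receives every library seen so far each time a duplicate is found. The line should read `*" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_dep" ;;`. The enclosing link-mode block starts outside the hunk.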
@@ -1786,7 +2118,7 @@ compiler." # Create $newlib if test -f "$output_objdir/$newlib"; then :; else $show "generating import library for \`$soname'" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' eval cmds=\"$old_archive_from_expsyms_cmds\" for cmd in $cmds; do IFS="$save_ifs" @@ -1934,17 +2266,17 @@ compiler." echo "*** Therefore, libtool will create a static module, that should work " echo "*** as long as the dlopening application is linked with the -dlopen flag." if test -z "$global_symbol_pipe"; then - echo - echo "*** However, this would only work if libtool was able to extract symbol" - echo "*** lists from a program, using \`nm' or equivalent, but libtool could" - echo "*** not find such a program. So, this module is probably useless." - echo "*** \`nm' from GNU binutils and a full rebuild may help." + echo + echo "*** However, this would only work if libtool was able to extract symbol" + echo "*** lists from a program, using \`nm' or equivalent, but libtool could" + echo "*** not find such a program. So, this module is probably useless." + echo "*** \`nm' from GNU binutils and a full rebuild may help." fi if test "$build_old_libs" = no; then - build_libtool_libs=module - build_old_libs=yes + build_libtool_libs=module + build_old_libs=yes else - build_libtool_libs=no + build_libtool_libs=no fi fi else @@ -1981,9 +2313,11 @@ compiler." tmp_libs= for deplib in $dependency_libs; do newdependency_libs="$deplib $newdependency_libs" + if test "X$duplicate_deps" = "Xyes" ; then case "$tmp_libs " in *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; esac + fi tmp_libs="$tmp_libs $deplib" done @@ -2024,7 +2358,7 @@ compiler." esac case " $deplibs " in *" $path "*) ;; - *) deplibs="$deplibs $path" ;; + *) deplibs="$path $deplibs" ;; esac done fi # link_all_deplibs != no 
@@ -2182,7 +2516,9 @@ compiler." if test -z "$rpath"; then if test "$build_libtool_libs" = yes; then # Building a libtool convenience library. - libext=al + # Some compilers have problems with a `.al' extension so + # convenience libraries should have the same extension an + # archive normally would. oldlibs="$output_objdir/$libname.$libext $oldlibs" build_libtool_libs=convenience build_old_libs=yes @@ -2198,7 +2534,7 @@ compiler." else # Parse the version information argument. - save_ifs="$IFS"; IFS=':' + IFS="${IFS= }"; save_ifs="$IFS"; IFS=':' set dummy $vinfo 0 0 0 IFS="$save_ifs" @@ -2274,7 +2610,7 @@ compiler." ;; irix) - major=`expr $current - $age + 1` + major=`expr $current - $age` verstring="sgi$major.$revision" # Add in all the interfaces that we are compatible with. @@ -2334,12 +2670,11 @@ compiler." # Clear the version info if we defaulted, and they specified a release. if test -z "$vinfo" && test -n "$release"; then major= - verstring="0.0" case $version_type in darwin) # we can't check for "0.0" in archive_cmds due to quoting # problems, so we reset it completely - verstring="" + verstring= ;; *) verstring="0.0" @@ -2373,9 +2708,24 @@ compiler." fi if test "$mode" != relink; then - # Remove our outputs. - $show "${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*" - $run ${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.* + # Remove our outputs, but don't remove object files since they + # may have been created when compiling PIC objects. + removelist= + tempremovelist=`echo "$output_objdir/*"` + for p in $tempremovelist; do + case $p in + *.$objext) + ;; + $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*) + removelist="$removelist $p" + ;; + *) ;; + esac + done + if test -n "$removelist"; then + $show "${rm}r $removelist" + $run ${rm}r $removelist + fi fi # Now set the variables for building old libraries. 
@@ -2441,9 +2791,6 @@ compiler." *-*-netbsd*) # Don't link with libc until the a.out ld.so is fixed. ;; - *-*-openbsd*) - # Do not include libc due to us having libc/libc_r. - ;; *) # Add libc to deplibs on all other systems if necessary. if test $build_libtool_need_lc = "yes"; then @@ -2486,7 +2833,7 @@ compiler." int main() { return 0; } EOF $rm conftest - $CC -o conftest conftest.c $deplibs + $LTCC -o conftest conftest.c $deplibs if test $? -eq 0 ; then ldd_output=`ldd conftest` for i in $deplibs; do @@ -2519,7 +2866,7 @@ EOF # If $name is empty we are operating on a -L argument. if test -n "$name" && test "$name" != "0"; then $rm conftest - $CC -o conftest conftest.c $i + $LTCC -o conftest conftest.c $i # Did it work? if test $? -eq 0 ; then ldd_output=`ldd conftest` 
@@ -2793,22 +3140,22 @@ EOF linknames="$linknames $link" done - # Ensure that we have .o objects for linkers which dislike .lo - # (e.g. aix) in case we are running --disable-static - for obj in $libobjs; do - xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$obj"; then - xdir="." - else - xdir="$xdir" - fi - baseobj=`$echo "X$obj" | $Xsed -e 's%^.*/%%'` - oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"` - if test ! -f $xdir/$oldobj; then - $show "(cd $xdir && ${LN_S} $baseobj $oldobj)" - $run eval '(cd $xdir && ${LN_S} $baseobj $oldobj)' || exit $? - fi - done +# # Ensure that we have .o objects for linkers which dislike .lo +# # (e.g. aix) in case we are running --disable-static +# for obj in $libobjs; do +# xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'` +# if test "X$xdir" = "X$obj"; then +# xdir="." +# else +# xdir="$xdir" +# fi +# baseobj=`$echo "X$obj" | $Xsed -e 's%^.*/%%'` +# oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"` +# if test ! -f $xdir/$oldobj && test "$baseobj" != "$oldobj"; then +# $show "(cd $xdir && ${LN_S} $baseobj $oldobj)" +# $run eval '(cd $xdir && ${LN_S} $baseobj $oldobj)' || exit $? +# fi +# done # Use standard objects if they are pic test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` @@ -2820,7 +3167,7 @@ EOF export_symbols="$output_objdir/$libname.exp" $run $rm $export_symbols eval cmds=\"$export_symbols_cmds\" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" $show "$cmd" @@ -2842,13 +3189,14 @@ EOF if test -n "$convenience"; then if test -n "$whole_archive_flag_spec"; then + save_libobjs=$libobjs eval libobjs=\"\$libobjs $whole_archive_flag_spec\" else gentop="$output_objdir/${outputname}x" $show "${rm}r $gentop" $run ${rm}r "$gentop" - $show "mkdir $gentop" - $run mkdir "$gentop" + $show "$mkdir $gentop" + $run $mkdir "$gentop" status=$? if test $status -ne 0 && test ! -d "$gentop"; then exit $status 
@@ -2866,8 +3214,8 @@ EOF $show "${rm}r $xdir" $run ${rm}r "$xdir" - $show "mkdir $xdir" - $run mkdir "$xdir" + $show "$mkdir $xdir" + $run $mkdir "$xdir" status=$? if test $status -ne 0 && test ! -d "$xdir"; then exit $status @@ -2875,7 +3223,7 @@ EOF $show "(cd $xdir && $AR x $xabs)" $run eval "(cd \$xdir && $AR x \$xabs)" || exit $? - libobjs="$libobjs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP` + libobjs="$libobjs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP` done fi fi 
@@ -2896,13 +3244,115 @@ EOF else eval cmds=\"$archive_cmds\" fi - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - $show "$cmd" - $run eval "$cmd" || exit $? - done - IFS="$save_ifs" + if len=`expr "X$cmds" : ".*"` && + test $len -le $max_cmd_len; then + : + else + # The command line is too long to link in one step, link piecewise. + $echo "creating reloadable object files..." + + # Save the value of $output and $libobjs because we want to + # use them later. If we have whole_archive_flag_spec, we + # want to use save_libobjs as it was before + # whole_archive_flag_spec was expanded, because we can't + # assume the linker understands whole_archive_flag_spec. + # This may have to be revisited, in case too many + # convenience libraries get linked in and end up exceeding + # the spec. + if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then + save_libobjs=$libobjs + fi + save_output=$output + + # Clear the reloadable object creation command queue and + # initialize k to one. + test_cmds= + concat_cmds= + objlist= + delfiles= + last_robj= + k=1 + output=$output_objdir/$save_output-${k}.$objext + # Loop over the list of objects to be linked. + for obj in $save_libobjs + do + eval test_cmds=\"$reload_cmds $objlist $last_robj\" + if test "X$objlist" = X || + { len=`expr "X$test_cmds" : ".*"` && + test $len -le $max_cmd_len; }; then + objlist="$objlist $obj" + else + # The command $test_cmds is almost too long, add a + # command to the queue. + if test $k -eq 1 ; then + # The first file doesn't have a previous command to add. + eval concat_cmds=\"$reload_cmds $objlist $last_robj\" + else + # All subsequent reloadable object files will link in + # the last one created. 
+ eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\" + fi + last_robj=$output_objdir/$save_output-${k}.$objext + k=`expr $k + 1` + output=$output_objdir/$save_output-${k}.$objext + objlist=$obj + len=1 + fi + done + # Handle the remaining objects by creating one last + # reloadable object file. All subsequent reloadable object + # files will link in the last one created. + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\" + + # Set up a command to remove the reloadale object files + # after they are used. + i=0 + while test $i -lt $k + do + i=`expr $i + 1` + delfiles="$delfiles $output_objdir/$save_output-${i}.$objext" + done + + $echo "creating a temporary reloadable object file: $output" + + # Loop through the commands generated above and execute them. + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' + for cmd in $concat_cmds; do + IFS="$save_ifs" + $show "$cmd" + $run eval "$cmd" || exit $? + done + IFS="$save_ifs" + + libobjs=$output + # Restore the value of output. + output=$save_output + + if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then + eval libobjs=\"\$libobjs $whole_archive_flag_spec\" + fi + # Expand the library linking commands again to reset the + # value of $libobjs for piecewise linking. + + # Do each of the archive commands. + if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then + eval cmds=\"$archive_expsym_cmds\" + else + eval cmds=\"$archive_cmds\" + fi + + # Append the command to remove the reloadable object files + # to the just-reset $cmds. + eval cmds=\"\$cmds~$rm $delfiles\" + fi + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' + for cmd in $cmds; do + IFS="$save_ifs" + $show "$cmd" + $run eval "$cmd" || exit $? + done + IFS="$save_ifs" # Restore the uninstalled library and exit if test "$mode" = relink; then 
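Review bot: The length test in the reloadable-object loop is run on `$reload_cmds $objlist $last_robj` before `$obj` is appended, so the batch that is eventually queued can exceed `$max_cmd_len` by the length of the last object path plus a space; testing the command with `$obj` included, and flushing the previous batch when that fails, would keep every emitted command within the limit. `len=1` after `objlist=$obj` is dead, since `len` is reassigned by the next test. `$echo "creating reloadable object files..."` and `$echo "creating a temporary reloadable object file: $output"` bypass `$show`, so they appear to be printed even under `--quiet`/`--silent`, which the `show=:` assignment in the option-parsing hunk at L422 is meant to silence. The enclosing archive-building block starts outside the hunk.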
@@ -2986,8 +3436,8 @@ EOF gentop="$output_objdir/${obj}x" $show "${rm}r $gentop" $run ${rm}r "$gentop" - $show "mkdir $gentop" - $run mkdir "$gentop" + $show "$mkdir $gentop" + $run $mkdir "$gentop" status=$? if test $status -ne 0 && test ! -d "$gentop"; then exit $status @@ -3005,8 +3455,8 @@ EOF $show "${rm}r $xdir" $run ${rm}r "$xdir" - $show "mkdir $xdir" - $run mkdir "$xdir" + $show "$mkdir $xdir" + $run $mkdir "$xdir" status=$? if test $status -ne 0 && test ! -d "$xdir"; then exit $status @@ -3014,7 +3464,7 @@ EOF $show "(cd $xdir && $AR x $xabs)" $run eval "(cd \$xdir && $AR x \$xabs)" || exit $? - reload_conv_objs="$reload_objs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP` + reload_conv_objs="$reload_objs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP` done fi fi @@ -3024,7 +3474,7 @@ EOF output="$obj" eval cmds=\"$reload_cmds\" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" $show "$cmd" @@ -3050,8 +3500,8 @@ EOF # Create an invalid libtool object if no PIC, so that we don't # accidentally link it into a program. - $show "echo timestamp > $libobj" - $run eval "echo timestamp > $libobj" || exit $? + # $show "echo timestamp > $libobj" + # $run eval "echo timestamp > $libobj" || exit $? exit 0 fi 
@@ -3060,27 +3510,27 @@ EOF reload_objs="$libobjs $reload_conv_objs" output="$libobj" eval cmds=\"$reload_cmds\" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" $show "$cmd" $run eval "$cmd" || exit $? done IFS="$save_ifs" - else - # Just create a symlink. - $show $rm $libobj - $run $rm $libobj - xdir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$libobj"; then - xdir="." - else - xdir="$xdir" - fi - baseobj=`$echo "X$libobj" | $Xsed -e 's%^.*/%%'` - oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"` - $show "(cd $xdir && $LN_S $oldobj $baseobj)" - $run eval '(cd $xdir && $LN_S $oldobj $baseobj)' || exit $? +# else +# # Just create a symlink. +# $show $rm $libobj +# $run $rm $libobj +# xdir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'` +# if test "X$xdir" = "X$libobj"; then +# xdir="." +# else +# xdir="$xdir" +# fi +# baseobj=`$echo "X$libobj" | $Xsed -e 's%^.*/%%'` +# oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"` +# $show "(cd $xdir && $LN_S $oldobj $baseobj)" +# $run eval '(cd $xdir && $LN_S $oldobj $baseobj)' || exit $? fi if test -n "$gentop"; then @@ -3213,12 +3663,6 @@ EOF fi finalize_rpath="$rpath" - if test -n "$libobjs" && test "$build_old_libs" = yes; then - # Transform all the library objects into standard objects. - compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - fi - dlsyms= if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then if test -n "$NM" && test -n "$global_symbol_pipe"; then @@ -3261,7 +3705,7 @@ extern \"C\" { test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist" # Add our own program objects to the symbol list. - progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` + progfiles="$objs$old_deplibs" for arg in $progfiles; do $show "extracting global C symbols from \`$arg'" $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'" 
@@ -3323,25 +3767,27 @@ extern \"C\" { #undef lt_preloaded_symbols #if defined (__STDC__) && __STDC__ -# define lt_ptr void * +# define lt_ptr_t void * #else -# define lt_ptr char * +# define lt_ptr_t char * # define const #endif /* The mapping between symbol names and symbols. */ const struct { const char *name; - lt_ptr address; + lt_ptr_t address; } lt_preloaded_symbols[] = {\ " - eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms" + sed -n -e 's/^: \([^ ]*\) $/ {\"\1\", (lt_ptr_t) 0},/p' \ + -e 's/^. \([^ ]*\) \([^ ]*\)$/ {"\2", (lt_ptr_t) \&\2},/p' \ + < "$nlist" >> "$output_objdir/$dlsyms" $echo >> "$output_objdir/$dlsyms" "\ - {0, (lt_ptr) 0} + {0, (lt_ptr_t) 0} }; /* This works around a problem in FreeBSD linker */ @@ -3367,18 +3813,18 @@ static const void *lt_preloaded_setup() { *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) case "$compile_command " in *" -static "*) ;; - *) pic_flag_for_symtable=" $pic_flag -DPIC -DFREEBSD_WORKAROUND";; + *) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND";; esac;; *-*-hpux*) case "$compile_command " in *" -static "*) ;; - *) pic_flag_for_symtable=" $pic_flag -DPIC";; + *) pic_flag_for_symtable=" $pic_flag";; esac esac # Now compile the dynamic symbol file. - $show "(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")" - $run eval '(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $? + $show "(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")" + $run eval '(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $? # Clean up the generated files. $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T" @@ -3654,7 +4100,7 @@ else if test -n \"\$relink_command\"; then if relink_command_output=\`eval \$relink_command 2>&1\`; then : else - $echo \"\$relink_command_output\" >&2 + $echo \"\$relink_command_output\" >&2 $rm \"\$progdir/\$file\" exit 1 fi 
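Review bot: The two sed expressions that replace `$global_symbol_to_c_name_address` quote the C string literal differently: the first writes `{\"\1\", (lt_ptr_t) 0},` while the second writes `{"\2", (lt_ptr_t) \&\2},`, and because both are inside single quotes the backslashes reach sed, where `\"` in a replacement is not portable (some implementations copy the backslash into the generated C source, others drop it). Using `"\1"` in the first expression, `-e 's/^: \([^ ]*\) $/ {"\1", (lt_ptr_t) 0},/p'`, makes it match the second and removes the dependency. Replacing the configurable pipeline with a fixed sed also pins the symbol-list format to the `: name ` / `C name addr` shape, which is worth a comment above the sed if other `global_symbol_pipe` variants are still in use.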
@@ -3759,7 +4205,7 @@ fi\ oldobjs="$libobjs_save" build_libtool_libs=no else - oldobjs="$objs$old_deplibs "`$echo "X$libobjs_save" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP` + oldobjs="$objs$old_deplibs $non_pic_objects" fi addlibs="$old_convenience" fi @@ -3768,8 +4214,8 @@ fi\ gentop="$output_objdir/${outputname}x" $show "${rm}r $gentop" $run ${rm}r "$gentop" - $show "mkdir $gentop" - $run mkdir "$gentop" + $show "$mkdir $gentop" + $run $mkdir "$gentop" status=$? if test $status -ne 0 && test ! -d "$gentop"; then exit $status @@ -3788,8 +4234,8 @@ fi\ $show "${rm}r $xdir" $run ${rm}r "$xdir" - $show "mkdir $xdir" - $run mkdir "$xdir" + $show "$mkdir $xdir" + $run $mkdir "$xdir" status=$? if test $status -ne 0 && test ! -d "$xdir"; then exit $status @@ -3797,7 +4243,7 @@ fi\ $show "(cd $xdir && $AR x $xabs)" $run eval "(cd \$xdir && $AR x \$xabs)" || exit $? - oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP` + oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print | $NL2SP` done fi 
@@ -3805,27 +4251,59 @@ fi\ if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then eval cmds=\"$old_archive_from_new_cmds\" else - # Ensure that we have .o objects in place in case we decided - # not to build a shared library, and have fallen back to building - # static libs even though --disable-static was passed! - for oldobj in $oldobjs; do - if test ! -f $oldobj; then - xdir=`$echo "X$oldobj" | $Xsed -e 's%/[^/]*$%%'` - if test "X$xdir" = "X$oldobj"; then - xdir="." - else - xdir="$xdir" - fi - baseobj=`$echo "X$oldobj" | $Xsed -e 's%^.*/%%'` - obj=`$echo "X$baseobj" | $Xsed -e "$o2lo"` - $show "(cd $xdir && ${LN_S} $obj $baseobj)" - $run eval '(cd $xdir && ${LN_S} $obj $baseobj)' || exit $? - fi - done - - eval cmds=\"$old_archive_cmds\" +# # Ensure that we have .o objects in place in case we decided +# # not to build a shared library, and have fallen back to building +# # static libs even though --disable-static was passed! +# for oldobj in $oldobjs; do +# if test ! -f $oldobj; then +# xdir=`$echo "X$oldobj" | $Xsed -e 's%/[^/]*$%%'` +# if test "X$xdir" = "X$oldobj"; then +# xdir="." +# else +# xdir="$xdir" +# fi +# baseobj=`$echo "X$oldobj" | $Xsed -e 's%^.*/%%'` +# obj=`$echo "X$baseobj" | $Xsed -e "$o2lo"` +# $show "(cd $xdir && ${LN_S} $obj $baseobj)" +# $run eval '(cd $xdir && ${LN_S} $obj $baseobj)' || exit $? +# fi +# done + + eval cmds=\"$old_archive_cmds\" + + if len=`expr "X$cmds" : ".*"` && + test $len -le $max_cmd_len; then + : + else + # the command line is too long to link in one step, link in parts + $echo "using piecewise archive linking..." 
+ save_RANLIB=$RANLIB + RANLIB=: + objlist= + concat_cmds= + save_oldobjs=$oldobjs + for obj in $save_oldobjs + do + oldobjs="$objlist $obj" + objlist="$objlist $obj" + eval test_cmds=\"$old_archive_cmds\" + if len=`expr "X$test_cmds" : ".*"` && + test $len -le $max_cmd_len; then + : + else + # the above command should be used before it gets too long + oldobjs=$objlist + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\" + objlist= + fi + done + RANLIB=$save_RANLIB + oldobjs=$objlist + eval cmds=\"\$concat_cmds~$old_archive_cmds\" + fi fi - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" $show "$cmd" @@ -4200,7 +4678,7 @@ relink_command=\"$relink_command\"" # Do each command in the postinstall commands. lib="$destdir/$realname" eval cmds=\"$postinstall_cmds\" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" $show "$cmd" @@ -4347,10 +4825,11 @@ relink_command=\"$relink_command\"" fi fi + # remove .exe since cygwin /usr/bin/install will append another # one anyways case $install_prog,$host in - /usr/bin/install*,*cygwin*) + */usr/bin/install*,*cygwin*) case $file:$destfile in *.exe:*.exe) # this is ok @@ -4364,6 +4843,7 @@ relink_command=\"$relink_command\"" esac ;; esac + $show "$install_prog$stripme $file $destfile" $run eval "$install_prog\$stripme \$file \$destfile" || exit $? test -n "$outputname" && ${rm}r "$tmpdir" @@ -4387,7 +4867,7 @@ relink_command=\"$relink_command\"" # Do each command in the postinstall commands. eval cmds=\"$old_postinstall_cmds\" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" $show "$cmd" 
@@ -4425,7 +4905,7 @@ relink_command=\"$relink_command\"" if test -n "$finish_cmds"; then # Do each command in the finish commands. eval cmds=\"$finish_cmds\" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" $show "$cmd" @@ -4610,7 +5090,7 @@ relink_command=\"$relink_command\"" fi # Now prepare to actually exec the command. - exec_cmd='"$cmd"$args' + exec_cmd="\$cmd$args" else # Display what would be done. if test -n "$shlibpath_var"; then @@ -4672,14 +5152,14 @@ relink_command=\"$relink_command\"" # Don't error if the file doesn't exist and rm -f was used. if (test -L "$file") >/dev/null 2>&1 \ - || (test -h "$file") >/dev/null 2>&1 \ + || (test -h "$file") >/dev/null 2>&1 \ || test -f "$file"; then - : + : elif test -d "$file"; then - exit_status=1 + exit_status=1 continue elif test "$rmforce" = yes; then - continue + continue fi rmfiles="$file" @@ -4701,7 +5181,7 @@ relink_command=\"$relink_command\"" if test -n "$library_names"; then # Do each command in the postuninstall commands. eval cmds=\"$postuninstall_cmds\" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" $show "$cmd" @@ -4716,7 +5196,7 @@ relink_command=\"$relink_command\"" if test -n "$old_library"; then # Do each command in the old_postuninstall commands. eval cmds=\"$old_postuninstall_cmds\" - save_ifs="$IFS"; IFS='~' + IFS="${IFS= }"; save_ifs="$IFS"; IFS='~' for cmd in $cmds; do IFS="$save_ifs" $show "$cmd" 
@@ -4733,9 +5213,23 @@ relink_command=\"$relink_command\"" ;; *.lo) - if test "$build_old_libs" = yes; then - oldobj=`$echo "X$name" | $Xsed -e "$lo2o"` - rmfiles="$rmfiles $dir/$oldobj" + # Possibly a libtool object, so verify it. + if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then + + # Read the .lo file + . $dir/$name + + # Add PIC object to the list of files to remove. + if test -n "$pic_object" \ + && test "$pic_object" != none; then + rmfiles="$rmfiles $dir/$pic_object" + fi + + # Add non-PIC object to the list of files to remove. + if test -n "$non_pic_object" \ + && test "$non_pic_object" != none; then + rmfiles="$rmfiles $dir/$non_pic_object" + fi fi ;; @@ -4803,6 +5297,7 @@ Provide generalized library-building support services. --mode=MODE use operation mode MODE [default=inferred from MODE-ARGS] --quiet same as \`--silent' --silent don't print informational messages + --tag=TAG use configuration variables from tag TAG --version print version information MODE must be one of the following: @@ -4928,6 +5423,7 @@ The following components of LINK-COMMAND are treated specially: -no-install link a not-installable executable -no-undefined declare that a library does not refer to external symbols -o OUTPUT-FILE create OUTPUT-FILE from the specified objects + -objectlist FILE Use a list of object files found in FILE to specify objects -release RELEASE specify package release information -rpath LIBDIR the created library will eventually be installed in LIBDIR -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries 
@@ -4978,6 +5474,26 @@ $echo "Try \`$modename --help' for more information about other modes." exit 0 +# The TAGs below are defined such that we never get into a situation +# in which we disable both kinds of libraries. Given conflicting +# choices, we go for a static library, that is the most portable, +# since we can't tell whether shared libraries were disabled because +# the user asked for that or because the platform doesn't support +# them. This is particularly important on AIX, because we don't +# support having both static and shared libraries enabled at the same +# time on that platform, so we default to a shared-only configuration. +# If a disable-shared tag is given, we'll fallback to a static-only +# configuration. But we'll never go from static-only to shared-only. + +### BEGIN LIBTOOL TAG CONFIG: disable-shared +build_libtool_libs=no +build_old_libs=yes +### END LIBTOOL TAG CONFIG: disable-shared + +### BEGIN LIBTOOL TAG CONFIG: disable-static +build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac` +### END LIBTOOL TAG CONFIG: disable-static + # Local Variables: # mode:shell-script # sh-indentation:2 diff --git a/make-release.el b/make-release.el index 879fb230e..a6afe415f 100644 --- a/make-release.el +++ b/make-release.el @@ -3,11 +3,11 @@ (let* ((heimdal-version (getenv "HV")) (version-string (concat "Release " heimdal-version))) (find-file "configure.in") - (re-search-forward "AM_INIT_AUTOMAKE(heimdal,\\(.*\\))") - (replace-match heimdal-version nil nil nil 1) + (if (re-search-forward "AM_INIT_AUTOMAKE(heimdal,\\(.*\\))" (point-max) t) + (replace-match heimdal-version nil nil nil 1)) (goto-char 1) - (re-search-forward "AC_INIT(heimdal, *\\(.*\\),") - (replace-match heimdal-version nil nil nil 1) + (if (re-search-forward "AC_INIT(heimdal, *\\(.*\\)," (point-max) t) + (replace-match heimdal-version nil nil nil 1)) (save-buffer) ;;(vc-checkin "configure.in" nil version-string) (find-file "ChangeLog") 
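Review bot: The second search, for `AC_INIT(heimdal, *\\(.*\\),`, is now wrapped in `if` with the NOERROR argument `t`, so a configure.in in which that line is missing or has changed shape is skipped silently, where the previous unconditional `re-search-forward` signalled an error and stopped the release. Making the `AM_INIT_AUTOMAKE` match optional looks intentional (the version may now live only in `AC_INIT`), but one of the two patterns should still be required so a tag cannot be cut with a stale version string; an else branch such as `(error "no AC_INIT version found in configure.in")` on the second `if` keeps that guarantee with one added line. The enclosing `let*` form continues past the hunk, where the ChangeLog is edited.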
diff --git a/missing b/missing
index dd583709f..6a37006e8 100644
--- a/missing
+++ b/missing
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Common stub for a few missing GNU programs while installing.
-# Copyright 1996, 1997, 1999, 2000 Free Software Foundation, Inc.
+# Copyright (C) 1996, 1997, 1999, 2000, 2002 Free Software Foundation, Inc.
 # Originally by Fran,cois Pinard , 1996.
 
 # This program is free software; you can redistribute it and/or modify
@@ -293,23 +293,23 @@ WARNING: \`$1' is missing on your system. You should only need it if
 # Look for gnutar/gtar before invocation to avoid ugly error
 # messages.
 if (gnutar --version > /dev/null 2>&1); then
- gnutar ${1+"$@"} && exit 0
+ gnutar "$@" && exit 0
 fi
 if (gtar --version > /dev/null 2>&1); then
- gtar ${1+"$@"} && exit 0
+ gtar "$@" && exit 0
 fi
 firstarg="$1"
 if shift; then
 case "$firstarg" in
 *o*)
 firstarg=`echo "$firstarg" | sed s/o//`
- tar "$firstarg" ${1+"$@"} && exit 0
+ tar "$firstarg" "$@" && exit 0
 ;;
 esac
 case "$firstarg" in
 *h*)
 firstarg=`echo "$firstarg" | sed s/h//`
- tar "$firstarg" ${1+"$@"} && exit 0
+ tar "$firstarg" "$@" && exit 0
 ;;
 esac
 fi
diff --git a/mkinstalldirs b/mkinstalldirs
dissimilarity index 70%
index 994d71ce7..d2d5f21b6 100755
--- a/mkinstalldirs
+++ b/mkinstalldirs
@@ -1,101 +1,111 @@ -#! /bin/sh -# mkinstalldirs --- make directory hierarchy -# Author: Noah Friedman -# Created: 1993-05-16 -# Public domain - -# $Id$ - -errstatus=0 -dirmode="" - -usage="\ -Usage: mkinstalldirs [-h] [--help] [-m mode] dir ..." - -# process command line arguments -while test $# -gt 0 ; do - case "${1}" in - -h | --help | --h* ) # -h for help - echo "${usage}" 1>&2; exit 0 ;; - -m ) # -m PERM arg - shift - test $# -eq 0 && { echo "${usage}" 1>&2; exit 1; } - dirmode="${1}" - shift ;; - -- ) shift; break ;; # stop option processing - -* ) echo "${usage}" 1>&2; exit 1 ;; # unknown option - * ) break ;; # first non-opt arg - esac -done - -for file -do - if test -d "$file"; then - shift - else - break - fi -done - -case $# in -0) exit 0 ;; -esac - -case $dirmode in -'') - if mkdir -p -- . 2>/dev/null; then - echo "mkdir -p -- $*" - exec mkdir -p -- "$@" - fi ;; -*) - if mkdir -m "$dirmode" -p -- . 2>/dev/null; then - echo "mkdir -m $dirmode -p -- $*" - exec mkdir -m "$dirmode" -p -- "$@" - fi ;; -esac - -for file -do - set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'` - shift - - pathcomp= - for d - do - pathcomp="$pathcomp$d" - case "$pathcomp" in - -* ) pathcomp=./$pathcomp ;; - esac - - if test ! -d "$pathcomp"; then - echo "mkdir $pathcomp" - - mkdir "$pathcomp" || lasterr=$? - - if test ! -d "$pathcomp"; then - errstatus=$lasterr - else - if test ! -z "$dirmode"; then - echo "chmod $dirmode $pathcomp" - - lasterr="" - chmod "$dirmode" "$pathcomp" || lasterr=$? - - if test ! -z "$lasterr"; then - errstatus=$lasterr - fi - fi - fi - fi - - pathcomp="$pathcomp/" - done -done - -exit $errstatus - -# Local Variables: -# mode: shell-script -# sh-indentation: 3 -# End: -# mkinstalldirs ends here +#! /bin/sh +# mkinstalldirs --- make directory hierarchy +# Author: Noah Friedman +# Created: 1993-05-16 +# Public domain + +errstatus=0 +dirmode="" + +usage="\ +Usage: mkinstalldirs [-h] [--help] [-m mode] dir ..." 
+ +# process command line arguments +while test $# -gt 0 ; do + case $1 in + -h | --help | --h*) # -h for help + echo "$usage" 1>&2 + exit 0 + ;; + -m) # -m PERM arg + shift + test $# -eq 0 && { echo "$usage" 1>&2; exit 1; } + dirmode=$1 + shift + ;; + --) # stop option processing + shift + break + ;; + -*) # unknown option + echo "$usage" 1>&2 + exit 1 + ;; + *) # first non-opt arg + break + ;; + esac +done + +for file +do + if test -d "$file"; then + shift + else + break + fi +done + +case $# in + 0) exit 0 ;; +esac + +case $dirmode in + '') + if mkdir -p -- . 2>/dev/null; then + echo "mkdir -p -- $*" + exec mkdir -p -- "$@" + fi + ;; + *) + if mkdir -m "$dirmode" -p -- . 2>/dev/null; then + echo "mkdir -m $dirmode -p -- $*" + exec mkdir -m "$dirmode" -p -- "$@" + fi + ;; +esac + +for file +do + set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'` + shift + + pathcomp= + for d + do + pathcomp="$pathcomp$d" + case $pathcomp in + -*) pathcomp=./$pathcomp ;; + esac + + if test ! -d "$pathcomp"; then + echo "mkdir $pathcomp" + + mkdir "$pathcomp" || lasterr=$? + + if test ! -d "$pathcomp"; then + errstatus=$lasterr + else + if test ! -z "$dirmode"; then + echo "chmod $dirmode $pathcomp" + lasterr="" + chmod "$dirmode" "$pathcomp" || lasterr=$? + + if test ! -z "$lasterr"; then + errstatus=$lasterr + fi + fi + fi + fi + + pathcomp="$pathcomp/" + done +done + +exit $errstatus + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# End: +# mkinstalldirs ends here -- 2.11.4.GIT